GDPR-compliant into the cloud after Schrems II

In July 2020, the European Court of Justice issued the judgment "C-311/18" (Schrems II judgment), overturning the US Privacy Shield. Until then, this had regulated the exchange of data from Europe to third countries, such as the USA.
After this ruling, there was widespread uncertainty regarding the use of American cloud services. Finally, in June 2021, the European Data Protection Board (EDPB) published its final recommendations on the transfer of personal data following the Schrems II ruling.
This has created clear and reliable guidelines to which companies must adhere. In summary, this means that:
- the use of American cloud services is not GDPR-compliant without further measures (even if the servers are located in Europe);
- standard contractual clauses are no longer sufficient to achieve GDPR compliance;
- the security solutions offered by cloud providers (such as the Microsoft E5 license) are not sufficient to achieve GDPR compliance.
Is GDPR-compliant cloud usage still possible?
The good news first: GDPR-compliant cloud use is possible even after Schrems II - and not as complicated as first impressions might suggest. With the right technical measures, users work as usual, while personal data is encrypted and decrypted in the background.
Even companies in highly regulated industries such as banks can migrate to the cloud without hesitation and benefit from the advantages of modern multi-cloud environments.
Now that the EDPB's recommendations for action on the Schrems II ruling have been formulated very clearly, it is clear which requirements a solution must meet in order to be GDPR-compliant.
The current eperi whitepaper "GDPR-compliant into the cloud after Schrems II" explains what companies need to pay attention to in order to use any cloud application in a GDPR-compliant manner.