Press release
Launch of coordinated enforcement on use of cloud by public sector
Brussels, 15 February - Today marks the kick-off of the first coordinated enforcement action of the European Data Protection Board. In the coming months, 22 supervisory authorities across the EEA (including EDPS) will launch investigations into the use of cloud-based services by the public sector.
This series of actions follows the EDPB’s decision to set up a Coordinated Enforcement Framework (CEF) in October 2020. The CEF is a key action of the EDPB under its 2021-2023 Strategy, together with the creation of a Support Pool of Experts (SPE). The two initiatives aim to streamline enforcement and cooperation among Supervisory Authorities (SAs).
According to Eurostat, cloud uptake by enterprises doubled across the EU in the last 6 years. The COVID-19 pandemic has sparked a digital transformation of organisations, with many public sector organisations turning to cloud technology. However, in doing so, public bodies at national and EU level may face difficulties in obtaining Information and Communication Technology products and services that comply with EU data protection rules. Through coordinated guidance and action, the SAs aim to foster best practices and thereby ensure the adequate protection of personal data.
Over 80 public bodies in total will be addressed across the EEA, including EU institutions, covering a wide range of sectors (such as health, finance, tax, education, central buyers or providers of IT services). Building on common preparatory work by all participating SAs, the CEF will be implemented at national level in one or several of the following ways: fact-finding exercise; questionnaire to identify if a formal investigation is warranted; commencement of a formal investigation; follow-up of ongoing formal investigations. In particular, SAs will explore public bodies’ challenges with GDPR compliance when using cloud-based services, including the process and safeguards implemented when acquiring cloud services, challenges related to international transfers, and provisions governing the controller-processor relationship.
The results will be analysed in a coordinated manner and the SAs will decide on possible further national supervision and enforcement actions. In addition, results will be aggregated, generating deeper insight into the topic and allowing targeted follow-up at EU level. The EDPB will publish a report on the outcome of this analysis before the end of 2022.
Further information:
- BE DPA: L’APD participe à la première action coordonnée annuelle européenne sur l'utilisation du cloud par le secteur public (FR), De GBA neemt deel aan de eerste Europese jaarlijkse gecoördineerde actie over het gebruik van de cloud door de overheid (NL), The BE DPA participates in the first European annual coordinated action on the use of cloud by the public sector (EN).
- BG DPA: The European Data Protection Board has launched its first coordinated enforcement action on the use of cloud services by the public sector
- DE DPA: Bundesbeauftragter für den Datenschutz und die Informationsfreiheit: Coordinated enforcement by 22 supervisory authorities on the use of cloud services by the public sector.
- DE DPA: Der Bayerische Landesbeauftragte für den Datenschutz (BayLfD): Cloud services in the public sector.
- DE DPA: Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg: EU-wide review of the use of cloud services by the public sector.
- EDPS: Data protection and use of cloud by public sector: the EDPS initiates and participates in the 2022 Coordinated Enforcement Action of the EDPB
- EL DPA: Συμμετοχή της Αρχής Προστασίας Δεδομένων στη συντονισμένη δράση του ΕΣΠΔ για τη χρήση υπηρεσιών υπολογιστικού νέφους στο δημόσιο τομέα (EL), Participation of the Hellenic DPA in the coordinated enforcement action of the EDPB on the use of cloud-based services by the public sector (EN)
- ES DPA: The AEPD takes part in the first coordinated European action to analyse the use of the cloud in the public sector.
- ET DPA: Estonia takes part in the pan-European supervision of the public sector's use of cloud services.
- FI DPA: The Office of the Data Protection Ombudsman launches an inquiry into the public sector's use of cloud services as part of a joint action by European supervisory authorities.
- FR DPA: Priority topics for investigations in 2022: commercial prospecting, cloud and telework monitoring (EN).
- IS DPA: Coordinated audits within the EEA of public bodies' use of cloud services.
- IT DPA: Cloud in the public administration: European data protection authorities launch a coordinated investigation.
- LI DPA: European initiative on the use of cloud-based services by public bodies
- LT DPA: Lithuania will contribute to coordinated inspections on personal data protection in the public sector's use of cloud services.
- LV DPA: The European Data Protection Board launches the first coordinated inspection on the use of cloud computing in the public sector.
- NL DPA: Privacy supervisors investigate the use of cloud services by government institutions.
- PT DPA: Coordinated EU action to investigate the use of cloud services in the public sector.
- SE DPA: Data protection authorities in the EU will jointly examine how cloud services are used in the public sector.
- SI DPA: The IP joins the first coordinated action on the use of cloud services in the public sector.
- SK DPA: The Office for Personal Data Protection of the Slovak Republic joins the first coordinated action of the EDPB.