Cloud computing and third-country transfers of personal data
Personal data must be processed in a manner that ensures appropriate security of the data. This applies whether the data is processed in computer systems within the premises of the controller or elsewhere. Processing in a cloud computing environment is therefore permitted, provided that adequate security is ensured.
However, the transfer of personal data out of the country is only permitted if the law of the country of destination provides adequate protection for personal data.
All countries within the EEA region, as well as those countries advertised by the Data Protection Authority as safe third countries, meet these conditions. A list of these countries can be found in the Data Protection Authority’s advertisement for transfer of personal data to other countries, which can be viewed under “Laws and regulations” on the website.
If the country of destination is not considered a safe third country, or the company is not considered a secure company of destination, personal data may not be transferred there unless certain safeguards have been applied, for example where the company has adopted binding company rules, follows standard provisions on personal data protection or adopts standard codes of conduct.
Exemptions due to special circumstances
However, there are limited exceptions to this due to special circumstances, e.g. if you have given your informed consent to the transfer of personal information about you, if sharing is necessary for the performance of a contract between you and the responsible party (i.e. the party responsible for the transfer) or if sharing is necessary for important public interests.
However, it should be emphasized that the exemptions of the Personal Protection Act can only support the transfer of personal information in very limited cases, and that the personal information transferred in this way is only protected according to the legislation of the country to which it is sent.
Adequacy Decision on Transfer of Personal Data to the United States
The European Union has adopted a new adequacy decision regarding the transfer of personal data from Europe to the US. The decision is intended to provide an adequate level of protection for personal data transferred from Europe to the US. It replaces the earlier agreement, the EU-US Privacy Shield, which has been annulled by the European Court of Justice.
The new agreement means that the US will ensure adequate protection of personal data transferred from Europe to US companies based on the agreement.
This is particularly true for US companies that formally submit to the obligations provided for in the agreement regarding the protection and treatment of personal data.
Among other things, the agreement limits the access of US intelligence services to the personal data and gives European citizens the possibility to seek legal remedies if they consider that the treatment of their personal data by US companies is in violation of the agreement.