Since its launch last year, the 2020 IaaS+ Framework has been making it easy for the European research and education community to access a wide portfolio of cloud services and platforms tailored to their needs. However, while all suppliers selected via the OCRE project tender are bound by GDPR (General Data Protection Regulation) regulations, there are some necessary and fundamental considerations about international data transfers and GDPR compliance that organisations should make before selecting the providers that meet their requirements.
In order to address the most common questions and provide guidance to European NRENs and connected institutions that are seeking to use – or actively using – the Framework, a team formed by HEAnet’s Garvan McFeeley and Leanne Walsh and supported by GÉANT’s GDPR & IPR Legal Advisor Magdalena Rzaca prepared a GDPR Transfer Guide for National Research and Education Networks (NRENs) on the 2020 IaaS+ Framework. The document, openly accessible via the GÉANT Clouds website, does not constitute legal advice and it is purely intended as a means to stimulate reflection about personal data processing and international transfers, and to serve as an aid to navigate this complex field and evaluate possible risks.
Compliance is a journey, not the destination
The proposed assessment starts from the most fundamental question when we talk about GDPR: “Does your organisation process personal data?”. Today, most organisations deal in some way with personal data, which is understood as any information related to an identified or identifiable natural person. If that is the case in your institution, you will need to go into more careful examination and through a series of detailed questions.
Is the platform operated by an entity within the European Union (EU) or within a location in the European Economic Area (EEA)? Is there a transfer of data outside EU/EEA? Is there an adequacy decision in place for your country? Answering these questions will guide you in the selection (or in the exclusion) of a certain platform provider.
Regardless of where the platform you selected resides, we strongly suggest going through the Data Transfer Checklist, to ensure that you have considered all possible aspects related to GDPR and data transfer. Additionally, we recommend regularly checking your levels of data protection, to consider different data encryption options, and to study measures to protect your data from potential breaches.
Magdalena Rzaca, GÉANT: “While security without privacy can exist, privacy requires an adequate level of security to be in place.”
International data transfer in a post-Schrems II world
Almost two years after the Schrems II judgement, its implications keep resonating and being discussed. If your organisation is dealing with potential international transfer of data, especially to countries where there is no adequacy decision in place, as in the US, you will need to also consider a Transfer Impact Assessment.
A Transfer Impact Assessment (TIA) is a flexible risk assessment which needs to be monitored regularly and also updated in parallel with the continuously evolving legislation. Within the TIA you will assess what laws can be applicable to your data and what are the risks to individuals. You will also need to carefully evaluate how and where the data is stored and secured.
Are you aware of how your service providers responded to Schrems II? If not, we suggest searching for further information or getting in contact with them to learn how they are dealing with post-Schrems II remediations and about the measures they put in place.
If you have any questions about the guide or if you would like to suggest improvements to the document, please contact firstname.lastname@example.org
Please contact us also if your NREN is interested in translating the guide in your local language, so that we can make the document available via the GÉANT Clouds website.
Further general advice on the use of the 2020 IaaS+ Framework Agreement can be found in the 2020 IaaS+ Framework Agreement Cookbook compiled by the GÉANT cloud team. Read this CONNECT post to learn more: https://connect.geant.org/2021/03/24/2020-iaas-framework-agreement-cookbook-recipes-for-successful-cloud-adoption