On 17 January 2023, the European Data Protection Board (EDPB) adopted the report "2022 Coordinated Enforcement Action Use of cloud-based services by the public sector", which summarises the findings of an EU-wide Enforcement Action and sets out a list of factors which public bodies should take into account when contracting Cloud Service Providers (CSPs). For example, the EDPB reiterates the obligation for CSPs to fully comply with the GDPR in order to be utilized in the public sector, including during the procurement phase. Special attention should be paid to cross-border data transfers and to the possibility that third country legislation applies, for instance leading to the possibility of access requests from third country authorities to data stored in the EU. Public entities are encouraged to take a series of further steps when contracting CSPs, such as performing a pre-contractual Data Protection Impact Assessment (DPIA), clearly defining the roles for all parties, cooperating with other public bodies when negotiating contracts, and reviewing processing procedures with respect to said DPIA.