The Association of Spanish Cloud and Datacenter Providers (Apecdata) warns of the legal, technical and security implications of choosing a cloud provider. It does so at a time when cloud computing is booming and giants such as Amazon, Google, IBM or Microsoft are opening or finalizing their cloud regions in Spain. The organization is supported by a report by Ecija Abogados, which endorses the importance of working within a reliable data perimeter when taking business applications, or data, to the cloud.
The report warns that, as established by the General Data Protection Regulation (GDPR), any transfer of personal data outside the European Economic Area to a third country must be carried out with guarantees. It also highlights that any processing carried out by a supplier located in Europe that has certain links with a US entity will imply a risk from the perspective of data protection compliance.
From a legal point of view, they say, a situation could arise in which personal data of Europeans hosted on servers of US entities based in Europe is processed by US authorities in accordance with US regulations, which would involve an international transfer not in accordance with European regulations.
Apecdata, which was presented in public last February, recalls that data may only be transmitted to those countries, territories, sectors or international organizations that the European Commission has considered to have an adequate level of protection or, failing that, where sufficient guarantees are provided or the circumstances foreseen as exceptions occur.
The report indicates that carrying out international transfers of personal data without adopting the necessary guarantees could give rise to administrative fines of up to 20 million euros or up to 4% of the total global annual turnover. For this reason, the association recommends that, when contracting services, issues such as the location of the provider and where the data will actually be processed, the security measures applied and the contractual guarantees that the cloud provider could offer be taken into account as a priority.
“The consequences for users of the use of this type of platform can mean a loss of control over their personal data, while for entities it is to assume unnecessary risks since the uses of said systems could lead to breaches of personal data protection regulations,” they point out.
According to the report, the international transfer of data may take place as long as “adequate guarantees” are offered, such as legally binding and enforceable instruments between authorities, binding corporate rules and standard data protection clauses adopted by the Commission. Likewise, it must be required that both the importer and the exporter of the data adhere to a code of conduct approved by a national data protection authority, together with binding and enforceable commitments of the importer and exporter, including those concerning the rights of the data subjects.
Apecdata underlines the importance of both the importer and the exporter of data adhering to official certification mechanisms, either by contractual means or through a legally binding instrument, in order to apply the guarantees.
The entity is a firm defender of the creation of a European data space in the face of the advance of the American technology giants, and of the implementation of a regulatory framework that protects personal rights and privacy above economic interests when it comes to entrusting data to a third party.