On April 19, 2024, the European Data Protection Board (EDPB) published Opinion 7/2024 on the draft decision of the German North Rhine Westphalia Supervisory Authority regarding the EU Cloud Service Data Protection (Auditor) certification criteria.

Background

The EDPB outlined that a German legal entity, EU Cloud Service Data Protection, submitted Auditor certification criteria to the North Rhine-Westphalia State Commissioner for Data Protection and Freedom of Information (LDI NRW) pursuant to Article 42(5) of the General Data Protection Regulation (GDPR). On February 12, 2024, the LDI NRW submitted its draft decision approving the certification criteria to the EDPB pursuant to Article 64(1)(c) of the GDPR.

EDPB recommendations

Regarding general remarks and terminology used, the EDPB recommends that the LDI NRW ensure overall clarity and that:

• when GDPR terms are used, they are in line with the GDPR; and
• EU law concepts are referred to, when they exist to ensure consistency with European law, and for other terms and concepts, to clearly define them, taking into account, where necessary, other areas of law.

Regarding the scope of the certification mechanism and target of evaluation (TOE), the EDPB recommends to:

• further specify the scope of the scheme to:
  • specified, explicit, and legitimate categories of data processing operations where the cloud provider acts as a controller; and
  • examples of processing operations that can and cannot be certified under the scheme;
• clarify in the criteria the situations in which the household/personal exemption would not apply to the cloud user who is a natural person, as well as the required adaptions vis-à-vis the cloud user in such situations; and
• further, elaborate the criteria to include the conditions for the non-applicability under the GDPR.

Regarding the 'lawfulness of the processing,' the EDPB recommends to:

• add further requirements to determine when a processing activity is necessary for both:
  • purposes of the cloud provider's legitimate interest; and
  • fulfillment of the contract with the cloud user or necessary for only one of these two purposes;
• clarify which processing operations are covered in the pre and post-contractual stage, for which the cloud provider is responsible as a controller and amend any explanatory text accordingly; and
• clarify that such criteria do not cover processing operations covered by the processing agreement with the cloud user.

Regarding the 'general obligations for controllers and processors,' the EDPB recommends including the obligation of the processor, when engaging a sub-processor to ensure that the same obligations, as set out in the contract or other legal act between the controller and the processor are imposed on the sub-processor, pursuant to Article 28(4) GDPR.

Regarding 'technical and organizational measures guaranteeing protection,' the EDPB recommends to:

• include the controller's obligation to notify the supervisory authority within 72 hours;
• explain how the encryption keys may be considered to be securely stored;
• add that anonymization cannot be revoked by referring to TOMs being put in place to ensure that anonymization cannot be reversed; and
• include that the cloud providers shall enable the cloud user to store data encrypted by the latter.

On the 'criteria for the purpose of demonstrating the existence of appropriate safeguards for the transfer of personal data,' the EDPB recommends to:

• include a reference to the need for the processor to act 'in accordance with the instruction of the controller;'
• mention that the processor shall inform the controller of any disclosure of personal data about this legal requirement unless that law prohibits such information on important grounds of public interest recognized in EU or German law;
• clarify that whenever a 'transfer' as referred to under Article 44 of the GDPR takes place, the obligations stipulated in Chapter V GDPR must be fully respected; and
• clarify that the certification itself is not a transfer tool pursuant to Article 46(2)(f) of the GDPR.

You can read the opinion here.