privatim, the conference of Swiss data protection commissioners, has published a fact sheet on “Cloud-specific risks and measures”. The fact sheet is aimed at public bodies and discusses the particular, heightened data protection risks of using cloud services and the responsibility of the public body when using such services.
The conclusion is as follows:
Public bodies may also use third-party cloud services for their data processing – if their outsourcing is permitted under the general rules for commissioned data processing (see the guides in Appendix 2). For this purpose, a comprehensive risk analysis must take into account the specific risks associated with the use of cloud services. This risk analysis must show the cloud-specific risks, differentiated for the individual data processing operations, as well as the corresponding measures with which the cloud-specific risks can be excluded or reduced to an acceptable level. The assessment should show whether the use of cloud services for the data processing is permissible in full, in part or not at all.
The public bodies that use cloud services for the performance of their duties continue to bear full responsibility for the processing of the data. The public body (or its management) is required to confirm in writing that it understands the risks and accepts the residual risk. The assumption of residual risks may also have an impact on accounting, which should be verified by the financial controls. Executives are advised to regularly record the (residual) risks assumed, as they are ultimately responsible to parliament and the people for protecting the fundamental rights of citizens and for the financial conduct of the administration.
The public body, for its part, must carry out a data protection impact assessment. The risk analysis and action plan must be submitted to the responsible data protection supervisory authorities for review (prior checking or prior consultation). They also advise the public bodies on legal, organizational and technical issues.
In an appendix to the fact sheet, privatim provides “examples of possible overall assessments of cloud risks in terms of applicable law/jurisdiction, location of cloud infrastructure and secrecy/key management”, each of which assesses the cloud-specific risks (low/increased/very high), accompanied by a recommendation.
Edit 7.2.19: The fact sheet primarily requires a lege artis risk assessment and does not generally permit or prohibit outsourcing.