VUD: FAQ on the use of cloud technologies

The Asso­cia­ti­on enter­pri­se data pro­tec­tion (VUD) has, in view of the curr­ent­ly ongo­ing dis­cus­sions “FAQ on the use of cloud tech­no­lo­gies” published. The docu­ment is dated August 26, 2022, and is here on the web­site of the VUD retrievable.

The FAQ or the ans­wers are available after fol­lo­wing que­sti­ons structured:

  • Is the use of cloud solu­ti­ons from US pro­vi­ders per­mis­si­ble under Swiss data pro­tec­tion law?
  • Why is for­eign aut­ho­ri­ty access sud­den­ly a pro­blem – this risk has always existed?
  • What does this have to do with Switzerland?
  • Does the law requi­re the exclu­si­on of any theo­re­ti­cal risk?
  • When we use the cloud solu­ti­ons of the US hyper­s­ca­lers, can we have access from the USA if we choo­se to store the data in Europe?
  • The dis­cus­sion seems to be all about the US CLOUD Act and other pro­vi­si­ons of US law – why?
  • What spe­cial requi­re­ments app­ly to pro­fes­sio­nal and offi­ci­al sec­re­cy holders?
  • Do the con­tracts of the lar­ge cloud pro­vi­ders fit? Can they be nego­tia­ted at all?
  • Does the loca­ti­on of the data sto­rage and the loca­ti­on of the pro­vi­der matter?
  • What encryp­ti­on does Swiss law require?
  • How must a risk assess­ment con­cer­ning US law be car­ri­ed out?
  • What other risks should be con­side­red when moving to the cloud?

The FAQs are as fol­lows Take-Aways prefixed:

The risk-based approach is a prin­ci­ple of data pro­tec­tion law – sin­ce time imme­mo­ri­al and also after the revi­si­on of the Data Pro­tec­tion Act. It also applies to the dis­clo­sure of per­so­nal data abroad.

Accor­ding to the Data Pro­tec­tion Act, “ade­qua­te” and in the future “appro­pria­te” pro­tec­tion is suf­fi­ci­ent for the dis­clo­sure of per­so­nal data abroad, which cor­re­sponds to the risk-based approach. Exclu­si­on of every theo­re­ti­cal risk is not required.

The risk asso­cia­ted with cloud pro­jects must be exami­ned in each indi­vi­du­al case. It often emer­ges that even in the case of cloud ser­vices with the invol­vement of US pro­vi­ders, the risk of access by for­eign aut­ho­ri­ties is low and accep­ta­ble from a data pro­tec­tion per­spec­ti­ve, pro­vi­ded sui­ta­ble pro­tec­ti­ve mea­su­res are in place.

Dis­clai­mer: The aut­hor of this artic­le is Depu­ty Secre­ta­ry David Rosen­thal at VUD.




Rela­ted articles