Number: 12

Date: 22/03/2018

Title:

User guide for European Organizations and Organs ("Guide") concerning Cloud Services published by the European Data Protection Auditor ("Auditor").


The Guide, published by the Auditor on 16 March 2018, sets out suggestions for ensuring compliance with Regulation No. 45/2001 in the use of cloud services by European Union organizations and their organs.

The Guide was prepared to provide guiding suggestions for managing data protection and privacy where personal data is processed through cloud services. It proposes arrangements for taking data protection requirements into account in the definition and selection of cloud computing procurement processes and the related administrative and technical protection.

According to the Guide, European organizations are advised to carry out impact analyses to understand the impact of the planned cloud services on the data they operate. If the pessimistic analysis shows that the risk can be reduced to an acceptable level through mitigating measures, the organization can use the resulting requirements as inputs for procurement contracts. If the outcome of the evaluation is negative, the organization may turn to cloud services with less risk and may abandon use of the cloud service.

Guidelines that can be used as criteria for identifying and evaluating the risks of the overall cloud service are provided in the attachment to the Guide.

Within the Guide, particular emphasis is placed on contracts for the provision of cloud computing services.

The Guide also covers the implementation of the cloud service and the arrangements that can be used to elaborate IT security requirements under the service contract. It is also suggested that the contracts be terminated at the same time, and that the data be delivered securely to the service provider or to another service provider.


Our explanations provided above include general information on the issue. No responsibility can be claimed against EY and/or Kuzey YMM ve Bağımsız Denetim A.Ş. due to the implications arising from the context of this document or emerging with respect to its context.