Is "the cloud" in EU and is it GDPS compliant?


You have probably heard that the Cloud is the newest, coolest and safest alternative for storing your data. What about the safety of it? Where exactly does your data go when you send it to the Cloud and are the servers that it is stored in compliant with the European data protection regulations?

These are certainly important questions to ask. From an EU legislation point of view, it doesn't actually matter if your data is physically stored on servers within the EU or outside it as long as the equivalent level of security is ensured. Even though most Google and Amazon servers are physically situated in the United States, both companies have agreed to use all necessary measures to ensure that their platforms are compliant with the GDPR regulations for every client within the EU. And this even applies to data shared between EU and non-EU companies.  But sometimes your company's internal regulations may require to have the data stored in data-centres that are physically located in the EU. Google and Amazon are ready for this situation. They have servers in the EU as well and you can choose where your cloud data will be stored. 

You can also be absolutely sure that our partners GCP and AWS are secure and ready for all regulations. They employ the best security experts and apply the highest quality security measures to ensure your data is safe. Google and Amazon have all obligatory ISMS and ISO certifications such as ISO 27001 (Information Security Management), ISO 27017 (Cloud Security), ISO 27018 (Cloud Privacy) and SSAE16 / ISAE 3402 (SOC 2/3). G Suite and Google Cloud Platform undergo several independent third-party audits on a regular basis to provide extra assurance.

What about international data transfers? 

There are a lot of myths surrounding international data transfers. Some might claim that EU personal data cannot leave the EU, but this couldn't be further from the truth. There is absolutely no restrictions to data transfers when it comes to location. The EU has stood for free movement since its beginnings – capital, people and goods. There are not many countries that outright prohibit cross-border transfer of personal data of their citizens.  

But where does GDPR now stand on the subject of international data transfers? Chapter 5 of GDPR is entitled “Transfers of personal data to third countries or international organisations” and it basically says that if you transfer personal data from the EU outside of the EU, the platform you are transferring them to regardless of its location has to have the equivalent level of protection (as GDPR). So the company you pass the data to outside the EU must fulfil its legally binding obligation to follow GDPR data protection principles or ensure measures of protection equivalent to GDPR. In practice, that means that any entity outside EU that you pass on your data to should be located in a country that has data protection laws as strong as GDPR or agrees by contract to follow GDPR principles.  In the United States the Data Protection Directive takes care of data protection. So, GDPR is not creating some sort of sudden changes here.  But for companies who trade with the EU there is a program called Privacy Shield Framework (previously Safe Harbour) - which allows US-based companies to self-certify to a set of principles and submit to certain enforcement mechanisms. By participating, these companies are considered “safe” for transfers of EU personal data. Both Google Cloud Platform and Amazon Web Services are  committed to Privacy Shield Framework program, which makes them GDPR compliant. Besides all that, if there are still any impediments prohibiting you from transferring your data to a particular country, you can still opt for storing your data on European servers. 

Don’t know exactly what the word “transfer” means in this context? It relates to moving the source data to a machine outside the EU or data being viewed by an employee outside the EU. At that point, the data is considered to have moved and it counts as a transfer. But if you use GCP or AWS Cloud platform, you don't have to worry about any of this as they have agreed to apply GDPR data protections principles to EU personal data wherever it travels and to use an approved transfer safeguard. 

To sum up, GDPR doesn't really set onerous restrictions on transferring your data. All you need to do to make sure that it is safe is to check if the company that stores your data has a EU-US Privacy Shield Framework certification. Most companies have added that certificate to their Standard Contractual Clauses and as such have become GDPR compliant.

You can learn more about Amazon and Google compliance here:

If you have any questions regarding Google Cloud Platform or Amazon Web Services security measures specific to your region you can always look up their certified partner in your country who will be happy to be of assistance.