The data privacy checklist for secure cloud tools usage

To simplify the selection of the right tool in light of GDPR requirements – and to help you evaluate tools you are already using – we’ve summarized the key points in a concise checklist. We also explain why each aspect matters. Before using a cloud tool, you should ask the following questions:

  • What access and permission controls does the tool offer?
    Access and permission settings determine who can view and manage specific data. This is essential to ensure that sensitive information does not fall into the wrong hands and that the rights of data subjects are protected.
  • Where is the cloud provider headquartered?
    Under the GDPR, storing data with companies based in Germany or the European Economic Area (EEA) is generally unproblematic. Data processing outside Europe must be assessed in two steps: first, whether the processing itself is legally permissible (e.g., based on legal provisions or user consent), and second, whether transferring data to the recipient country is allowed. For so-called "adequate third countries", a level of data protection comparable to EU standards is assumed (e.g., Switzerland, Canada). For "non-adequate" countries, such as Russia, India, or China, organizations transferring data must independently assess the level of data protection. If the provider is based in the U.S., you must check whether the recipient complies with the applicable data transfer frameworks.
  • Where is the data stored?
    Even if a provider is headquartered in the EU or in a safe third country, the data may still be stored elsewhere (e.g., in the U.S.). This can conflict with GDPR requirements for the reasons mentioned above.
  • Have the necessary data processing agreements been concluded?
    Depending on the company’s location, data storage location, and the type of data processed, specific agreements may be required to ensure compliance. Examples include Standard Contractual Clauses (SCCs), Data Processing Agreements (DPAs), or Binding Corporate Rules (BCRs).

If the following criteria are met, the most important GDPR requirements are typically fulfilled:

  1. A clear access and permission control concept is in place
  2. Data is stored on servers located in Germany or other EU countries
  3. Data is stored in certified data centers
  4. The cloud provider is headquartered in Germany or another EU country (ideally without subsidiaries outside the EU)
  5. The provider offers a Data Processing Agreement (DPA) where required

These points represent the key factors to consider when selecting cloud software. As you can see, using cloud tools can quickly involve significant administrative effort—especially if the provider is based outside the EU.

We will soon provide a more comprehensive checklist covering best practices and key considerations for using cloud tools. If you’d like to be notified when the full checklist is available, simply subscribe to our newsletter—we’ll keep you updated.

About the Author: Cristian Mudure is the Founder and CEO of Stackfield. He loves digital business models and spends his spare time on the tennis court.