
#AmCham #DataProtectionMonth Expert Views #3: HR processes and GDPR compliance in the CLOUD

by Wolf Theiss Rechtsanwalte GmbH & Co KG May 17, 2022

Article by: Adrian Manolache, IP, Data Protection & Cybersecurity Lawyer, Wolf Theiss Rechtsanwalte GmbH & Co KG

The cloud is here and that is a good thing for Human Resources ("HR") professionals. Modern HR is experiencing disruption, forcing companies to reprioritize their human capital management strategies. HR systems have become antiquated, noncompliant, and ineffective in change management, discouraging HR departments from taking strategic decisions in what they do best: people management. On the other hand, the cloud enables HR to be prescriptive and methodical in responding to what the workforce needs, without limitations from time, data, technology or resources.

The cloud has been around us for over a decade now. If you are using the cloud, it simply means your programs and data are on a cloud provider's server, not your own. The HR advantages of the cloud include providing companies with easy access to innovation, adding more agility and flexibility to HR processes, automating repetitive and data-heavy tasks and facilitating training, learning and development. Tasks such as payroll management, recruitment, applicant tracking and talent management can be performed with much greater ease in the cloud.

Because employees generate a large amount of personal data that HR must collect, manage and store, Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR") directly affects how the HR department performs its tasks. HR departments must be compliant with the GDPR, but there are specific attention points which must be taken into consideration when companies want to migrate specific HR data to a cloud provider.

Generally, the cloud provider can deliver a solution by providing an HR software application that is specifically intended to process personal data ("Software as a Service" or "SaaS"), it can deliver a complete development and deployment environment in the cloud ("Platform as a Service" or "PaaS") or it can deliver virtualized hardware or computing infrastructure for HR departments which want to have the flexibility to choose which applications to deploy on the infrastructure ("Infrastructure as a Service" or "IaaS").

When deciding to use any cloud service, companies are encouraged to complete their own assessment of their specific processing activities and their compliance based on applicable laws. Generally, the cloud solutions delivered are based on the service models SaaS and IaaS. In this context, companies should assess whether a cloud service provider can be trusted by analyzing whether the provided services are compliant with the good practices elaborated for (i) SaaS cloud service providers and (ii) IaaS cloud service providers.

  1. GDPR compliance regarding the SaaS cloud

The GDPR is especially important in the SaaS industry because software services are delivered through the internet and many SaaS businesses oversee large amounts of data. In order to come to the aid of cloud service providers and customers wishing to migrate to the cloud, the EU Data Protection Code of Conduct for Cloud Service Providers[1] ("EU Cloud Code of Conduct") has been elaborated. The EU Cloud Code of Conduct is applicable to all cloud service provision models (SaaS, PaaS and IaaS), but, taking into consideration that a specific IaaS cloud code of conduct has been elaborated, the requirements for SaaS cloud are worth analyzing from the EU Cloud Code of Conduct.

First, when contracting a SaaS cloud provider, it is useful to clarify who will be the data controller and the data processor. SaaS cloud providers can be both controllers and processors. They are controllers when they decide the purposes and the means of the processing (e.g. website, user databases, newsletters, marketing, payment data) and processors when they act under the instructions of their customers (e.g. in business to business activities when they process the personal data of their clients' customers/employees). The company (through the HR department) contracting a cloud service is usually a controller because it decides what to do with the data.

Second, when contracting a SaaS cloud provider, it is useful to know if its policies, practices and the way it handles data are compliant with the GDPR. The SaaS GDPR compliance checklist should cover:

  • Data Processing Agreements ("DPA")

The SaaS cloud provider should sign a DPA with the controller it processes data for. The DPA is a legally binding agreement that clarifies the responsibilities of the parties and contains the safeguards put in place for the processing of the data. The DPA is very important in order to ensure compliance with the GDPR.

  • Third-party vendor compliance

Not only must the SaaS cloud provider be compliant with the GDPR, but so must its third-party vendors/processors. If the third-party vendors/processors are not GDPR compliant, the SaaS cloud provider should take the necessary measures in order to mitigate the risk arising therefrom.

  • Security

Keeping personal data secure makes good business sense nowadays. All necessary measures should be taken in order to prevent cyber-attacks and data breaches because they can lead to big fines under the GDPR. Trusted SaaS cloud providers should take all necessary security measures and should take into consideration the requirements of ISO/IEC 27001.

The EU Cloud Code of Conduct offers a system based on levels of compliance. Companies at each level must comply with all provisions of the EU Cloud Code of Conduct. The different levels are based on the evidence of compliance submitted to SCOPE Europe (a non-profit association established in Belgium). The levels include: first level of compliance (internal review of policies to comply with the requirements), second level of compliance (including partially supported third-party certificates and audits with specific relevance) and third level of compliance (fully supported third-party certificates and audits with specific relevance).

The EU Cloud Code of Conduct is validated by the European Data Protection Board[2] ("EDPB") and addresses obligations for all cloud offerings under Article 40 of the GDPR.

In order to adhere to the code, a cloud service provider must be a member of the general assembly of SCOPE Europe, sign a declaration of adherence and pay a one-time fee.

  2. GDPR compliance regarding the IaaS cloud

Regarding the compliance of IaaS cloud providers, the Data Protection Code of Conduct for Cloud Infrastructure Service Providers[3] (the "IaaS Cloud Code of Conduct") is relevant. The IaaS Cloud Code of Conduct provides security measures for ensuring data protection, a methodology and practical solutions to problems identified by cloud providers, and it gives an operational dimension to data protection principles. In this case, the IaaS GDPR compliance checklist should cover:

  • Implementation of specific procedures for the cloud provider

The information security policies and procedures should cover, at a minimum: (a) the scope and boundaries of the information security program, including business, organization, location, assets and technology; (b) usage policies defining appropriate usage for critical technologies (mobile devices; wireless technologies, e-mail and internet usage); and (c) roles and responsibilities to manage and implement information security policies.

Also, the cloud provider's personnel and the customer's personnel (the HR department) should acknowledge that they have read and understood the cloud provider's information security policies and procedures.

  • Limiting the cloud provider's personnel access

It is important to limit access to personal data to personnel who are only able to access information related to the structural elements of the cloud infrastructure, its configuration and the configuration of logical environments assigned to customers.

  • Security

Cloud providers that take into consideration the provisions of the IaaS Cloud Code of Conduct are encouraged to take into consideration the requirements of ISO/IEC 27001, ISO/IEC 27017 and ISO/IEC 27018.

The IaaS Cloud Code of Conduct is validated by the EDPB[4] and it is the first and only code developed for IaaS cloud service providers. It concretely helps IaaS cloud providers and their customers to create safe data environments. By declaring that a service adheres to the IaaS Cloud Code of Conduct, cloud providers assure customers that data processing undertaken by the service is fully GDPR compliant; in turn, this builds confidence among their users.

An IaaS cloud provider that declares adherence to the IaaS Cloud Code of Conduct will comply with all the requirements for any service covered by its declaration and may use the compliance marks. The declaration of adherence must be completed and submitted in accordance with the guidelines for adherence to the IaaS Cloud Code of Conduct.


[2] Opinion 16/2021 on the draft decision of the Belgian Supervisory Authority regarding the “EU Data Protection Code of Conduct for Cloud Service Providers” submitted by Scope Europe.

[4] Opinion 17/2021 on the draft decision of the French Supervisory Authority regarding the European code of conduct submitted by the Cloud Infrastructure Service Providers (CISPE).
