When choosing a provider, emphasis should be placed on certification in the area of information security, namely ISO 27001. Ideally, however, the provider should also be able to demonstrate conformity with ISO 27017 and ISO 27018. ISO 27017 is a standard specifically designed to secure cloud services and belongs to the ISO 27001 family of standards. This supplementary standard sets out the cloud-specific security aspects for each area of the overarching ISO 27001. ISO 27018 is likewise based on the overarching ISO 27001 standard, but regulates in detail the requirements for processing personal data in cloud computing.
The more evidence of compliance with international standards a provider can furnish, the more safely the party selecting it can assume that it has chosen a secure provider that complies with data protection regulations.
Selecting a provider has become considerably more difficult because, since the Schrems II ruling of the ECJ, transfers of data to the USA can no longer be based on the EU-US Privacy Shield under data protection law. It is essential to pay attention to the location of the cloud provider's servers. Data may only be processed within the EEA or in third countries for which the EU Commission has issued an adequacy decision in accordance with Art. 45 GDPR.
Since politicians are also aware of this, there are increasing numbers of initiatives that advocate clouds within the EEA and look for solutions in cooperation with companies. According to the data protection strategy of February 2020, it is also the goal of the EU Commission to create higher European cloud capacities.