Dear Martin, As part of our cloud first strategy, we have put in place policies mandating that if we decide to migrate to cloud a service that contains personal data, this data will be stored and processed in data storage locations within the EEA. When personal data is not processed outside the EEA, there is no transfer of personal data occurring.
In the event that for example access to our data is required from outside the EEA (e.g. we request technical support from the cloud provider and this gets provided by technical staff outside the EEA), one of the offered under GDPR transfer mechanisms such as transfers based on an adequacy decision issued by the European Commission, Standard Contractual Clauses etc would serve as the legal basis for this transfer to take place. The most common transfer mechanism that we see being used by our service providers are the Standard Contractual Clauses and valid adequacy decisions. With regards to international transfers of personal data based on the Standard Contractual Clauses, we perform an assessment to understand what additional measures are required to be put in place on a case-to-case basis. Examples include technical (e.g. limiting access to the data that is strictly necessary for the particular case) and contractual measures (e.g. verifying the provider's transparency with regards to received orders to disclose their customer's data and how they respond to those requests). Regarding your last question, we would like to reassure you that before we migrate a service to the cloud various internal stakeholders including technical, security, legal, communications and other colleagues are consulted to advise on the matter. These analysis are meant for internal purposes. Kind regards, Maria Stafyla Senior Legal Counsel RIPE NCC
