We are a company based in Europe.

We have personal data about our users worldwide (name, mail, phone number, company, title). Currently it is stored in Microsoft Azure, and we don't know physically where it is.

We would like to know whether storing it in Microsoft Azure complies with GDPR. Is there any better choice?

2 Answers

3

According to azure.microsoft.com:

All Azure services can be used in compliance with the GDPR. If customers using Azure services choose to transfer content containing personal data across borders, they will need to consider the legal requirements that apply to such transfers. Microsoft provides customers with services and resources to help them comply with GDPR requirements that may apply to their operations.

And from harperjames.co.uk:

GDPR specifies that data must be stored within the EU or in a jurisdiction where a country outside the EU offers an adequate level of data protection. Currently, the European Commission has recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection. It has further adopted two adequacy decisions for transfers of personal data to the UK.

You can check which country your data is stored in on the Microsoft Azure dashboard to make sure.

2

You can always use cloud services if the data is guaranteed to remain in the EU. This is the case for many Azure services. You can also process data in non-EU locations, if this data transfer is adequately protected.

Since you're EU-based, GDPR applies to all of your data processing activities, regardless of where users are located. You can process your data anywhere within Europe, without additional restrictions.

International transfers

If you want to process your data outside of Europe, you're performing an international transfer. Whether such transfers are legal depends on a lot of factors like the laws in the target country, the data importer in that country, and on any additional safeguards such as encryption.

  • Some countries are recognized by the EU as offering an adequate level of data protection through their laws. Aside from adding one or two extra lines in your privacy notices, you can freely process your data in such countries.

  • When processing data in other countries that do not offer adequate protections, you may be able to ensure sufficient safeguards via a contract with the data importer. For this purpose, the EU has published Standard Contractual Clauses (SCCs). However, it remains your responsibility to ensure that these SCCs are actually sufficient and enforceable in your specific context, and that you implement supplemental protection measures as necessary.

  • There are additional available tools that are useful for multinationals but otherwise equivalent to SCCs.

  • There are a bunch of exceptions in Art 49 GDPR if no other basis for the transfer is available, such as the data subject's explicit consent to the high-risk transfer.

Specific concerns when using services from US-based companies

In this context, it is necessary to distinguish between where a company is located and where the data is being processed.

Use of US-based cloud services is generally impossible. In the Schrems II case, the CJEU struck down the “Privacy Shield” adequacy decision for the US. The court was concerned about US spy laws that go beyond what is necessary and proportionate for a democratic society.

If a US-based company is subject to those spy laws, then it cannot enter a contract that promises GDPR-like protections for the data (contracts cannot override legal requirements). Thus, SCCs alone are probably insufficient for EU→US data transfers. Nevertheless, many data controllers continued such transfers, for example with additional safety measures, or based on the legal theory that transfer impact assessments are sufficient, or by betting that actual enforcement is unlikely.

This doesn't apply to EU-based services provided by US-based companies. While there are some concerns about the extraterritorial reach of US laws like the Cloud Act, I'm not aware of any court judgement that ruled the use of such services to be illegal. But I do think that such laws should factor into a risk assessment when selecting data processors.

Azure

Some Azure services are hosted in the EU or in countries with an adequacy decision, so that they can be used as far as the GDPR is concerned. Of course, Azure would act as a data processor, so that you would need an Art 28 data processing agreement that covers these services. You will also have to consider your general responsibility to implement appropriate technical and organizational measures to ensure compliance and security of the data processing, for example encryption.

You may also be able to use cloud services that are hosted in other countries, based on SCCs.

If at all possible, avoid the headache of having to argue that the Schrems II concerns don't apply in your case, and avoid the use of services that would transfer personal data into the US.

Cloud providers generally offer very explicit control over the “regions” or “zones” where the data will be processed. Be careful when you can't explicitly select a zone.
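The two answers both come down to one operational check: know which region every resource actually lives in. The script below is an added example, not code from either answer or from Microsoft; it audits a resource inventory in the shape `az resource list -o json` emits against an allowed-region set, and treats resources deployed as "global" as needing manual review rather than silently passing them. The allowed-region list, the resource names and the sample inventory are all constructed assumptions.

```python
"""Audit an Azure resource inventory for data residency: flag resources
whose region is outside an allowed set. Added example, not from the
answers above; the inventory shape follows the fields `az resource list`
emits (name, type, location, resourceGroup). Sample data is constructed."""
from dataclasses import dataclass

# Assumption: regions your transfer assessment permits (constructed list;
# check it against your own adequacy analysis before relying on it).
ALLOWED_REGIONS = frozenset({
    "westeurope", "northeurope", "francecentral", "germanywestcentral",
    "swedencentral", "switzerlandnorth", "norwayeast",
})
# Resources deployed as "global" (DNS zones, Traffic Manager profiles, ...)
# have no single region, so where their data sits needs a manual check.
GLOBAL_LOCATION = "global"


@dataclass(frozen=True)
class Finding:
    resource_id: str
    location: str
    verdict: str  # "non-eu" or "review"


def audit_locations(inventory, allowed=ALLOWED_REGIONS):
    """Return a Finding for every resource not provably inside `allowed`.
    Location compare is case-insensitive: CLI and portal spell it differently."""
    findings = []
    for res in inventory:
        loc = str(res.get("location", "")).strip().lower()
        rid = f"{res['resourceGroup']}/{res['type']}/{res['name']}"
        if not loc or loc == GLOBAL_LOCATION:
            findings.append(Finding(rid, loc or "<missing>", "review"))
        elif loc not in allowed:
            findings.append(Finding(rid, loc, "non-eu"))
    return findings


# Constructed sample inventory; these are not real resources.
SAMPLE_INVENTORY = [
    {"name": "crm-db", "type": "Microsoft.Sql/servers", "location": "westeurope", "resourceGroup": "prod"},
    {"name": "crmblob", "type": "Microsoft.Storage/storageAccounts", "location": "eastus", "resourceGroup": "prod"},
    {"name": "crm-dns", "type": "Microsoft.Network/dnszones", "location": "global", "resourceGroup": "prod"},
    {"name": "crm-kv", "type": "Microsoft.KeyVault/vaults", "location": "NorthEurope", "resourceGroup": "prod"},
]

if __name__ == "__main__":
    for f in audit_locations(SAMPLE_INVENTORY):
        print(f"{f.verdict:7} {f.location:12} {f.resource_id}")
```

The check only sees a resource's primary location; storage accounts with geo-redundant replication also copy data to their paired region, so confirm that the pair stays inside your allowed set.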
