cloud-migration-dpia
Assessing Cloud Migration Privacy
Overview
Migrating personal data to cloud infrastructure (IaaS, PaaS, SaaS) introduces fundamental changes to the data protection landscape: the controller cedes physical control over personal data to a cloud service provider (CSP) acting as processor, creating dependencies on the CSP's security measures, geographic infrastructure, and sub-processor chain. This skill provides a DPIA methodology covering the Art. 28 controller-processor relationship, international transfer assessment under Chapter V, encryption and key management requirements, the shared responsibility model, and sub-processor governance.
Legal Framework
GDPR Art. 28 — Processor Obligations
Art. 28(1) requires the controller to use only processors providing sufficient guarantees to implement appropriate technical and organisational measures to ensure processing meets GDPR requirements.
Art. 28(3) mandates a binding contract or legal act setting out:
- Subject matter and duration of processing
- Nature and purpose of processing
- Type of personal data and categories of data subjects
- Obligations and rights of the controller
- Specific processor obligations including: processing only on documented instructions, confidentiality, security measures, sub-processor approval, data subject rights assistance, deletion/return on termination, audits and inspections