A data controller must remain in control of the personal data it collects when it subcontracts the processing to a cloud provider. A key element of control is to ensure the security of the data. Controllers (both clients and cloud service providers) also need to be transparent about the processing of personal data. Important for both control and security is the location of the data. A related issue is also the requirement for a written contract.
EU Commission’s Microsoft 365 Usage Breaches GDPR
EU Commission violates GDPR with Microsoft 365 usage, faces corrective measures by EDPS.