There is no definitive answer to this. GDPR drafting simply did not envisage a brexit scenario, and if you assume there is a forbidden transfer this leads to a clear paradox.
The cloud supplier is a processor. Presumably there is a fully Art 28 compliant contract so processor MUST act on your instructions including disclosing your data back to you. On the other hand, as Jon says there seems to be no valid transfer mechanism. So the processor is in breach whatever he does.
Frankly I am not going to worry about this. We asked our processors to confirm that the arrangements would continue and they were all content to do so.
If I had to place a bet I would say regulators would clearly uphold the contract as being a valid mechanism in some way - perhaps by saying that accessing your own data, held by a processor is not a 'transfer'. From a purposive point of view what other conclusion could there be?
The alternative is absurd. The processors have your data, they can't return it, but they have no valid basis to hold it ... that does NOT protect the rights of the subjects.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|