The simple answer to that question is yes! But, it depends on the cloud service you choose. There are some things to consider before you put personal data in a cloud service, above all, it is important to ensure that the processing is done in accordance with the GDPR and that the data subject has given their permission for you to process the personal data.
What does the GDPR say?
Under the GDPR, data containing personal information must be stored on servers located in the EU. This is something that many foreign operators have solved by locating servers in Europe. It is easy to be lulled into a false sense of security. The US CLOUD ACT allows US authorities to request data stored in US cloud services, regardless of where the storage itself is located. A US cloud service is always subject to US law.
Not ok with personal data in US cloud services
From a GDPR perspective, this means that it is not acceptable to handle sensitive data such as personal data in a US cloud service as privacy cannot be guaranteed due to laws such as the CLOUD ACT.
Breaching the GDPR can be costly. In 2020, the Swedish Authority for Privacy Protection (IMY ) decided on penalties of SEK 150 million, mainly for businesses that did not comply with the GDPR.
