Azure Data Residency and Azure storage queues

RKG 1 Reputation point
2022-02-11T11:04:01.233+00:00

All our current Azure workloads and SQL databases are located in the West-Europe region.
We want to create new databases in the US East and US West regions and want to use the existing Azure workloads. Just checking: does this violate GDPR compliance?
Also, can we store East-US data in West-Europe based Azure storage queues for processing? Will the Azure storage queue be considered persistent storage? If yes, can we switch to Azure Service Bus queues instead?
Please let me know your suggestions or thoughts on this.

Azure SQL Database
Azure Storage Accounts

2 answers

  1. Alberto Morillo 32,791 Reputation points MVP
    2022-02-15T13:48:41.37+00:00

    The GDPR applies to any organization that processes or controls data of an EU resident regardless of where the organization is located or where the data is handled or processed. An organization outside the US needs to be GDPR compliant in order to collect and process data of EU residents. So having infrastructure processing data outside of the EU does not violate GDPR per se.

    In case of a personal data breach, controllers must report the breach to the supervisory authority within 72 hours; it does not matter where the controller is located.

    If your organization creates policies to protect data from the beginning of when data is processed and also takes appropriate technical measures to ensure the protection of data throughout its lifecycle, then everything should be fine. The goal should be privacy by design and default. Data protection should be a fundamental process of organizations worldwide.

    Based on GDPR, organizations may have a Data Protection Officer (DPO), who are law experts such as lawyers or auditors, and they should act as a single point of contact for all data processing notifications. Please refer to the DPO in your organization, if it has one, to better answer your question. Do not take any risk and contact your DPO. If your organization fails to comply with GDPR, it could see fines upwards of 20 million euros or 4% of its annual global turnover (whichever is greater).

    About US citizens' data, if you are processing data of California residents, your organization better try to comply with the California Consumer Privacy Act (CCPA). I don't know of any other state with privacy laws that extend outside the USA.


  2. Sumarigo-MSFT 43,321 Reputation points Microsoft Employee
    2022-02-16T10:23:23.207+00:00

    @RKG Welcome to Microsoft Q&A Forum. Thank you for posting your query here!
    Adding more information to the above response! This article provides detailed information on Microsoft General Data Protection Regulation: https://learn.microsoft.com/en-in/compliance/regulatory/gdpr?view=o365-worldwide#data-subject-request-dsr (In the navigation pane on the left, browse through the article list or use the search box to find issues and solutions.)

    Data residency in Azure

    European privacy law, the General Data Protection Regulation

    Please let us know if you have any further queries. I’m happy to assist you further.
