27 March 2026

Operational Sovereignty In Personal Data Processing In Cloud Environments

A&O Shearman

Contributor

On February 23 2026, the Spanish supervisory authority (AEPD) published an article containing recommendations on operational sovereignty when processing personal data. This follows a major incident on October 20 2025, where a cloud provider experienced technical issues in the United States which affected services globally.

The AEPD highlighted that even when organisations store data in the EU, data storage may still depend on centralised services (such as identity management, DNS or encryption key management) located outside of the EEA. An issue with these services may compromise the ability to process data in the EU, including system availability and resilience, potentially resulting in a breach of Article 32 GDPR (security of processing) and impacting the rights and freedoms of data subjects.

To mitigate this risk, the AEPD suggests that controllers using cloud services: 

  • review their data protection impact assessments (DPIAs) to ensure they consider the risk and impact of cross-border dependencies on the availability of their services; 
  • ask their third-party service providers to provide information on the location of their own resources;
  • design systems that are capable of keeping critical functions operating during any failure of the centralised services required to operate them; and
  • consider whether to use multi-cloud or hybrid services to avoid single points of failure.

The AEPD notes that these measures align with the GDPR’s accountability principle, which requires controllers to identify, assess and mitigate risks associated with critical technological dependencies.

The article is available here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
