Transparency in the processing of health data
Cloud Temple provides HDS-certified hosting and facilities management services specifically tailored to the challenges of the healthcare sector.
Pursuant to requirement 31 of the ANS HDS V2 standard, this section details the procedures for transfers of personal health data (PHCD) carried out by Cloud Temple, both within and outside the European Economic Area.
| HDS-certified activities | SecNumCloud 3.2 qualification | HDS-certified activities | Description | Third country access EEA | Risk of forced access | Declaration of conformity |
|---|---|---|---|---|---|---|
| 2,3,4,6 | Yes | Yes | Hosting and outsourcing of back-ups | No | No | No risk of access imposed by the legislation of a third country in breach of EU law |
| 5 | No | Yes | Outsourcing carried out exclusively from France | No (France only) | No | No transfer of personal health data to a country outside the European Economic Area |
| 5 | No | Yes | Outsourcing carried out by mixed teams, including staff based in France and freelance engineers based in Tunisia. | Nature of the data: Personal data hosted on outsourced customers' information systems<br>Categories of data: All categories of personal data stored by customers in their information systems.<br>Persons concerned: Customers, employees, suppliers or other contacts of managed services customers<br>Storage location: France<br>Purpose of the transfer: Managed services<br>Legal basis for the transfer: Standard Contractual Clauses (SCC)<br>Access to data: Technical administration rights to infrastructures. No operational access to health data, except for duly documented critical maintenance actions.<br>Scope of intervention: Access limited to the storage and technical infrastructure hosting the data, without processing the content. | Tunisian law places restrictions on government access to personal data.<br>Article 76 of Organic Law no. 2004-63 prohibits the transfer of data likely to undermine public security or Tunisia's vital interests. However, there are exceptions for reasons of national security, defence or international relations. The public body may refuse access to information in these cases. The Instance Nationale de Protection des Données à Caractère Personnel (INPDP) has the power to access personal data being processed in order to verify it.<br>Residual risk: Potential access by the Tunisian authorities strictly limited to cases of national security or defence cited by law. | |
Protection measures and appropriate guarantees
Contractual measures
Standard contractual clauses (SCC):
- Use of the SCCs adopted by the European Commission on 4 June 2021, based on the model recommended by the CNIL
- These clauses provide a legal framework for transfers of personal data outside the EU
- They incorporate the requirements of the GDPR and the recommendations following the Schrems II ruling.
Technical measures
- Strong encryption of data during transfer and processing
- Implementation of strict access controls and strong authentication
- Network segmentation and data partitioning
- Data access logging and monitoring
- Regular updating of security systems and applications
- Encrypted backup and regular restore tests
Organisational measures
- Background checks on staff
- ISO 27001 certification covering outsourcing activities
- Ongoing training for the provider's staff on data protection and information security
- Rapid notification procedure for access requests from the Tunisian authorities
- Implementation of a documented and regularly updated information security policy
- Procedures for managing security incidents and data breaches
- Regular assessments of information security risks
- Setting up a business continuity and disaster recovery plan
Data Protection Officer
Contact: dpd@cloud-temple.com