Public bodies manage particularly sensitive data and are obliged to protect it accordingly. The new privatim resolution once again raises the very specific question: How are cloud offerings compatible with the effective protection of sensitive data?

The Conference of Swiss Data Protection Commissioner (Privatim) states in its recently published resolution, «that the use of SaaS solutions from international providers for public bodies is only permitted if the personal data that is particularly sensitive or subject to a statutory duty of confidentiality is encrypted by the relevant body itself. The cloud provider must not have access to the key.» [1]

As specialists in information protection, we have long shared this view and see it as an important orientation for public administrations.

The special responsibility of the public sector

In the private sector, information is usually classified according to confidentiality levels - from «internal» to «confidential» or «secret». The classification «confidential» and higher is typically considered particularly worthy of protection, which usually includes customer data, personnel data, information on research and development, financial figures or M&A initiatives, etc.

Private companies can - within the legal framework - consciously decide what risk they want to take or whether or not they want to give up confidentiality. Of course, this does not apply to highly regulated sectors with a particular focus on data protection.

The situation is different for public authorities: They manage data that affects citizens and entire institutions. An individual risk assessment is not enough here. Public administration must be guided by clear guidelines - this is exactly what data protection officers and their committees are there for.

The privatim resolution now makes it unmistakably clear that the protection of particularly sensitive data must have top priority when using cloud services.

Principles for secure cloud use

Two central principles can be derived from the perspective of information protection:

• Principle 1: Without effective encryption, there is no real protection of data.
• Principle 2: The provider must not have access to the unencrypted data. (see also privatim resolution)

From principle to practice

A structured process is needed for these principles to take effect in everyday life:

1. classify information

First of all, it must be clarified what type of data is being worked with. Experience has shown that purely manual classification by end users leads to many errors. Automatic classification, on the other hand, reaches its limits as soon as information is combined: A very confidential overall picture can suddenly emerge from several inconspicuous components. This is where supplementary solutions such as data loss prevention or data governance approaches provide support. [2]

2. assess storage and processing location

When transferring or storing data, it is necessary to check where the data flows to and how the destination is characterized:

1. If the data is NOT confidential or particularly worthy of protection, processing or storage in international SaaS services may be permissible.
2. If the data is particularly sensitive or confidential, additional protective measures are required - or the transfer or storage must be prevented.

The necessary protective measures are derived from this.

3. implement suitable safety measures

Different approaches are indicated depending on the scenario:

1. Redirection of storage to a permitted target system, for example to your own infrastructure (on-premises) or to a local cloud provider.
2. Encryption of the data before transfer. This can be done in two ways:
   • For files, a digital rights management solution can [3] be applied. If Microsoft is used, for example, double key encryption is required to prevent the provider from accessing the information.
   • Field encryption is used for data in applications or SaaS solutions, where the sensitive data is encrypted directly in the data field.

Legal protection is not enough

Many organizations rely heavily on legal expertise and the applicable law. This is important, but it is no substitute for technical and organizational protective measures. Compliance does not automatically mean security or that the risk of data leaks is sufficiently reduced.

International developments - such as extraterritorial access rights of individual states - mean that smaller countries can no longer fully rely on a uniform global legal system. The Swiss Data Protection Commissioner's resolution takes this reality into account: public administrations must protect sensitive data in such a way that they remain under their own control, even when using cloud services.

What a solution could look like in practice

How can sensitive data be protected in modern cloud environments so that public bodies can maintain data sovereignty and at the same time benefit from the advantages of SaaS services?

In information protection, this challenge can only be met by proprietary encryption concepts.
This is precisely where our «Centraya» encryption solution comes in, through

• legally independent, self-generated and managed encryption keys,
• a central definition of where and how data is encrypted,
• and the uniform control of encryption across different applications and cloud services.

For public administration, this means that zero trust must not end at the network boundary, but must be extended to the data level - especially in the cloud.

We would be happy to show you what such a strategy could look like in your organization.

Footnotes

[1] privatim. (November 24, 2025). privatim.ch. From https://www.privatim.ch/de/privatim-verabschiedet-resolution-zu-internationalen-cloud-losungen/ retrieved

[2] Data Loss Prevention (DLP) helps to detect and prevent unwanted data outflows - for example when sending emails, uploading to the cloud or saving to external data carriers. Data governance defines the organizational framework for handling data, for example who is allowed to see, process or export which information, how long it must be stored and when it must be deleted.

[3] One Digital rights management solution (DRM) protects files by encrypting them and controlling their use granularly. It therefore determines who may open, edit, forward or print a file and for how long it may be used, even if it has already left the company's own infrastructure.