Microsoftsamsearth Thanks for the answer. So whereas India's new Personal Data Protection Bill specifically mandates data residency in India (a copy for some data, and absolute localisation for "critical" personal data - the term "critical" being undefined in the legislation), Microsoft's view is that GDPR could be interpreted either way - that data residency in country / in region is required, or that data residency is not required in country / in region? e.g.,
- Recital 81 - the last line makes the assumption the processor is in the Union or a Member State, and therefore assumes data processing would happen in region.
- Recital 101 - talks about "flows of personal data on and from countries outside the Union" ... if data is not stored in the Union, do you view that as not being a flow? Or that Microsoft has sufficient safeguards in place to enable "full compliance"? (e.g., as outlined in Recital 108)
I interpret your point about companies still embracing Multi-Geo to help with GDPR in this way: GDPR doesn't mandate in region processing explicitly, but if processing is done in region, then it reduces the compliance efforts required by the company in putting in place organisational and technical measures to safeguard processing activities. Is that what you mean?
