This article describes and analyses three recent decisions by the Swedish Data Inspection Board (Datainspektionen) directly focused on cloud computing. All three decisions were published on 28 September 2011 as part of a supervisory project seeking to clarify what demands the Data Protection Act places on organisations utilising cloud computing. As such, and due to the fact that similar concerns arise in the three matters, there is considerable overlap between the three decisions. Indeed, large parts of text are identical in the three decisions. To avoid repetition, I discuss the first decision in most detail, and limit the discussion of overlapping issues in the context of the other two decisions.