An increasing number of companies in Germany are opting to outsource their infrastructure, applications or software to cloud providers' data centers offering them access via the internet. Through
- "Infrastructure as a Service",
- "Platform as a Service" or
- "Software as a Service"
companies can thus save the costs of setting up and maintaining their own data center infrastructure or licensing software.
With usage-based pricing models, companies only pay the costs incurred by the actual use of the infrastructure, application or software.
However, the data protection risks must not be neglected when using the services of cloud providers, otherwise the cost benefits could suddenly turn into a cost and liability trap. The risks associated with cloud computing are often structural and lie in the storage of data on servers located outside the company and maintained by an external service provider.
If companies opt for decentralized data processing by the cloud provider, they are legally obliged to ensure that
- the latter has implemented suitable technical and organizational measures to protect the outsourced data,
- the processing is carried out in accordance with the provisions of the GDPR, and
- the rights of data subjects can continue to be guaranteed.
Compliance with these obligations is often difficult for companies in practice, as the following application examples show:
- Confidentiality and integrity
In cloud computing, the computing resources provided by the provider are often shared through the use of virtualization, so there is no physical separation of data between different users. This increases the risk of unauthorized access to the data stored by the cloud provider.
For this reason, when storing sensitive data in the cloud, it is particularly important to consider the technical and organizational measures guaranteed by the cloud provider to separate customer data. However, even in the case of non-sensitive data, the customer is obliged to carefully examine the data security measures before placing an order. In the case of extensive outsourcing of affected data, it may even be necessary in individual cases to carry out an on-site inspection at the data processing location.
- Data subjects' rights
Upon termination of the contract, the company must delete all outsourced data from the cloud. In addition, data subjects have a right to deletion under certain circumstances, which the company must comply with immediately. On the other hand, cloud providers usually store the data on different platforms and databases, which can make it extremely difficult to locate and permanently delete the data.
As a result, companies must ensure that the cloud provider enables them to delete the stored data at any time, permanently and immediately. If the service provider cannot ensure that the data is deleted completely, the ordering company is liable to the person concerned and must also answer to the supervisory authority.
- Transfer to third countries
Companies may only transfer data to third countries if it has been ascertained that there is an adequate level of data protection. Often the data stored in the cloud is transferred by the cloud provider to different servers around the world, depending on the available computing capacity.
Companies do not always know the data flows of the cloud provider from the very start, which means that it can hardly be guaranteed that the data is only transferred to third parties that have an adequate level of data protection. It is therefore essential to select a cloud provider that transparently discloses the destination countries of the data transfers from the outset.
If companies commission cloud providers who are not in a position to implement the requirements of the DSGVO, the outsourcing company is at risk of considerable fines. The selection of a cloud provider that complies with the DSGVO is therefore of considerable importance.
Our data protection experts will be happy to support you right from the planning stage of cloud-based data processing or data migration from local servers to cloud services:
- Advice on the selection of data protection-compliant cloud providers
- Preparation and review of binding corporate rules and EU standard contractual clauses for data transfer to third countries
- Drafting and review of contract processing agreements, especially for cloud computing
- Introduction of processes to guarantee the rights of those concerned
- Creation or adjustment of a response plan in the event of a data breach caused by the cloud provider
- Training of employees and managers in the correct handling of data and data breaches
"Privacy Law": Recent blog posts
30.06.2020 - Olga Stepanova
03.06.2020 - Olga Stepanova