Data Protection in The Cloud in Germany

However, the data protection risks must not be neglected when using the services of cloud providers, otherwise the cost benefits could suddenly turn into a cost and liability trap. The risks associated with cloud computing are often structural and lie in the storage of data on servers located outside the company and maintained by an external service provider.

If companies opt for decentralized data processing by the cloud provider, they are legally obliged to ensure that

• the latter has implemented suitable technical and organizational measures to protect the outsourced data,
• the processing is carried out in accordance with the provisions of the GDPR, and
• the rights of data subjects can continue to be guaranteed.

Compliance with these obligations is often difficult for companies in practice, as the following application examples show:
 

• Confidentiality and integrity
  In cloud computing, the computing resources offered by the provider are often shared through the use of virtualization, so there is no physical separation of data between different users. This increases the risk of unauthorized access to the data stored by the cloud provider.
  For this reason, when storing sensitive data in the cloud, it is particularly important to consider the technical and organizational measures guaranteed by the cloud provider to separate customer data. However, even in the case of non-sensitive data, the customer is obliged to carefully examine the data security measures before placing an order. In the case of extensive outsourcing of affected data, it may even be necessary in individual cases to carry out an on-site inspection at the data processing location.
   
• Data subjects' rights
  Upon termination of the contract, the company must delete all outsourced data from the cloud. In addition, data subjects have a right to deletion under certain circumstances, which the company must comply with immediately. On the other hand, cloud providers usually store the data on different platforms and databases, which can make it extremely difficult to locate and permanently delete the data.
  As a result, companies must ensure that the cloud provider enables them to delete the stored data at any time, permanently and immediately. If the service provider cannot ensure that the data is deleted completely, the ordering company is liable to the person concerned and must also answer to the supervisory authority.
   
• Transfer to third countries
  Companies may only transfer data to third countries if it has been ascertained that there is an adequate level of data protection. Often the data stored in the cloud is transferred by the cloud provider to different servers around the world, depending on the available computing capacity.
  Companies do not always know the data flows of the cloud provider from the very start, which means that it can hardly be guaranteed that the data is only transferred to third parties that have an adequate level of data protection. It is therefore essential to select a cloud provider that transparently discloses the destination countries of the data transfers from the outset.
  If companies commission cloud providers who are not in a position to implement the requirements of the GDPR, the outsourcing company is at risk of considerable fines. The selection of a cloud provider that complies with the GDPR is therefore of considerable importance.