IT service provider

Cloud computing offers an efficient, flexible and demand-driven service over a network (usually via the internet). In addition, the cloud has become an indispensable part of today’s business life. “Software as a Service”, “Platform as a Service”, or “Infrastructure as a Service” make computing capacity available everywhere without expensive acquisition or maintenance. The IT service provider offers various services, such as storage space and application software online. Companies no longer have to operate their own servers to store their data, for example, but can make use of capacities and services as required and be invoiced accordingly.

Your data – your responsibility. Even in the Cloud

What about Data Protection when it comes to cloud computing though? If Personal Data are involved, Data Protection Regulations must be completely observed. Anyone who uses cloud services remains responsible for the data and must ensure that, in addition to responsibility, they also retain control over the data.

Diverse legal challenges

The cloud harbors additional risks because different parties work together. To comply with Data Protection Law, cooperation arrangements and the corresponding data flows must be precisely coordinated and laid down in contracts. Cloud hosts must guarantee transparency, integrity and technical security of Data Processing to those affected in the “distant cloud”, which is only possible through individual contractual agreements with the provider. In particular, the following risks must be considered and dealt with:

  • Data loss and data manipulation
  • Access to the data by the cloud provider, third parties or secret services
  • Identity theft and account abuse
  • (Temporary) unavailability of the cloud service

Cloud computing requires experience in international data protection

The cloud becomes complex in terms of Data Protection Law when the data cross national borders, and almost every cloud is international. Do you know exactly where the server is located that processes your customer or employee data? Technical and organizational Data Protection issues are particularly important when Personal Data leave the European Union (EU). Data transfer to so-called third countries requires additional contractual security in case the level of Data Protection in the third country is lower, which is often the case. Such arrangements are important if digital expansion is to be successful and major risks are to be excluded.

Your partner for EU Standard Contractual Clauses and Binding Corporate Rules

Standard Contractual Clauses (SCC) of the EU Commission or Binding Corporate Rules (BCR) under Art. 46 GDPR can be used as the basis for data transfers via cloud services. When adding international subcontractors, the IT service provider must conclude suitable contracts for so-called Data Processing on behalf of the controller and observe the corresponding obligations to control these subcontractors.

Contracts provide security

Who guarantees that cloud providers will not act contrary to your orders? Among other things, contractually stipulated penalties, in addition to suitable measures to control the contractor.

Comprehensive solutions from a single source

As experts on Data Protection, we bring our knowledge to your projects in a sustainable manner and guide you safely through the requirements of cloud services. Our Expert Team has experience both as consultants for cloud providers and for companies working with a cloud. We can support both sides with Data Protection Audits. Additionally, we ensure compliance with legal obligations, which also strengthens the competitiveness of your company. Through risk analyses and Data Protection Audits, we reduce risks to a minimum.

If required, we can also act as an External DPO for you as an IT service provider or support your company’s Data Protection Officer with the compliant implementation of cloud computing. See our range of services for yourself and get in touch with us to arrange a non-binding appointment.

IT service providers and software manufacturers

IT service providers and software manufacturers also face special data protection challenges, and not just because of the GDPR.

The GDPR demands that the default settings for software, for example, should lead to more Data Protection and support the user in Data Protection. In addition, the collection, storage and processing of users’ Personal Data requires the informed consent of the Data Subjects or another legal basis. Art. 25 GDPR explicitly refers to Data Protection through technology design and Data Protection-friendly default settings and thus underlines its significance. The measures (e.g. Privacy by Design/Privacy by Default) are intended to ensure that Personal Data are only processed by default where it is necessary for the particular purpose.

In addition, the amount of collected Personal Data is limited by default, as is the scope of its processing. Clear definition and regulation of storage periods and restriction of access to data help to meet legal obligations. We are happy to support you in building competitive advantages, strengthening customer relationships and winning new customers with professional Data Protection Management. You benefit from the high professional competence and multiple qualifications of our Lawyers and Data Security Experts in the areas of Data Protection, cloud computing and IT security. Please feel free to contact us.