It has gone almost unnoticed that at a meeting on 28-29 September 2011, the German data protection authorities with responsibility for the private sector approved detailed guidance on cloud computing. Although not legally binding, the guidance expresses the view of all German authorities in this field and therefore has de facto relevance for private companies that are subject to German data protection law.
In an accompanying press release, the data protection authorities called upon providers to design their cloud services in a data protection-compliant manner. At the same time, they reminded cloud users that they may only make use of cloud services if they are in a position to exercise their obligations as a controller and have checked the implementation of the data protection and information security requirements. For this purpose, the data protection authorities require as a minimum:
- Transparent and detailed information by cloud service providers regarding the technical, organisational and legal framework conditions of the services they offer, including a security concept; in addition to the requirements of data confidentiality, integrity and availability, this encompasses, in particular, requirements as to the controllability, transparency and the possibility of influencing the data processing;
- Transparent, detailed and unambiguous contractual provisions regarding the data processing, in particular concerning the location of the data processing and information about possible changes of location, portability and interoperability;
- The implementation of agreed security and data protection measures by both the cloud service provider and the cloud user;
- Up-to-date and meaningful evidence, i.e. certificates issued by recognised and independent auditors, regarding the infrastructure used, in particular regarding the security, portability and interoperability of data.
The guidance document, which has been prepared by the two data protection authorities’ working groups on technology and media, is addressed to decision makers, data protection officers and IT managers. It is divided into four main sections—introduction, terminology, data protection-related aspects and technical and organisational aspects.
Pursuant to the guidance document, cloud computing is characterised by the following particularities in relation to data protection and data security.
- Supposedly anonymised data may become reidentifiable when processed in the cloud.
- The use of cloud services and the provision of IT services regularly involves several parties whose relationship must be properly assessed.
- The controller has to ensure the legality of the data processing in its entirety and, in particular, respect the obligation to erase data, rectify incorrect data and block data, as well as data subjects’ right of access.
- Regarding international clouds, there must be a legal basis for the transmission of personal data to third countries.
- From a technical and organisational point of view, the controller must ensure the proper erasure and separation of data as well as the transparency, integrity and revisability of the data processing; i.e., it must be possible to establish who has processed which data, when and in which manner.
Data protection-related aspects
As regards aspects relating to data protection, the guidance document discusses the following.
- Responsibility of cloud users. In the data protection authorities’ view, the cloud user typically acts as the controller and the cloud service provider as the processor, although in certain cases the cloud service provider may be a controller. As the controller, the cloud user is responsible for ensuring compliance with all data protection requirements. In this respect, the data protection authorities point in particular to the obligation on controllers to conclude a written processor agreement in accordance with the specific provisions regarding processor agreements under the German Data Protection Act.
- Control of cloud service providers. As a controller, the cloud user must satisfy himself both prior to the commencement of the data processing and regularly thereafter that the cloud service provider complies with the technical and organisational security measures. Whilst the authorities acknowledge that it may not always be possible for the cloud user to carry out on-the-spot checks, reliance on mere assurances by the cloud service provider is not, in fact, considered to be sufficient. Rather, cloud users must conduct research to satisfy themselves that the statutory or agreed security standards are being complied with. For this purpose, the cloud user may want to require the cloud service provider to undergo a special certification or seal process. The same obligations essentially apply in relation to subprocessors.
- Rights of data subjects. In order to allow the cloud user to comply with the rights of data subjects, the data protection authorities recommend, in particular, that the cloud user contractually reserves—subject to penalties—the right to give instructions to the cloud service provider that guarantee the rights of data subjects.
- Cross-border data transfers. The data protection authorities consider it necessary that the cloud user be informed in advance about all possible locations where personal data may be processed. The data protection authorities require that the location of the technical processing be contractually agreed between the cloud user and the cloud service provider, even if the cloud is located in Europe. This would also allow for contractual obligations on the cloud service provider to only use technical infrastructure that is physically located in the EU.
Where personal data are transferred outside the EU, appropriate safeguards—such as standard contractual clauses or binding corporate rules—must be taken to ensure the protection of the data. In this respect, the German data protection authorities reiterate their view that the European Commission standard contractual clauses for data transfers to a processor established in a third country do not fully meet the requirements applicable to processor agreements under the German Data Protection Act. They therefore consider it necessary that additional provisions be included in such clauses or even a separate agreement be concluded so as to ensure compliance with the relevant law.
Where the cloud service provider is a Safe Harbour-registered company, the guidance document emphasises that data exporters in Germany must, as a minimum, check whether the data importer’s Safe Harbour certification is still valid and applies to the personal data concerned, as well as verify that the U.S. data importer has agreed to cooperate with the EU data protection authorities and that the data exporter will receive the necessary information from the data importer in cases where a data subject exercises his right of access. In addition, a written processor agreement in line with the German Data Protection Act must be concluded.
If the data processor is established outside the European Economic Area (EEA), in addition to respecting the rules regarding processors and international data transfers, the controller must also ensure that the data transmission can be based on one of the legal grounds for legitimacy of data processing. One option is the so-called legitimate interest criterion (cf., Article 7 lit. f of the EU Data Protection Directive), which does not, however, apply in cases of sensitive data—in this case, the German data protection authorities consider the use of cloud computing services outside the EEA not to be permissible under German data protection law.
Technical and organisational aspects
As regards the technical and organisational aspects, the guidance document discusses cloud-specific risks and traditional risks. Cloud-specific risks can concern the deletion of data, the cloud user’s difficulty in accessing logs and documentation, and the multiplication and dissemination of data, whereas traditional risks include, for instance, cybercrime as well as problems relating to data separation, transparency and data availability. The guidance even goes on to discuss the three different categories of cloud services, i.e. Infrastructure as a Service, Platform as a Service and Software as a Service, in light of the various protective goals, namely availability, confidentiality, integrity, revisability and transparency. However, the guidance document generally refrains from prescribing concrete measures that a cloud user or cloud service provider should take, instead describing the potential risks that the cloud user and the cloud service provider should address and in some cases also indicating specific measures.
Conclusion
Cloud users and cloud service providers that are subject to German data protection law are well-advised to carefully review the guidance document since noncompliance can entail the risk of the imposition of fines and enforcement actions as well as liability vis-à-vis data subjects. Moreover, controllers may be subject to data breach notification obligations vis-à-vis data protection authorities and data subjects in cases where particularly sensitive categories of personal data have been disclosed illegally or have otherwise come to the knowledge of unauthorised third parties.