There are a number of aspects of data protection that you should pay particular attention to when using cloud services. These include (i) the use of processors and sub-processors, (ii) the security of data processing and (iii) the transmission of personal data to third countries.
- Revised privatim factsheet 'Cloud-specific risks and measures' (in German and French only) (2022)
- Brochure issued by the German Federal Office for Information Security 'Secure use of cloud services – step by step from the strategy to the expiry of the contract' (in German only) (2016)
- Brochure issued by the German Federal Office for Information Security 'Checklist for selecting a cloud service' (in German only) (2022)
What is cloud computing and when is it relevant to data protection and privacy?
From a technical perspective, cloud computing is the on-demand provision of applications and software, storage capacity, development tools, network capacity or computing power via a network such as the internet from a cloud service provider.
Examples of cloud computing:
- Office 365 tools that allow colleagues to work together online;
- Online tools to manage e-mail addresses for newsletters or customer services;
- Online customer relations management systems;
- Uploading videos to streaming platforms;
- Uploading files to a remote server that is online etc.
If data is transferred to the cloud as part of these services, data protection legislation applies.
The relationship between cloud provider and customer from a data protection perspective
The company that offers cloud services usually acts as a processor for the customer (cloud user) as defined in Article 9 FADP. The customer can be the controller or a processor itself. As the processor, they must meet the requirements set out by the controller for data processing. As the controller, the customer is responsible for ensuring that the data processing carried out by the cloud provider on their behalf complies with data protection requirements and that outsourcing does not compromise the rights of data subjects.
The obligations of cloud users
As the controller, the cloud user is required to contractually ensure and satisfy themself that the requirements of processing in accordance with Article 9 FADP are complied with. Please refer to our explanations on outsourcing and third-party processing. If the use of cloud services involves cross-border data disclosure, checks must be carried out prior to this disclosure to ensure that it satisfies the legal requirements. Please refer to our explanations on cross-border disclosure of data.
Cloud services are characterised by the fact that they are offered as standardised solutions. This means customers have little margin for negotiation and limited opportunities to adapt the service to the requirements of their data processing. With that in mind, complying with data protection requirements can be a challenge.
As the controller, you are primarily responsible for ensuring that the data is processed lawfully. The provisions regarding data protection by design and data protection by default (Art. 7 FADP) require you to arrange the data processing in technical and organisational terms so that the data protection regulations are complied with, and to ensure by means of suitable default settings that the processing of personal data is limited to the minimum required for the specific purpose.
If the standard service does not offer this, you can check whether it is possible to put in place technical measures to fully eliminate potential data protection risks. For example, you could completely encrypt or anonymise the data before transferring it to the cloud. However, if this is not feasible for the fulfilment of your processing purposes, you need to look for an alternative service that will allow you to process the data lawfully, or you should not outsource the processing.
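The two measures named above, limiting the transferred data to what the purpose requires (data protection by default) and transforming identifiers before they leave your premises, can be applied as a step in your own export pipeline. The following is an added illustration, not code from the FDPIC or from any cloud provider: it takes a constructed customer record destined for a hypothetical cloud newsletter tool, drops every field outside an allow-list, and replaces the remaining identifiers with keyed pseudonyms (HMAC-SHA256). The field names, the allow-list and the key are assumptions for the example. Note the caveat in the comments: because the key holder can recompute the mapping, this is pseudonymisation, not the full anonymisation the text mentions as the stronger option.

```python
import hashlib
import hmac

# Constructed sample record, as it might sit in an internal system before being
# handed to a cloud-hosted newsletter tool (not real data).
SAMPLE_RECORD = {
    "customer_id": "C-1042",
    "name": "Example Person",
    "email": "person@example.org",
    "phone": "+41 00 000 00 00",
    "health_note": "allergy information",  # sensitive personal data: must never leave
    "newsletter_topics": ["security", "privacy"],
}

# Assumed allow-list: the only fields the cloud service needs for this purpose.
# Data protection by default means everything else is dropped before transfer.
ALLOWED_FIELDS = {"customer_id", "email", "newsletter_topics"}

# Assumed set of fields that are needed as stable identifiers but not in clear text.
PSEUDONYMISE_FIELDS = {"customer_id", "email"}

# Constructed key for this example. In practice the key stays with the controller
# (e.g. in an on-premises secret store) and is never sent to the cloud. Anyone
# holding it can re-identify the pseudonyms, so this is pseudonymisation, not
# anonymisation; choose anonymisation where the purpose allows it.
PSEUDONYM_KEY = b"example-key-kept-by-the-controller"


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed one-way mapping of an identifier to a stable 64-hex-char pseudonym.

    The same value with the same key always yields the same pseudonym, so the
    cloud tool can still deduplicate and correlate records without seeing them.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def prepare_for_cloud(record: dict,
                      allowed: set = ALLOWED_FIELDS,
                      pseudo: set = PSEUDONYMISE_FIELDS,
                      key: bytes = PSEUDONYM_KEY) -> dict:
    """Return the minimised, pseudonymised copy of a record that may be transferred.

    The original record is not modified.
    """
    out = {}
    for field, value in record.items():
        if field not in allowed:
            continue  # data minimisation: fields outside the purpose are never sent
        if field in pseudo:
            out[field] = pseudonymise(str(value), key)
        else:
            out[field] = value
    return out


def unexpected_fields(payload: dict, allowed: set = ALLOWED_FIELDS) -> set:
    """Pre-transfer check: fields in the outgoing payload that are not on the allow-list."""
    return set(payload) - set(allowed)


def clear_text_identifiers(payload: dict, original: dict,
                           pseudo: set = PSEUDONYMISE_FIELDS) -> set:
    """Pre-transfer check: identifier fields whose original value still appears verbatim."""
    return {f for f in pseudo if f in payload and payload[f] == original.get(f)}


if __name__ == "__main__":
    payload = prepare_for_cloud(SAMPLE_RECORD)
    print("outgoing payload:", payload)
    print("unexpected fields:", unexpected_fields(payload))
    print("clear-text identifiers:", clear_text_identifiers(payload, SAMPLE_RECORD))
```

Running the two check functions against every payload just before it is sent gives you a cheap, testable control that the export still matches the processing purpose you documented, even when the cloud service's own settings cannot be changed.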
Tips for controllers
Familiarise yourself with your data and its protection requirements:
The first step in checking the legal compliance of outsourcing data to a cloud provider involves analysing the data to be outsourced. Is it purely non-personal data or does it also involve personal data? If it is only non-personal data, you don't need to worry about data protection requirements. How sensitive is the data to be processed? Is the data subject to duties of confidentiality or is it deemed sensitive personal data? The protective measures are highly dependent on the type of data. Also, depending on the data processing task, a data protection impact assessment may be necessary.
Get to know your potential cloud service provider and check the terms and conditions of service (e.g. GTCs or service agreement).
The following questions can help:
Does the cloud provider have guidelines and processes in place to ensure that its employees are bound by a duty of confidentiality or are subject to other appropriate confidentiality obligations, and can the cloud provider demonstrate compliance with them?
Is the cloud provider contractually obliged to process personal data only according to your documented instructions, or does the cloud provider reserve the right to process personal data for its own purposes? Does the contract state or can you specify that the cloud provider deletes or returns the personal data after the contract has ended?
Has the cloud provider put in place appropriate measures to protect the outsourced data processing from data security risks? Does the cloud provider have a procedure for checking that the measures are effective and up to date?
Does the cloud provider keep an inventory as defined in Article 12 paragraph 1 and Article 3 FADP, and is this available if the Federal Data Protection and Information Commissioner requires it as part of an investigation?
Does the cloud provider have an overview of its sub-processors? Has the sub-processor provided you with the relevant documentation, in particular regarding the countries in which the data will be processed? Does the cloud provider have a procedure in place to inspect its sub-processors in order to ensure that they are also able to meet the data protection requirements you have stipulated? Does the agreement between the cloud provider and its sub-processors reflect the requirements that you as data controller have imposed on the cloud provider? Does the contract stipulate a deadline for submitting documentation concerning sub-processors? Is the time limit adequate to allow you to carry out checks?
With regard to the data processing assigned to it, does the cloud provider have a procedure for handling requests from data subjects in accordance with Chapter 4 of the FADP or investigations by the data protection supervisory authority? Does the cloud provider have a procedure in place to comply with Article 24 paragraph 3 FADP and can it assist you if necessary in fulfilling your notification obligation under Article 24 paragraph 1 FADP? If you conduct audits yourself, does the cloud provider offer support with audits?
Last modification 19.04.2023