Data protection and data security when using cloud computing solutions

According to the IT industry association Bitkom, two thirds of German companies rely on cloud services, with data protection as a decisive criterion when choosing a cloud service provider.

ZEP Blog

"Two out of three companies rely on cloud" - Under this title, the IT industry association Bitkom published current figures on cloud use in German companies as recently as June 2018. The association's conclusion: "Cloud computing has established itself." However, the association's experts also point out that "data protection is the top criterion when it comes to choosing a cloud service provider."

But what are the data protection-related questions that need to be answered when deciding on a cloud service provider?

Data protection and data security: Personal data as an asset worth protecting

If you deal with the topic of data protection, you will almost inevitably come across the term "personal data" within a very short time. According to current case law, personal data is "all information that relates or can at least be related to a natural person and thus allows conclusions to be drawn about that person's personality". In addition to the classic name and address data, this also includes the date of birth, gender or eye colour.

The legislator defines so-called "special personal data" as particularly worthy of protection. This includes information on ethnic and cultural origin, political, religious and philosophical beliefs, health, sexuality and trade union membership. Within the framework of the legally defined informational self-determination of each of us, the storage and processing of personal data is only permitted with consent and under certain conditions.

The GDPR and its consequences for the use of cloud computing solutions

With the EU General Data Protection Regulation (EU GDPR), which came into force in May 2018, the latter right to informational self-determination in particular was further strengthened. The definition and protection of personal data as a central legal asset was taken over from the previously applicable Federal Data Protection Act.

Newly regulated in the GDPR are the

  • Right to information: Every person has the right to know what information has been stored about them and for what purpose.
  • Right to erasure: Every person has the right to have their data deleted immediately if they so wish. In this context, the term "right to be forgotten" is often used.
  • Right to data portability: Any person has the right to have their collected data given to them in a "structured, commonly used and machine-readable" format so that they can pass it on to another service provider.

The contractual relationship between cloud computing user and cloud computing provider was also newly regulated. The former "commissioned data processor" became the "processor". The tasks and obligations of both parties are laid down in the contract for commissioned processing (the AV contract, i.e. the data processing agreement). Here, too, the protection of personal data plays a central role.

In principle, the cloud computing customer (the controller) remains responsible for compliance with data protection requirements when processing personal data. However, this does not mean that the processor is free from liability: according to Art. 82 EU GDPR, the processor is jointly liable with the controller. According to paragraph 2 of that article, however, the processor's liability is limited to breaches of the obligations specifically imposed on processors.

GDPR vs. Cloud Act: Caution is advised

Already at the end of March 2018, i.e. before the GDPR came into force, the US government adopted the Clarifying Lawful Overseas Use of Data (CLOUD) Act. True to the motto "America first", this law gives American authorities the possibility to access user data stored in data centres of American service providers outside the USA - without informing the user and without giving him or her the right to object. The regulation thus clearly contradicts the provisions of the GDPR. Furthermore, it undermines the sales pitch of American cloud companies that opened data centres in Germany to comply with the repeated wishes of their German customers to store data locally in their home country. Since the CLOUD Act came into force, a German data centre alone no longer protects those customers from secret access by American authorities.

The most important aspects of data protection and data security that you should consider BEFORE using a cloud solution

So if you are faced with the decision to use a cloud computing solution in the future and would like to take all data protection aspects into account, you should ask yourself the following questions - and answer them:

  • Where is the personal data processed via the cloud solution stored and processed: Germany, Europe, USA, or a third country?
  • Under which legal data protection regime does the cloud service provider fall: GDPR, CLOUD Act, or the regulation of a third country?
  • Which contractual agreements are therefore required: a contract for commissioned processing (AV contract) under the GDPR?
  • Which data protection rights and obligations result from this in the contractual relationship between my company and the cloud service provider?

When using ZEP, you can be sure to meet all data protection requirements that apply here in Germany. All data collected in ZEP is stored and processed exclusively in high-security data centres in Germany, and as a German company, provantis is subject to the requirements of the GDPR. Even before the new regulations came into force, all precautions were taken to ensure that these requirements were met by the deadline of 25 May 2018.

Should you have any questions on the subject of data protection and data security in ZEP, please do not hesitate to contact us. We are gladly available for information at any time.

Tanja Hartmann, Content Marketing Manager at ZEP
