But what are the data protection-related questions that need to be answered when deciding on a cloud service provider?
If you deal with the topic of data protection, you will almost inevitably come across the term "personal data" within a very short time. According to current case law, personal data is "all information that relates to a natural person or can at least be related to a natural person and thus allows conclusions to be drawn about that person's personality". In addition to the classic name and address data, this also includes the date of birth, gender or eye colour.
The legislator defines so-called "special personal data" as particularly worthy of protection. This includes information on ethnic and cultural origin, political, religious and philosophical beliefs, health, sexuality and trade union membership. Within the framework of the legally defined informational self-determination of each of us, the storage and processing of personal data is only permitted with consent and under certain conditions.
With the EU General Data Protection Regulation (EU GDPR), which came into force in May 2018, this right to informational self-determination in particular was further strengthened. The definition and protection of personal data as a central legal asset was taken over from the previously applicable Federal Data Protection Act.
Newly regulated in the GDPR are the
The contractual relationship between cloud computing user and cloud computing provider was also newly regulated. The commissioned data processor became the processor. The basis for the tasks and obligations is regulated by the contract for commissioned processing (AV contract). Here, too, the protection of personal data plays a central role.
In principle, the cloud computing customer remains responsible for compliance with data protection requirements when processing personal data. However, this does not mean that the processor is free from liability. According to Art. 82 EU GDPR, the processor is jointly liable with the controller. However, according to paragraph 2, the processor's liability is limited to breaches of obligations specifically imposed on it.
As early as the end of March 2018, i.e. before the GDPR came into force, the US government adopted the Clarifying Lawful Overseas Use of Data (CLOUD) Act. True to the motto "America first", this law gives American authorities the possibility to access user data stored in data centres of American service providers outside the USA, without informing the user and without giving the user a right to object. The regulation thus clearly contradicts the provisions of the GDPR. Furthermore, it "undermines" the sales tactics of American cloud companies that have opened data centres in Germany and thus complied with the frequently expressed wishes of their German customers to store data locally in their home country. Since the CLOUD Act came into force, local storage no longer protects these customers from secret access by American authorities.
So if you are faced with the decision to use a cloud computing solution in the future and would like to take all data protection aspects into account, you should ask yourself the following questions - and answer them:
When using ZEP, you can be sure to meet all data protection requirements that apply here in Germany. All data collected in ZEP is stored and processed exclusively in high-security data centres in Germany, and as a German company, provantis is subject to the requirements of the GDPR. Even before the new regulations came into force, all precautions were taken to ensure that all these requirements would be met by the deadline of 25 May 2018.
Should you have any questions on the subject of data protection and data security in ZEP, please do not hesitate to contact us. We are gladly available for information at any time.