Data storage is increasingly moving to the cloud, away from local servers. What many companies are not aware of: convenient as it is to have little to worry about, responsibility for data protection and information security still rests with you.
Cloud computing as order processing
The responsibility for the data within the meaning of Art. 4 No. 7 GDPR cannot be outsourced to the provider in the context of cloud computing, but always remains with the contracting company. This makes it all the more important to thoroughly determine your needs, carefully select the provider and provide sufficient documentation in accordance with the GDPR.
So what to do with clouds?
To precisely determine their needs, companies have to clarify many points internally, including the following: For what purposes should the cloud be used? Which and how much data should be processed in it, who needs access to it? How much security does this data need, what protection goals does the company pursue?
Selection of providers for clouds
When choosing a provider, emphasis should be placed on certifications in the area of information security, above all ISO 27001. Ideally, however, the provider should also be able to demonstrate conformity with ISO 27017 and ISO 27018. ISO 27017 is a standard specifically designed to secure cloud services. It belongs to the ISO 27001 family of standards and adds cloud-specific security controls for each area of the higher-level ISO 27001. ISO 27018 is also based on the higher-level ISO 27001 standard, but regulates in detail the requirements for processing personal data in cloud computing.
If the provider can present as much evidence as possible of compliance with these international standards, the contracting company can assume that it has selected a secure provider that complies with data protection regulations.
The selection of the provider causes major problems insofar as the transmission of data to the USA can no longer be based on the EU-US Privacy Shield under data protection law after the Schrems II ruling of the ECJ. It is essential to pay attention to the location of the cloud provider’s servers. Data may only be processed within the EEA or in third countries for which the EU Commission has issued an adequacy decision in accordance with Art. 45 GDPR.
Since politicians are also aware of this, there is a growing number of initiatives that advocate clouds within the EEA and look for solutions in cooperation with companies. According to the data protection strategy of February 2020, it is also the goal of the EU Commission to create higher European cloud capacities.
Conclusion of an order processing agreement
It is essential to conclude an order processing agreement (GCU) in accordance with Art. 28 Para. 3 GDPR. You can find samples on the websites of the supervisory authorities, e.g. here: https://www.lda.bayern.de/media/muster_adv.pdf
It is important that you adapt the GCU template to the specific individual case. If you need support with this, please do not hesitate to contact us.
Pay special attention to the TOM
When concluding the GCU, companies should pay particular attention to the definition of the technical and organizational measures (TOM) according to Art. 32 GDPR. When determining the TOM, the risk-based approach should be used: What risk is the company willing to accept? What measures can be used to minimize risks? Depending on the security requirements for your data, the specific TOM must be agreed with the cloud provider. Generic formulations alone, such as "Access control is guaranteed", are not sufficient.
Accountability according to Art. 5 Para. 2 GDPR
The GDPR states that companies must be able to prove that they comply with all data protection requirements. It is therefore essential that there is complete documentation, starting with the list of processing activities in accordance with Art. 30 GDPR, through the written conclusion of an order processing agreement (GCU) in accordance with Art. 28 GDPR, to the specific definition of the TOM in accordance with Art. 32 GDPR.
Not only for reasons of information security, your company should have an exit strategy in place in the event that a change of provider becomes necessary. Defined interfaces of the cloud are required to ensure data portability and interoperability. If you only think about this after you have transferred your data to the cloud, you can face major difficulties. It is always better to clarify in advance how data can be transferred out of the cloud and deleted.
Would you like to move to the cloud, but are unsure whether the provider offers sufficient data protection and information security? Talk to us, we will be happy to support you! You can reach us via our contact form.
Désirée Eder, a Diplomjuristin, studied law at the Universität Passau and worked for several years in Berlin as legal project manager and data protection officer at a state-owned real estate development company. Désirée Eder enriches the team not only with her legal know-how but is also the first point of contact for organization and documentation, for the increasingly important DIN-ISO standards and for certification processes. "For the benefit of our customers, open communication and a structured, efficient and thorough way of working are important to me."