Kinast & Partner

Cloud computing and data protection

Cloud computing is a web-supported service that is efficient, flexible and need-based. It is almost impossible to imagine doing business without the cloud today.

“Software as a service,” “platform as a service” and “infrastructure as a service” features allow computer services to be used anywhere, without high procurement costs and expensive maintenance.

Your data – your responsibility. Even in the cloud.

But how does data protection work in cloud computing? If personal data is involved, all data protection regulations must be observed. Anyone who uses cloud services remains fully responsible for the data and, in addition to this responsibility, must maintain control over it.

Multiple legal challenges

The cloud is associated with risks because new participants are involved. In terms of data protection law, relationships must be carefully regulated by way of contracts. Deletion obligations, for instance, can only be fulfilled by the party that contractually establishes the procedures and control mechanisms for deleting data. Cloud users must guarantee the affected parties transparency, integrity and compliance with auditing standards in data processing – but in the remote cloud, this is only possible through individual contractual agreements with the provider.

Cloud computing requires experience with international data protection

The cloud becomes very complicated in terms of data protection law once national borders are crossed, and almost every cloud is international. Do you know the exact location of the server where your customer and employee data is processed? Technical and organizational data protection becomes very important whenever personal data leaves the EU or the EEA. Data transfer to non-EU countries requires additional contractual protection if the data protection level in the target country is too low, as is often the case. Such precautions are important in order to prevent this digital expansion from becoming a fiasco.

Your partner for Binding Corporate Rules, standard contractual clauses and Safe Harbor

Even the “Safe Harbor” certification in the United States does not warrant blind trust. Self-certification by US companies is not subject to comprehensive controls, so you need to check for yourself whether data protection is ensured. Alternatively, standard contractual clauses from the EU Commission or Binding Corporate Rules can be used as a basis. If sub-contractors are involved, international contracts must also be concluded for contract data processing, and the corresponding control obligations must be observed.

Contracts provide security

Who can give you a guarantee that cloud providers are not acting contrary to contract? Among other things, contractual fines and suitable control measures must be established that also correspond to the agreed-upon authority to give instructions.

Integrated one-stop solution

As data protection law experts, we contribute our expertise to your projects for the long term and steer you safely through the cloud. Our team has a wide range of experience, both as consultants for cloud providers and for companies that work with the cloud. We use a data protection audit to support both sides equally, thereby ensuring traceable legal compliance that allows you to sustainably strengthen the competitiveness of your company.

If necessary, we will also be glad to act as an external data protection officer for your company, and/or to help your company's data protection officers implement cloud computing in a legally compliant manner. Explore our impressive service offerings and contact us to arrange a non-binding meeting.