Cloud computing is also on the rise in Germany and forms the basis for technical innovations of all kinds. More and more companies and private individuals are using online storage services.
By 2020, around 80 percent of data traffic worldwide is expected to come from the cloud.
GDPR will have priority of application
As cloud computing spreads, the call for data protection is also getting louder.
The General Data Protection Regulation (GDPR), which comes into force on May 25, 2018, is intended to remedy this situation.
Although the GDPR will not take precedence in validity from this date, it will take priority of application over national law.
National legislators are given the opportunity to regulate certain problematic cases themselves through so-called opening clauses.
However, due to the prohibition of repetition of standards and the direct applicability of the GDPR, no deviating regulations can be made on issues that have already been regulated in detail.
Cloud computing as order processing in the GDPR
In future, cloud computing will be regulated in detail in Art. 28 GDPR as commissioned processing.
The liability of the contractor for subcontractors acting in breach of the regulation and responsibility in the event of data breaches will also be expressly regulated by the GDPR in future.
Applicability of the GDPR for contact with the EU
The GDPR will be geographically applicable in a large number of cases in the future.
If there is a connection to the EU or the European Economic Area (EEA), it must be observed.
While German law in the BDSG is still based on the controller, the GDPR makes it sufficient for applicability if the cloud provider or customer has a branch within the EU or the EEA and personal data is processed.
The actual processing of the data does not have to take place within the Union.
The GDPR is even applicable if the data of a person residing in the EU is processed.
This means that the GDPR will also apply to foreign cloud providers in future, provided they are active on the EU market.
Cloud provider is responsible for data protection
If a processor (cloud provider) processes a customer’s data in the future contrary to the order placed, it is responsible for the processing and security of the data itself.
This can even lead to liability claims by the data subject.
If the cloud provider as processor discovers data protection breaches, it must report these to the customer (the client) immediately.
It is also subject to a comprehensive documentation obligation under Art. 30 para. 2 GDPR for all incidents relevant to data protection law.
In addition, the processor must appoint a representative responsible for data protection (data protection officer), Art. 37 para. 1 GDPR.
In addition, the processor must cooperate with the data protection authorities.
Cloud users are also subject to data protection regulations in the GDPR
However, the cloud customer also has extensive obligations.
If the cloud customer is also the controller in terms of data protection law, it must independently ensure the security level of the cloud provider and select it carefully.
In accordance with Art. 28 GDPR, the provider must provide sufficient guarantees to implement appropriate technical and organizational measures to ensure that the processing is carried out in accordance with the requirements of the Regulation and ensures the protection of the rights of the data subject.
Data protection certificates (Art. 42 GDPR) help customers to quickly identify reliable cloud providers.
Fines also possible for cloud customers
If the cloud customer commissions the same cloud provider to process their data again despite multiple notifications of data protection violations, they also face fines, Art. 83 para. 4 lit. a GDPR.
This is because the cloud customer is also responsible for the data they disclose.
If they fail to comply with their due diligence obligations, they are just as responsible for the data protection breach as the cloud provider.
In order to avoid such fines, the customer is entitled to monitor their cloud provider.
In addition, all instructions to the cloud provider must be documented in text form in future, Art. 28 para. 9 GDPR.
GDPR leads to more detailed data protection
The GDPR brings customers and providers even closer together when it comes to assuming responsibility for the protection of personal data.
As a result, the new General Data Protection Regulation ensures greater data protection in the area of cloud computing.
Contrary to the opinion of many that data protection is a brake on cloud computing, it is more likely to be a cornerstone for the expansion of services.