IT Security Made in Germany
In Germany there are good standards and concrete laws concerning data protection. Every German company must comply with these laws. The management is personally responsible for compliance and can be held accountable for it. When outsourcing your data to a cloud provider, the issue of data protection is therefore of particular importance.
Risks for the protection of your sensitive data
Due to the legal responsibility for the protection of personal data, you should be aware of the risks and specifically check your provider.
- As a company that outsources personal data to a cloud provider, you are responsible for ensuring that this provider complies with the German data protection laws.
- Foreign companies, even if their data center is located in Germany, are subject to the law of their respective country and may therefore be required to disclose data (e.g. the Patriot Act in the USA).
- Specific auditing requirements arise when you choose a cloud provider. You should also be aware of the problems that may arise when you have to take legal action and the provider's jurisdiction is located in a foreign country.
German law offers you the best protection
For you as a user of cloud services it is important to think about trust, transparency, where your data is stored and how it is protected against loss, misuse and spying by unauthorized persons. The German legal framework is very clear. Especially in the case of personal data (e.g. your customer information), the laws in Germany are particularly stringent. The handling of such data is clearly defined in the Federal Data Protection Act. Because personal and non-personal data are difficult to separate, a uniformly high level of data protection is recommended for all your data under the German legal situation.
Although the EU is now engaged, for example, in the promotion of cloud computing, the current privacy guidelines still leave many details open. And the Safe Harbor Agreement, which regulates the transfer of personal data from European companies to American companies, is a voluntary certification whereby once registered US companies are often no longer subject to compliance with data protection principles.
If you want to be safe, you have to check
If you want to take advantage of cloud computing without taking on compliance and security risks, you need to take a closer look at a number of aspects of your cloud vendor.
1. Data protection aspects
- To which national law is your provider subject?
- Where and how does the provider support you in your user responsibility under the Federal Data Protection Act (e.g. specific audit obligations pursuant to §§ 4b and 4c BDSG)?
- How does your provider handle commissioned data processing (correction, blocking, deletion of data, etc.)?
2. Control the cloud provider
- How can you check the technical and organizational measures of your supplier?
- What certificates can the provider provide (e.g. ISO certifications)?
- What is the security concept of the provider in detail?
3. Data encryption
- How is your data encrypted?
- What proportion of the data is anonymized or pseudonymized?
- How does the provider prevent the unauthorized access to your data?
The peculiarities of data protection in the cloud
Data processing in the cloud is not tied to a specific region. Although you as a cloud user have the right to be informed where your data is processed, you cannot prevent third parties from gaining access to your data under the Patriot Act, the Foreign Surveillance Act or judicial orders, even if the foreign provider's data center is located in Germany.
The decisive factor is not where the data is stored and processed, but the laws to which the cloud provider is subject. Current examples show that U.S. authorities repeatedly access personal data in Germany, which is why speculation about industrial espionage arises. Moreover, a data subject (e.g. one of your customers) may hold you, as the user company, liable under applicable German law if the cloud provider releases your data. In the case of a U.S. provider, for example, you are then forced to assert your rights abroad, with all the difficulties that U.S. jurisdiction entails.
We have summarized the most important comparison criteria in a checklist for selecting a cloud provider.
Do you still have questions about data protection and security in the ProfitBricks cloud? Then get in touch with us.