EuroCloud Guideline Law DP C

8/2/2019 EuroCloud Guideline Law DP C

1/34

GuidelinesCloud Computing

German Law, Data Protection& Compliance


2/34

2

Guidelines

Cloud Computing


1. Imprint

EuroCloud Deutschland_eco e. V.Lichtstrasse 43h

50825 CologneGermany

Tel.: +49(0)221 / 70 00 48 0Fax: +49(0)221 / 70 00 48 111E-Mail: [email protected]: www.eurocloud.de

Board: Bernd Becker (Chairman) Thomas von Blow (Deputy Chairman) Oliver J. Sme

Register of Associations:Cologne District Court VR 16215Seat of the Association: Cologne


3/34

3

Content

1. Imprint 2

2. Foreword 4

3. Introduction 6

4. Legal Requirements 7

5. Main Issues Pertaining to the Cloud Provider Selection 8

6. Main Parts to a Contract Regarding Data Protection 86.1 Form 86.2 Subject Matter of the Contract 86.3 Internat ional Data Processing

(Including Using Foreign Resources and Subcontractors) 96.4 Liabilit y 106.5 The Users Rights to Control 116.6 Technical Organisational Measures 126.7 Involving Subcontractors and Their Control 136.8 Term and Returning Data 15

7. Product and Industry Specific Particularities 167.1 Financial Serv ices 167.2 Telecommunicat ions Act 177.3 Accounting Obligation 177.4 Legal Obligation to Keep Records Under Commercial Law 187.5 Persons Subject to Officia l and Professional Confidences 18

8. Checklist Law & Compliance 20

8.1 Conclusion of the Contract and Contract Format 218.2 Effect for Subcontractor 218.3 Billing 218.4 Performance Disruptions 218.5 Contract Termination 218.6 Provider Insolvency 228.7 Compliance 22

9. Cloud Computing Glossary 26

10. Sources 28

11. Legal Notice 2912. Authors 31


4/34

4

Guidelines

Cloud Computing


2. Foreword

Dear Readers,

Innovation is the engine of an economy, and positioning for innovationis what fuels economic success. Cloud computing is clearly a major

trend and major evolutionary development of the Internet thatcustomers and suppliers alike stand to benefit greatly from in thefuture. Cloud computing signifies a dawn of a new age for the Internet,opening doors to an enti rely new world for how IT is utilised.When new innovative solutions are brought to market, particularlythose that distort and revolutionise an entire industry landscape,uncertainty often ensues. This uncertainty lies with new providers ofcourse, but particularly with those that purchase and use new serv icesthat emerge from a new environment. Services that emerge from thecloud are no different and face the same uncertainties.

Cloud computing is an especial ly attractive option for midsizedcompanies, often lacking the resources to individually test externalproviders, as it allows them to remain competitive and expand in areas,where previously they were unable. However, these companies st illoften do not have the sufficient resources or expertise to personallyexamine the potential legal implications for the use of cloud servicesand how their relationships with external providers in this area shouldoperate. The question is, how should cloud computing contracts w ithappropriate legal, data protect ion, provider, terms, be designed?

Initia lly, if appropriate, cloud services shall become offered and util isedtransnationally. However, the often widely discussed and undying issueof security of the Internet, is an equally concerning issue within thecloud. Uncertainty over security problems in the cloud are arguably

even more pertinent than the legacy concerns for the Internet as awhole, owing to the clouds in fancy. Technological requirements for asecure service delivery are therefore absolutely essential. However, theproviders partially prevail ing in Europe, do not always have clear, orbasic, framework conditions. A thorough audit is required for anational and European legal framework for a global serv ice deliveryfrom the cloud.


5/34

5

With the launch of the EuroCloud Deutschland_eco e. V. in February2010, a Legal Expert Group was set up to prepare for the sometimes

complex legal issues surrounding cloud computing. The aim was toprovide users and providers of cloud services gu idance in the areas law,data protection and compliance, and provide support. The results areevident in this guide, Cloud Computing: Law, Data Protection &Compliance.

The technical expertise that th is guide is based on, is also part of theneutral, independent certification EuroCloud Star Audit Software as aService, which EuroCloud Deutschland_eco e. V. began offering to themarket at the start of 2011.

We would like to thank the legal experts for the content and the eco- Association of the German Internet Industry team for helping co-ordinate the production of the guide.

Bernd BeckerChair man, EuroCloud Deutschland_eco e.V.Vice President EuroCloud Europe


6/34

6

Guidelines

Cloud Computing


3. Introduction

The association EuroCloud Deutschland_eco e. V. was founded in 2009as a nat ional organisation of the European EuroCloud network. With itsconnection to the eco Internet Association which has been in existencesince 1995, an ideal partnership for the support of cloud computing

issues was achieved. Cloud computing is a global issue and holds animportant status in the planning of future IT strategies.

Security and compliance are the two most important issues that standout from the many that exist. With the initiative SaaS Quality Sealand by working out the fundamentals of the legal background,EuroCloud has started important projects to improve the generalframework for a successful implementation of cloud serv ices indifferent areas (software, platform and infrastructure).

This guide is a basis for the correct classification of the legalrequirements and focuses on the area of Software as a Service as apublic cloud service. This has resulted in the emergence of specialrequirements pertaining to data protection, which schould alwaysapply to all SaaS applications.

The overview of topics is derived from the test criteria used by theEuroCloud SaaS Quality Seal which is a thorough test of Softwareas a Serv ice products, in terms of serv ice, data security, dataprotection, contract terms, and interoperabil ity.


7/34

7

4. Legal Requirements

A main concern under Law and Compliance in cloud computingis data protection. The guideline looks at issues particular to dataprotection that arise from contractual agreements between userand provider.

The data protection guidelines become relevant when personaldata such as customer data or employee data are af fected.What needs to be considered is the fact that personal datais defined very broadly in the German Federal Data ProtectionAct (Bundesdatenschutzgesetz - BDSG). All data that relates toan identified individual, or to an individual that can be identifiedby providers, users, or thi rd part ies, is defined by the dataprotection authorities as personal data. In practice there willonly be a small number of applications that do not at least partlyprocess personal data.

Contracutal issues (governed by civil law) pertaining to SaaSservices, including for instance service levels, liability limitationsand termination provisions are not part of the followingelaborations.

The following are guidelines on implementing data protectionrequirements (section 11 of the Federal Data Protection Act) incontracts between providers of SaaS / cloud computing and theircustomers. These guidelines relate mainly to specific dataprotection issues around cloud computing, offering differentapproaches to cloud spacific compliance for the processing ofpersonal data.

To begin with, the following must be considered:The customer remains responsible for the legality of the processingof data with in the framework of using the cloud computingservices, according to section 11 of the Federal Data ProtectionAct. The customer may only use the serv ice to process personaldata to the extent he was allowed to process such personal databefore using such a serv ice.

Signing an agreement pertaining to data processing as a basisfor data protection is also necessary when the cloud computingapplication is only being tested. In order to avoid the cost and ef fortof such an agreement, there is the option of performing

tests without using real data.

In cloud computing, the

user, therefore the customer,is responsible for the lawful

processing of data (section11 of the Federal Data

Protection Act)

Even when a cloudcomputing application isonly tested, a contract mustbe entered into with the

provider when real data isprocessed.


8/34

8

Guidelines

Cloud Computing


German data protection authorities see cloud computing and SaaSsolutions with a critical eye and foresee some problems, especiallyin the areas of control and instructions by the customer, technicalmeasures, data processing locations, using subcontractors andusing data centers outside of the European Economic Area.However, even German data protect ion authorities do not

completely reject cloud computing and SaaS. The guidelineprovides practical solutions that are currently considered for dataprotection specific problems and are seen by the authors of theguideline as appropriate.

5. Main Issues Pertaining to the Cloud Provider Selection

The customer must carefully select the provider and mustbe satisfied before the data processing begins (and regula rlythereafter) that the provider takes and respects appropriatetechnical and organisational measures.

In practice, that means that the user must have a look at theprovider before an agreement is signed and ascertain that theprovider is the appropriate one in order to fulfil its legal obligationto carefully select the provider. This process can be easier if theprovider fulfils the standards of a quality seal or has anoutstanding reputation.

6. Main Parts to a Contract Regarding Data Protection

6.1 FormA valid contract requires the wr itten form. In practice, this means

that the contract is signed by hand by both customer and provider,or qualified electronic signatures are used.

A possible option for concluding an onl ine contract if the strictrequirements of a qualified electronic signature are not fulfilled:Upon request, the customer receives, without undue delay, awritten contract signed by a person authorised by the provider,which is identical to the online contract. It may be clarified thatrights and obligations (for example payment of fees) arising fromthe contract remain valid even without a written contract.

6.2 Subject Matter of the Contract

The type of service must be roughly described. As far as thehandling of personal data is concerned, detailed descriptionsare needed (for example hosting, operation, maintenance and

The customer is requiredby law to carefully select the

provider.

After the contract isconcluded, the customer

must regularly check if theprovider is complying with

the necessary technical andadministrative measures.

The contract must be in

writing, concluding acontract online withqualified electronic

signatures is possible.


9/34

9

enabling online access to a certain application, data migration).With regard to parameter isation and customising, it needs to bedistinguished whether this is taking place before or after thepersonal data is entered.

When draf ting the agreement in practice, the legal obligation to

establish what data wil l be processed (section 11, paragraph 2,page 2, number 1 of the Federal Data Protection Act) is fulfil ledtogether with the obligation to stipulate the extent, the type, andthe purpose of the intended collection, processing, or use of data,the type of data and the affected persons (section 11, paragraph 2,page 2, number 1 of the Federal Data Protection Act).

As long as the functional description, or the providers generaldata protection information, shows which data, and how thisdata, is collected, processed and used within the framework ofthe part icular application, a reference may be made to thesedocuments. An individual description of the services with regardsto how the personal data is handled would be preferable howeverwith cloud offers this is often not part iculary pragmatic.A mere reference to the exist ing (and possibly customer tested)application, or to online user manuals, however, is insufficientas this can be unilaterally changed by the provider. This may beassessed differently if the particular version is explicitly notedand documented.

The following aspects should be examined closely:Clari fy ing if, and possibly how, special types of personal data,according to section 3 paragraph 9 of the Federal Data ProtectionAct, are col lected and/or used. Special types of personal data areclassified as information on race and ethnic background, political

opinion, religion and philosophical convictions, union activ ity,health or sexual life. When such data is processed advice shouldbe sought on a case by case basis.Description of third part ies, which can have access to data(through interfaces, as maintenance companies, subcontractorsetc.).Clarifiying that data can be deleted at any time at the requestof the user and how this takes place.

6.3 International Data Processing (Including Using Foreign Resourcesand Subcontractors)The Federal Data Protect ion Act privileges commissioned data

processing by inputting the data processing of the contractor tothe client and waiving the requirement of a permissive rule fortransferring data to the contractor. This beneficial exemption

If personal data isaffected, the type of servicemust be described: hosting,operation, migration ofdata?

Customising: Does thistake place before or after thetransfer of personal data?

Is personal dataprocessed? If yes, how?

What third parties haveaccess to it?

Note, that data can be

used at any time on requestof the client.


10/34

10

Guidelines

Cloud Computing


however, only applies if the service provider is based in the EU orin the EEA (section 3, paragraph 8, and page 3 of the Federal DataProtection Act). For commissioned data processing by ser viceproviders in such third countries i.e. outside the EU or the EEA or an actual processing of personal data in such a th ird country,additional requirements have to be met before a transfer of data to

such a third country can take place:

The obvious option is to use the standard contract issued by theEuropean Union, the so called standard contract clauses for dataprocessing. Even though this contract does not have the same effectas a commissioned processing of data, as defined in the FederalData Protection Act, it tr iggers the application of the samerequirements for data transfers to third country recipients as itdoes for data transfers within the EU or the EEA.

However, German data protection authorities are demanding anaddendum to this standard contract to include the contractualstipulations as required by sect ion 11, paragraph 2 of the FederalData Protection Act. This proves problematic as changes to the EUstandard contract would lead to a loss of the effect described above(according to which international transfers are subject to the samerequirements as transfers within the EU or the EEA). Theimplementation of these additional German requirements musttherefore take place in a way that merely adds them to the(unchanged) EU Standard Clauses without limiting, direct ly orindirect ly, the provisions of the standard contract. This way all therequirements would be fulfilled.

6.4 LiabilityIn the interest of the provider, the fundamental data protect ion

responsabilities (the serv ice provider is only the contractor,whereas the user is the customer and has the main responsibility,i.e. as if the customer would process the data by itself) are clarifiedin the contract and the user comits to only use the applications in away that is compliant with data protect ion laws.

In the interest of the user, the contract should clari fy that the useralone is in charge of outside communication even in cases of dataprotection security breaches and the provider, however, mustimmediately inform the user in detai l about any data protectionand/or secur ity breaches.

The provider should encourage the user to clearly communicate toany affected external parties that the user is exclusively liable forclaims raised by the affected individuals, especially if they request

Customer data can only bereadily processed by

contractors (companyaccepting the order) located

in the EU or the EEA.

The responsibilities

pertaining to data protectionmust be clearly defined in

the contract.


11/34

11

information, correct ion or deletion of their data.

According to section 3, page 2 of the Federal Data Protection Act,the provider shall inform the user immediately if the providerconsiders a customer instruction as incompliant with dataprotection regulations. This provision wil l not play a very

important part in the practice of cloud applications. The providersupplies the user with a standard application that rarely involvesspecial instructions for the user from the provider in regard tohandling personal data. However, it makes sense to clarify in thecontract that the provider, in this case, will indicate that such aviolation is taking place, however, that the provider will not carr yout legal examinations and, in doubt, will stil l have to carry outthe users instruction. Visibly illegal instr uctions must in no casebe carr ied out by the provider.

6.5 The Users Rights to ControlThe provider must grant the user control rights. That means thatthe user must have the r ight to control via the provider even onlocation how the data processing is handled and what protect ionmeasures are taken, or have such controls performed by a thirdparty. This applies to all locations where data is processed. Inpart icular, if there are several, and distant, locations, an auditperformed by a third party, such as within the framework of acertified, possibly standardised audit, would be an option.However, the data protection authorities (at least currently) aredemanding that the user at least has the right to carry outindividual audits. This should be regulated in the contractaccordingly.

Above and beyond this control r ight, the user should also demand

that the provider shall supply the data necessary for an audit andotherwise contribute appropriately to the auditing process. As arule, the audits could be limited to business hours and a priorappointment. Typically, an appropriate audit can only actua lly becarr ied out under these conditions.

Moreover, if relevant, audits carr ied out by supervisory authoritiesshould be contractual ly regulated as well.

Since this is a legal obligation to design commissioned dataprocessing contracts, it does not make sense for the provider toreject such requirements. The provider should rather offer users

appropriate standard procedures. However, the law does notstipulate that the support offered by the provider must be offered atno cost. So for a fair balance of interests, it may make sense to

The customer must reservethe right to perform checkson the contractor.


12/34

12

Guidelines

Cloud Computing


regulate that the user carries the cost for an effort that goes aboveand beyond a certain level.

6.6 Technical Organisational MeasuresA legal requirement pertaining to the content of the contract forcommissioned data processing is the stipulation of technical

organisational measures to protect the processed personal data.The attachment to section 9 of the Federal Data Protection Act laysout which aspects must be regulated.

That means, a specific security concept meeting the actualrequirements of the situat ion must be laid out in a contract thatdescribes the providers obligations. Abstract or generaldescriptions are insufficient; they must be specific to an extent thatit is made clear which measures are being taken. These measureshave to secure an appropriate level of protection, it beingunderstood that for the eva luation of the adequacy of suchprotection measures, the actual processed personal data needs tobe taken into account.

In practice the provider can create a security concept for its serv icethat is then audited by the user and thereaf ter reflected by anappropriate contractua l requirement. However, it is obvious thatwith standard SaaS or cloud offers an audit car ried out by theuser cannot result in specific user requests to be honored by theprovider. The user is obligated to check if the security conceptfulfils the data protection requirements and is in line with thesensitivity of the data before data is t ransferred to the provider.

The security concept has to be continually updated to match thetechnical development in order to maintain the level of protection.

Both user and provider are legally obligated to respectful lymainta in this level of protection.

The user must verify before the data processing has star ted, thatthe provider has taken adequate technical-organisational measuresin compliance with the Federal Data Protection Act. In the interestof both parties this can take place after the conclusion of thecontract, i.e. the final selection, as long as the audit takes placebefore the beginning of the actua l data processing. In practice thismeans that the necessary measures must have been obviouslyclarified at the conclusion of the contract.

Technical / administrativemeasures pertaining to the

protection of personal datamust be contractually and

clearly defined.


13/34

13

It is not mandatory to veri fy compliance with these requirements atthe location of the provider. This can also be achieved if theprovider produces respective certificates, audit results or providerstatements. The higher the need for data security from the point ofview of the affected individuals (to whom the data relates to), themore thorough the verification of compliance should be.

After the initial verification this process has to be repeatedregularly. This should be clarified in the contract. A specific timeschedule is not set forth in the law. The appropriate schedule forverifications of the technical and organisational safety measures istherefore to be determined according to the sensitivity of the data(from the point of view of the affected indiv iduals). In any case, averification must take place when there are doubts that theprotection measures are not being fulfilled by the serv ice provider.

Moreover, legally, it is crucial that the verification process is welldocumented. The result of the respective verification has to bedocumented by the user. What must be documented is that theverification took place and the result.

The Federal Office for Information Security (Bundesamt frSicherheit in der Informationstechnik BSI) has published a draftBSI Minimum Requirements for Cloud Computing1, lastupdated 09.27.2010. The final version will be a recommendation.However, please note that th is recommendation is not binding l ikea law. However, it wi ll have an indirect legal relevance as aminimum standard for the understanding of open terms used insection 9 of the Federal Data Protect ion Act. The developmentsmust therefore be followed closely.

6.7 Involving Subcontractors and Their ControlThe Federal Data Protection Act requires the contract forcommissioned data processing to deal with the optional right toretain subcontractors. A subcontractor would be an entityretained by the provider that cannot be excluded from accessingthe data processed for the user. A transfer of data directly to thesubcontractor is not necessary. Access by way of remote data entr yor remote data maintenance is suf ficient. Moreover, it does notmatter if the subcontractor is supposed to process the data, butrather if the subcontractor can actual ly access the data.

1 See 10.2 Cloud Computing und Compliance, page 30


14/34

14

Guidelines

Cloud Computing


The law requires only contractual rules on whether or not theprovider may retain subcontractors. However, such a simpleprovision is not in line with the users data protectionrequirements and it is also not understood in such narrow termsby the data protect ion authorities.

In practice, to satisfy both the providers and the users needs,it may be feasible to distinguish between categories ofsubcontractors. Therefore, certa in categories would requireprior approval, whilst in other categories, the involvement ofsubcontractors can take place without special approval as longas certain defined requirements are fulfilled. Regardless, thecustomer must be informed about the subcontractor and thesubcontractors activity.

The obligation to inform can be simplified if the providermainta ins an access-protected list of subcontractors online, whichthe user can view and the customer can be notified of changes tothe list by email. The list contains the name and address of thesubcontractor and a short description of the services delivered bythat subcontractor. The customer can request that the providerdisclose the terms of the contract with the subcontractor that relateto data protection.

Retaining subcontractors is only admissible if the subcontractorwarrants the same level of data protection that is agreed upon inthe contract between the user and provider. As a result, thecontracts between providers and subcontractors have to ensure thesame level of protection as the contract between providers andcustomers, especially with respect to technical and organisationalsecurity measures. The provider should ensure this in its own

interest in order not to fall into the gap between strictcommitments given to the user and less strict obligations of itssubcontractor.

When retaining subcontractors, the user should be aware that itremains l iable for the services provided by a subcontractor in thesame way as it does for its own performance.

The provider has to contractually ensure that it has the samecontrol rights in relation to the subcontractor as thosecontractually afforded to the user.

The possible hiring ofsubcontractors must becontractually defined.


15/34

15

6.8 Term and Returning DataThe term of the contract must also be specified. In th is respect,no cloud specific issues arise. There is no need for a fixed term.The contracts can run indefinitely with the option to give noticeof termination.

If the provider gives the customer data migrat ion support, theperiod of migration also belongs to the term of the commissioneddata processing relat ionship.

The contract must also provide rules with respect to thereturning of personal data upon contract termination in relationto section 11, paragraph 2, page 2, number 10 of the Federal DataProtection Act.

The two basic scenarios are the transfer of data back to the user(and subsequent deletion from the providers systems) or the meredeletion of data by the provider. The contract has to provide for anexit scenario without additional charges. Even after termination ofthe contract for the commissioned data processing, the contractshould ensure that the data is handled in a way compliant withdata protection requirements until the provider has actual lydeleted all personal data.

Already, when concluding the contract, the user should define itsrequirements for the return of data so as to enable the switch toanother service provider or reintegrat ion, e.g. requirements for ameans of transmission (for example per sftp) and data form, or ifexplanations pertaining to the data structure will be necessary.

Besides this issue which is a lso cost sensitive the provider

needs to define the point in time at which it will be able to deletethe data i f the user ceases to pay or becomes insolvent.

The contract must definethe term and must definehow data is returned.


16/34

16

Guidelines

Cloud Computing


7. Product and Industry Specific Particularities

Special requirements may arise in certain cases e.g. for customers:from the financial services industry (section 25a of the GermanBanking Act, principles of computer based bookkeeping -GoBS -,section 20 of the Payment Services Supervision Act ZAG-),

from the telecommunications sector(Telecommunications Act TKG-)who mainta in official and professional confidences (section 203German Penal Code: physicians, attorneys, life, health or casualtyinsurers),who process tax related data (sections 146, 147 of the German TaxCode AO-, the principles of data access and verifiability of digita ldocuments GDPdU-, section 41 of the German Income Tax ActEstG-).

7.1 Financial ServicesThe issues particular to the financial sector are briefly touchedupon here but cannot be reviewed in a comprehensive manner:Section 25a, subsection 1 of the German Banking Act includesgeneral business management obligations for credit institutions.Section 25a, subsection 2 of the German Banking Act defines theseobligations in more detail in cases when activities and processesessential to the carrying out of banking business, financialservices or other institut ion services are outsourced to anothercompany.

For financial institut ions in the sectors of securities, funds, andinsurances, similar regulat ions apply as regulated in section 33 ofthe German Securities Trading Act WpHG-, section 16 of theGerman Investment Act InvG-, and section 64a of the Insurance

Regulatory Act VAG-.

Therefore, each individual case must be scrutinised to see if thecloud transferred tasks and processes are essential according tosection 25a, subsection 2 of the German Bank ing Act and to see ifthey fal l under the concept of outsourcing. If that is the case, a lsopursuant to section 25a, subsection 2 of the German Banking Act,appropriate data protect ion measures must be taken as well asexcessive additional r isks avoided (for example carefully selectingthe cloud provider, monitoring the service, determining methodsfor the evaluation of the service as well as emergency planning.)


17/34

17

7.2 Telecommunications ActFrom the perspective of the data protect ion authority, the cloudservice option has other limitat ions in the telecommunicationssector. Sections 95 ff of the Telecommunications Act is based onthe principle that a transfer of personal data, user data and trafficdata is only admissible with the consent of the person concerned.

Consent from the person concerned is out of the question. Thereis the alternative of the concept of processing personal data onbehalf of others (section 11 of the German Data Protect ion ActBDSG). This, however, is limited to the EU and EEA countriesaccording to section 3, subsection 3 of the German Data Protect ionAct. Stepping over these limits is problematic in terms of cloudservices. Moreover, the argument could be made that section 92of the Telecommunications Act draws a further line by limit ingthe scope of data processed on behalf of others pursuant tosection 11 of the German Data Protection Act to renderingtelecommunications services, generating and mail ing invoicesas well as combating f raud. In legal terms it is argued whethersection 92 of the Telecommunications Act actually contains sucha delimitation as it is only supposed to clarify the areas ofapplication of section 11 of the German Data Protection Act.

7.3 Accounting ObligationWhen tax related data is used by cloud providers, sections 146 ffof the German Tax Code must be considered. Section 146 of theGerman Tax Code says that tax related books and notations mustalways be maintained and kept in the origina l inside the country.The relocation to a foreign cloud has previously only been possibleas an exception on the basis of approved facilitation pursuant tosection 148 of the German Tax Code or by virtue of toleranceshown by pragmatic fiscal authorities.

In the past, however, both scenarios have been handled by thelocal fiscal authorities in very di fferent ways. That changed on01.01.2009. According to subsection 2a added to section 146 ofthe German Tax Code on 01.01.2009, the relevant fiscal authority,upon request, can approve electronic bookkeeping to be done inan EU member state or in an EEA member state by way of anadministrative assistance agreement if the foreign fiscal authorityhas given its consent and if the German fiscal authority is grantedaccess pursuant to section 147, subsection 6 of the German TaxCode. However, what remains to be seen is if the new regulationhas improved the situation. On one hand, as expected, the first

mentioned prerequisite created problems in practice. On the otherhand, the regulation represents a solution for cloud services onlyfor clouds inside the EU/EEA.


18/34

18

Guidelines

Cloud Computing


In view of the explicit regulation in sect ion 146, subsection 2a ofthe German Tax Code, the question arises whether the solutionspreviously used in practice (facilitation according to section 148of the German Tax Code, tolerance see above- ) will remain anoption, or if the fiscal authorities wi ll see sect ion 146, subsection2a of the German Tax Code as a final specia l provision and if that

will hinder global clouds.

At any rate, the obligation to show and keep detailed operationdocumentation available at all times pursuant to section 147 of theGerman Tax Code remains.

The problem arising in th is context is the actual avai lability ofdata. Regulat ions for audits should therefore be agreed upon withthe cloud provider.

7.4 Legal Obligation to Keep Records Under Commercial LawAccording to the Code of Commercial Law (HGB) every businessmust keep records of transact ions for a period of ten yearspursuant to section 238, subsection 1 of the Code of CommercialLaw. This is also possible in an electronic format on data storagedevices and in clouds pursuant to section 257, subsect ion 3, of theCode of Commercial Law (HGB). Under commercial law there is noobligation to keep records inside the countr y. According to section257, subsection 3, number 2 of the Code of Commercial law,however, the electronic records must be made available for readingwithin a reasonable time period.

7.5 Persons Subject to Official and Professional ConfidencesIn sectors with specia l obligations of secrecy pursuant to section203 of the German Penal Code (for example in the sector of legal

counsel, in the health sector, health, casualty and life insurance)the admissibility (and therefore culpability) of outsourcing to thirdpart ies, for example cloud providers, is controversial. The centra lstarting point for admissibility is the interpretation of theassistant concept in section 203, subsection 3, page 2 of theGerman Penal Code since a transfer without the consent of the datasubjects is (only) admissible to assistants.


19/34

19

According to the traditional interpretation such assistants are notpeople who are self employed. Therefore, cloud computing in thesense of section 203 of the German Penal Code could hardly bepossible. It would be more appropriate not to define an assistant bythe self employed characteristic but rather to establish i f theperson/entity holding the primar y obligation of secrecy maintains

control over the provided data. The criteria of section 11 of theData Protection Act could be evaluated for this purpose. Thatintegrates the third party into the scope of informational self-determination and can be v iewed as someone who is part of thecircle of people privy to information. Prohibiting such anoutsourcing is therefore not advisable when the strict cr iteria ofsection 11 of the Data Protection Act are respected before theprotection of section 203 of the German Penal Code. However, it isnot yet clear if the admissibility is legal ly binding.


20/34

20

Guidelines

Cloud Computing


8. Checklist Law & Compliance

Following the EuroCloud SaaS Quality Seal, the most importantquestions pertaining to the contract format are listed. Providersreviewed, according to these guidelines, fulfil the basic requirements

necessary to of fer cloud serv ices in conformity w ith the law.

Currently there are already a variety of professional and securesolutions. The quality seal wil l offer providers the important helpnecessary to win the trust of users with fair terms.There must be a clear disassociation from providers who take the bareminimum route as the user can only find out about the real deficits withgreat effort and, in the worst case scenario, only after things haveescalated.

The following categories are targeted by the quality seal:

Provider ProfileContract and ComplianceSecurityInfrastructure OperationsOperationsApplicationImplementation

A prov ider can achieve qualit y levels f rom one to five stars v ia apoints system and minimum criteria.

As opposed to other init iatives, whereby on ly parts of the wholepicture are taken into considerations or the information provided

is not cross checked and is seen as voluntary, the SaaS Quality Sealis granted only af ter the provided information has been validatedand the validation repeated at agreed upon time intervals in orderto have concrete proof of the validity of the informat ion. Moreover,the providers make a commitment to immediately report significantchanges to the f ramework conditions (for example place of servicerendered, changes to subcontractor agreements) as well as criticalincidents.

The SaaS Quality Seal will be officially awarded starting at thebeginning of 2011 and a number of providers are currentlypreparing for the certification.


21/34

21

8.1 Conclusion of the Contract and Contract FormatHow is the contract concluded?

Online In written form

Can the customer insist on a writ ten contract?8.2 Effect for Subcontractor

Did the provider commit the subcontractor to the same obligationsthat the provider has to the user?

8.3 BillingIs the use of serv ices billed at a flat rate t ime-dependent?

Is the use of serv ices billed on consumption calculated?Are there quantity discounts/different prices depending on theamount of used serv ices?Can the provider change their prices in cases when the usagevolume changes significant ly?Is there a best price option?

Is an optional flat rate or per user flat rate of fered?

Are there specia l ser vices bi lled separately?

If yes, which

8.4 Performance DisruptionsProvider or Subcontractor Performance Disruptions

Are damages regulated in case of performance disruptions?

Disagreements Over Performance / Payment DefaultIs a right to user data retention or performance refusa lcontractually excluded?In case of disagreements over performance or payment default,is it excluded that the provider delete the data without the userspermission?

8.5 Contract TerminationWhich periods of notice are defined for the provider and the user?

Is there a non-exhaustive lis t of possible termination reasons?


22/34

22

Guidelines

Cloud Computing


Is termination for an important reason possible?If yes, for who?

User Provider

Why?

Subcontractors contractually regulated?

Does the user have a special termination right if the providerswitches important subcontractors?

Are there rules pertaining to the part icipation of the user in theprocess of data provision after the termination of the contract?

8.6 Provider InsolvencyAre there rules in place to protect the user data and the availabilit yof the application in case of provider insolvency?

Source Code Deposit?Is the software bound to a certain platform?Does the user have a right to demand the last data backup anddocumentation?

8.7 ComplianceGDPdU2 (Principles of Data Access and Verifiability of DigitalRecords) Relevance

Are applications operated as SaaS bound to GDPdU (Principlesof data access and verifiability of digital records)?

a) Does the application include the processing of electronicbilling?

b) Within the scope of the application, is there data that is

processed that flows directly into the accounting of theprovider?

GDPdU (Principles of Data Access and Verifiability of DigitalRecords) Ability

If applications are operated as SaaS bound to GDPdU:are the users obligations towards the tax authority supported bythe provider?

If a): Are the guidelines regarding the signature va lidationand billing storage transcribed in the original and in thein-house format?If b): does the application offer the option of data access in all

three prescribed types of access (Z1, Z2, Z3)?

2 Grundstze zum Datenzugriff und zur Prfbarkeit digitaler Unterlagen


23/34

23

If b): does the role concept of the application offer an auditorrole who has been assigned the read access of the outsideauditor?If b): is the tax relevant data identified within the application?For a) or b) Does the provider deliver adequate procedure

documentation?For a) or b) AND when an archiv ing system is used for ageddata: Does the archiv ing system have the same access andprocessing options as the productive system?

Data Protect ion RelevanceIs personal data in the sense of the Federal Data Protect ion Actprocessed within the application?

ONLY IF YES, please answer the following questions.

Please note that the term personal data as worded in the FederalData Protect ion Act i s very broad. All data that is related to aperson (ident ifying data) or data that can be used by the user,provider or a third party to identi fy a person i s data defined by thepoint of view of the data protection authority as personal data.In practice, there are only very few IT and cloud applicationsprocessing data that is, at least partially personally identifying.

Data Protection OrganisationDoes the provider have a data protection officer who is avai lableto the user as a contact person regarding a ll data protectionissues pertain ing to the provider and his subcontractors?Are the employees of the provider obligated to maintain dataconfidential ity according to sect ion 5 of the Federal Data

Protection Act?Has it been sett led who will be the contact person for the userscustomers pertaining to data protection?

Are rules defined as far as the correction, deletion andblocking of data where the request of an affected par ty isconcerned?

Provider and Subcontractor SelectionDoes the provider offer sufficient information about hiscompanies and subcontractors in order to enable the user tomake an informed provider selection according to section 11,page 1 of the Federal Data Protect ion Act?Are the names of the subcontractors disclosed?


24/34

24

Guidelines

Cloud Computing


Level of Data ProtectionIf relevant, is there an adequate level of data protection outsidethe EU pertaining to participating subcontractors, for examplethrough an EU standard contract or safe harbor regulation?Does the option exist to l imit the locations of data storage to

Germany or the EU, and if so, is it dictated by legal or authorityrequirements?

Commissioning and Right to Give InstructionsAre the responsibilities between provider (fundamental dataprotection responsibility) and user (implementation ofinstructions, technical protection measures) clearly defined?Is the scope of the data processing order sufficiently and clearlyspecified? In particular:

Is the serv ice described in broad terms? Does the descriptiondocument the scope, time and purpose ofthe intended collection, processing or usage of data,the type of data and the circle of affected par ties?Is the duration of processing and the deletion of data exactlydefined?Is a provider scope in decision making pertaining todata processing excluded?Is it documented if, when and how special types of data,with regards to section 3 of the Federal Data Protection Act,are collected, processed or used?

Is the users right to give instruct ions clearly defined?

CommunicationIs a ru le of communication established in case the usersinstructions violate data protection from the point of view of the

provider?Is it defined what situations have to be reported to the providere. g. personal data protection v iolations caused bythe user or his employees or violations of the agreement?

The Implementation of Technical and Organisational DataProtection Measures

Does a documentation concept exist to implement technical andorganisational measures as required by the addendum of section9 of the Federal Data Protect ion Act?Does the user have to agree to th is concept and possible changesto the concept?


25/34

25

Options for the User to Exercise ControlAre there any rules pertaining to control rights of the user and tothe respective tolerance and part icipation obligations of theprovider, especially:

Have a users control rights, and / or the control rights of a

third party commissioned by the user, been expressly agreedupon at the location of the provider or one of hissubcontractors?Are there (cumulative or as an alternat ive to user controls)regular controls/audits and cert ifications in place that controland certi fy the providers data protect ion obligations to theuser?Is there a regulation pertaining to the participation of theprovider and the connected cost?

Data Deletion at the End of the ContractAre there rules in place pertaining to the deletion of data and thereturning of data after the termination of the contract?

Is it warranted that the data is actual ly deleted when the userrequests it?


26/34

26

Guidelines

Cloud Computing


9. Cloud Computing Glossary

Cloud ComputingCloud computing is a model for enabling convenient, on-demandnetwork access to a shared pool of configurable computing

resources (e.g. networks, ser vers, storage, applications, andservices) that can be rapidly provisioned and released withminimal management effort or service provider interaction.(Definition: NIST; National Institute of Standards and Technology,USA).

The dif ferent elements of cloud computing are of ten depicted withthe help of the SPI model which illustrates the three service levels,infrastructure, platform and software:

The levels are built on each other however the lower levels can beused independently.

Public CloudIT-services are offered by the cloud provider and can be used byanyone over the Internet.

Private CloudIT-services are drawn f rom ones own computer center. All servicesand infrastructure are under the control of an institution. Thecloud may be managed by a third party. The services are accessedeither over the Internet or over a VPN (Virtual Private Network).

Hybrid Cloud

A mix between a public cloud and a private cloud.


27/34

27

Federated CloudHybrid cloud with special security technology from trustworthyservice providers in the area of identification and encryption.

Infrastructure as a Service

Providing computing and storage capacity as a service.

Platform as a ServiceProviding middleware as a service

Software as a ServiceProviding applications as a serv ice.

X as a ServiceProviding additional functions such as business operations,networks, communication and others as a serv ice.


28/34

28

Guidelines

Cloud Computing


10. Sources

Legal TopicsWeichert, Cloud Computing und Datenschutz, DuD 2010, 679, 679

Niemann/Paul, Bewlkt oder wolkenlos rechtliche

Herausforderungen des Cloud-Computing, K&R 2009, 444

Niemann/Hennrich, Kontrollen in den Wolken?Auftragsdatenverarbeitung in Zeiten des Cloud Comput ings, CR2010, 686

Niemann, Cloud Computing & Recht, Deutscher Anwaltsspiegel,Ausgabe 08/2010, 14

Bierekoven, ITRB 2010, 42

Pohle/Ammann, CR 2009, 273

Bergmann/Mhrle/Herb, Datenschutzrecht, 40.Ergnzungslieferung November 2009, 11 BDSG, Rn. 15a

Cloud Computing und ComplianceENISA Cloud Computing Risk Assessment:http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment

BSI Eckpunktepapier Cloud Computing:https://www.bsi.bund.de/ContentBSI/Presse/Pressemitteilungen/Cloud_Computing_28092010.html

Order Data ProcessingIt is advised to have a special privacy policy to accompany thecontractual arrangements. A similar template is available fromthe company for Gesellschaft fr Datensicherheit und Datenschutze. V. (Data Security and Privacy e. V.):

https://www.gdd.de/nachrichten/news/neues-gdd-muster-zur -auftragsdatenverarbeitung-gemas-a7-11-bdsg


29/34

29

11. Legal Notice

1. GeneralThe information provided in this guideline is meant to illustratethe legal frame conditions for cloud computing, but it is not to beregarded as legal counsel and cannot replace legal counsel as such

counsel requires knowledge of all particulars especially theparticulars of each individual case.

2. Guideline ContentsThe publisher/the authors assume no liability for the providedinformation to be complete, correct or up to date. This part icularlyapplies to developments pertaining to jurisdiction or legislativechanges. Liability claims against the publisher/authors pertainingto material or non-material damage arising from the use or disuseof the provided information or arising from the use of erroneousand incomplete information are excluded unless the publisher/authors have verifiably acted deliberately and grossly negligent.

3. Notices and LinksFor direct or indirect references to content derived from othersources such as links that are outside the area of responsibility ofthe publisher/the authors, liability would exist exclusively in thecase that the publisher/the authors have knowledge of the contentsand it is technically possible and reasonable to prevent the usage ifthe content is il legal. The publisher/the authors hereby declare thatat the time of linking there were no visible illegal contents on thepages to be l inked. The publisher/the authors have no influenceover the current or future format, contents or copyrights of thelinked pages. They expressly disassociate themselves from allcontents on all linked pages that were changed after the links were

added. The provider of the linked page alone is liable for illegal,erroneous or incomplete contents and especially for damagearising from the use or disuse of such information; the partymerely referencing to a publication by adding a link is not liable.


30/34

30

Guidelines

Cloud Computing


4. CopyrightThe copyrights of contents illustrated on th is website such as texts,graphics or pictures are protected under the German copyrightlaw. Any use prohibited under copyright laws requires the priorapproval of the publisher. Third party segments are marked assuch. This pertains particularly to copying, processing,reproducing contents in data bases or other electronic media.

Unauthorised copying or disclosing individual parts of theguideline or the entire guideline is prohibited. The exception is theindividual/private use; the private use does not include the right tocirculate to third par ties. The same applies to publications andother work.


31/34

31

12. Authors

Attorney Dr. Jens EckhardtJUCONOMY Lawyers,Dusseldorf

Rdiger GiebichensteinKPMG AG Accountancy Firm,Cologne

Attorney Dr. Thomas HelbingHelbing Law Firm, Munich

Attorney Dr. Marc Hilber LL.MPartner Oppenhoff & Par tner,Cologne

Attorney Dr. Fabian NiemannPartner Bird & Bird LLP,Frankfurt

Andreas WeissDirector EuroCloudDeutschland_eco e. V.


32/34

32

Guidelines

Cloud Computing


Notes


33/34

33


34/34

EuroCloud Deutschland_eco e. V.Lichtstrasse 43h50825 CologneGermany

Tel.: +49(0)221 / 70 00 48 0Fax: +49(0)221 / 70 00 48 111

E-Mail: [email protected]: www.eurocloud.de

Documents

EuroCloud Guideline Law DP C