Data protection when using cloud services: what startups need to know

Cloud services offer start-ups numerous advantages such as flexibility, scalability and cost efficiency. However, the use of cloud services also entails considerable data protection challenges. This article highlights the most important aspects of data protection law that startups need to consider when using cloud services.

Legal framework

Data protection when using cloud services is primarily regulated by the General Data Protection Regulation (GDPR). Central aspects are:

1. Lawfulness of the data processing (Art. 6 GDPR)
2. Order processing (Art. 28 GDPR)
3. Technical and organizational measures (Art. 32 GDPR)
4. International data transfers (Art. 44 et seq. GDPR)

Responsibilities when using the cloud

When using cloud services, the startup is usually the controller within the meaning of the GDPR, while the cloud provider acts as a processor. This has important consequences:

1. The startup remains responsible for compliance with data protection regulations.
2. A data processing agreement (DPA) must be concluded with the cloud provider.
3. The startup must monitor the cloud provider’s compliance with data protection regulations.

Data processing agreement (DPA)

The DPA is a central element in the data protection-compliant use of cloud services. It must regulate the following points in accordance with Art. 28 para. 3 GDPR:

1. Object and duration of processing
2. Nature and purpose of processing
3. Type of personal data and categories of data subjects
4. Obligations and rights of the controller
5. The processor is bound by instructions
6. Obligation of confidentiality
7. Technical and organizational measures
8. Regulations to support the person responsible
9. Dealing with sub-processors
10. Deletion or return of data after the end of processing

Many cloud providers make standardized AVVs available. These should be checked carefully and adapted if necessary.

Technical and organizational measures

Startups must ensure that the cloud provider has implemented appropriate technical and organizational measures (TOMs) to ensure a level of protection appropriate to the risk. Important aspects are:

1. Encryption: both during transmission and when storing the data
2. Access control: Strict regulations and procedures for accessing data
3. Availability control: Measures to ensure the availability of data
4. Separation control: Separate processing of data from different clients
5. Pseudonymization: Where possible, data should be pseudonymized

Startups should carefully check and document the cloud provider’s TOMs.

International data transfers

Many cloud providers store or process data outside the EU. This is particularly relevant under data protection law:

1. Adequacy decision: If the EU Commission has issued an adequacy decision for the destination country (e.g. for the United Kingdom), the data transfer is generally permitted.
2. Standard contractual clauses: In many cases, the standard contractual clauses provided by the EU Commission are used to enable legally compliant data transfer.
3. Binding Corporate Rules: Approved binding internal data protection regulations can be a solution for intra-group transfers.
4. Additional measures: Following the ECJ’s Schrems II ruling, additional measures often need to be taken to ensure an adequate level of protection.

Startups should be particularly careful when using cloud services that transfer data to countries without an adequate level of data protection.

Special challenges for start-ups

1. Resource constraints: Many startups do not have dedicated data protection experts. However, it is important to provide sufficient resources for data protection.
2. Rapid growth: Data protection measures must be scaled accordingly when a company grows rapidly.
3. Flexibility vs. compliance: The need to act quickly and flexibly must not come at the expense of data protection compliance.
4. International expansion: When expanding into new markets, local data protection regulations must be taken into account.

Practical tips for start-ups

1. Due diligence: Conduct a thorough review of potential cloud providers, particularly with regard to their data protection practices and certifications.
2. Data protection impact assessment: For high-risk processing operations, carry out a data protection impact assessment in accordance with Art. 35 GDPR.
3. Documentation: Carefully document all decisions and measures in connection with the use of cloud services.
4. Encryption: Where possible, use end-to-end encryption to provide additional data protection.
5. Data economy: Think critically about which data actually needs to be outsourced to the cloud.
6. Contingency plan: Develop a plan in the event of a data protection incident or insolvency of the cloud provider.
7. Regular review: Regularly check compliance with data protection regulations and that your measures are up to date.
8. Training courses: Train your employees regularly in data protection issues, especially in dealing with cloud services.

The use of cloud services offers start-ups enormous opportunities, but also requires careful consideration of data protection aspects. A proactive approach to data protection can not only minimize legal risks, but also strengthen the trust of customers and partners. By implementing robust data protection practices, startups can reap the benefits of cloud services without neglecting compliance. Given the complexity of the issue and the potentially serious consequences of non-compliance, it is advisable for startups to seek expert legal support when implementing cloud solutions. A specialist data protection lawyer can help develop tailor-made solutions that meet both business requirements and legal requirements.

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.