• Areas of expertise
  • |
  • About me
  • |
  • Principles as a lawyer
  • Tel: 03322 5078053
  • |
  • info@itmedialaw.com
ITMediaLaw - Rechtsanwalt Marian Härtel
  • en English
  • de Deutsch
  • About lawyer Marian Härtel
    • About lawyer Marian Härtel
      • Ideal partner
      • About lawyer Marian Härtel
      • Video series – about me
      • Why a lawyer and business consultant?
      • Principles as a lawyer
      • Focus on start-ups
      • Nerd und Rechtsanwalt
      • Ideal partner
      • How can I help clients?
    • Über die Kanzlei
      • How clients benefit from my network of colleagues, partners and service providers
      • Quick and flexible access
      • Agile and lean law firm
      • Team: Saskia Härtel – WHO AM I?
      • Price overview
    • How can I help clients?
    • Sonstige Informationen
      • Einwilligungen widerrufen
      • Privatsphäre-Einstellungen ändern
      • Historie der Privatsphäre-Einstellungen
      • Privacy policy
    • Testimonials
    • Imprint
  • Leistungen
    • Focus areas of attorney Marian Härtel
      • Support with the foundation
      • Games law consulting
      • Advice in e-commerce
      • Support and advice of agencies
      • Legal advice in corporate law: from incorporation to structuring
      • Legal compliance and expert opinions
      • Streamers and influencers
      • Cryptocurrencies, Blockchain and Games
      • Outsourcing – for companies or law firms
    • Arbeitsschwerpunkte
      • Games and esports law
        • Esports. What is it?
      • Corporate law
      • IT/IP Law
      • Consulting for influencers and streamers
        • Influencer & Streamer
      • Contract review and preparation
      • DLT and Blockchain consulting
        • Blockchain Overview
      • Investment advice
      • AI and SaaS
  • Artikel/News
    • Langartikel / Guides
    • Law and computer games
    • Law and Esport
    • Law on the Internet
    • Blockchain and web law
    • Online retail
    • Data protection Law
    • Copyright
    • Competition law
    • Copyright
    • EU law
    • Law on the protection of minors
    • Labour law
    • Tax
    • Kanzlei News
    • Other
  • Videos/Podcasts
    • Videos
    • Podcast
      • ITMediaLaw Podcast
      • ITMediaLaw Kurz-Podcast
  • Knowledge base
  • Contact
Kurzberatung
  • About lawyer Marian Härtel
    • About lawyer Marian Härtel
      • Ideal partner
      • About lawyer Marian Härtel
      • Video series – about me
      • Why a lawyer and business consultant?
      • Principles as a lawyer
      • Focus on start-ups
      • Nerd und Rechtsanwalt
      • Ideal partner
      • How can I help clients?
    • Über die Kanzlei
      • How clients benefit from my network of colleagues, partners and service providers
      • Quick and flexible access
      • Agile and lean law firm
      • Team: Saskia Härtel – WHO AM I?
      • Price overview
    • How can I help clients?
    • Sonstige Informationen
      • Einwilligungen widerrufen
      • Privatsphäre-Einstellungen ändern
      • Historie der Privatsphäre-Einstellungen
      • Privacy policy
    • Testimonials
    • Imprint
  • Leistungen
    • Focus areas of attorney Marian Härtel
      • Support with the foundation
      • Games law consulting
      • Advice in e-commerce
      • Support and advice of agencies
      • Legal advice in corporate law: from incorporation to structuring
      • Legal compliance and expert opinions
      • Streamers and influencers
      • Cryptocurrencies, Blockchain and Games
      • Outsourcing – for companies or law firms
    • Arbeitsschwerpunkte
      • Games and esports law
        • Esports. What is it?
      • Corporate law
      • IT/IP Law
      • Consulting for influencers and streamers
        • Influencer & Streamer
      • Contract review and preparation
      • DLT and Blockchain consulting
        • Blockchain Overview
      • Investment advice
      • AI and SaaS
  • Artikel/News
    • Langartikel / Guides
    • Law and computer games
    • Law and Esport
    • Law on the Internet
    • Blockchain and web law
    • Online retail
    • Data protection Law
    • Copyright
    • Competition law
    • Copyright
    • EU law
    • Law on the protection of minors
    • Labour law
    • Tax
    • Kanzlei News
    • Other
  • Videos/Podcasts
    • Videos
    • Podcast
      • ITMediaLaw Podcast
      • ITMediaLaw Kurz-Podcast
  • Knowledge base
  • Contact
ITMediaLaw - Rechtsanwalt Marian Härtel
Home Data protection Law

Data protection when using cloud services

10. October 2024
in Data protection Law
Reading Time: 4 mins read
0 0
A A
0
Data protection when using cloud services: what startups need to know
Key Facts
  • Cloud services offer flexibility, scalability and cost efficiency, but also pose data protection challenges.
  • The legal framework for cloud use is defined by the GDPR, in particular by Art. 6, 28, 32, 44 et seq.
  • Startups are generally responsible for complying with data protection regulations and must conclude a DPA.
  • The DPA regulates key points such as processing, data protection obligations and confidentiality.
  • International data transfers require special attention in order to guarantee protection standards.
  • Startups should carry out due diligence and document data protection compliance measures.
  • A proactive data protection culture strengthens the trust of customers and partners and minimizes legal risks.

Cloud services offer start-ups numerous advantages such as flexibility, scalability and cost efficiency. However, the use of cloud services also entails considerable data protection challenges. This article highlights the most important aspects of data protection law that startups need to consider when using cloud services.

Content Hide
1. Legal framework
2. Responsibilities when using the cloud
3. Data processing agreement (DPA)
4. Technical and organizational measures
5. International data transfers
6. Special challenges for start-ups
7. Practical tips for start-ups

Legal framework

Data protection when using cloud services is primarily regulated by the General Data Protection Regulation (GDPR). Central aspects are:

  1. Lawfulness of the data processing (Art. 6 GDPR)
  2. Order processing (Art. 28 GDPR)
  3. Technical and organizational measures (Art. 32 GDPR)
  4. International data transfers (Art. 44 et seq. GDPR)

Responsibilities when using the cloud

When using cloud services, the startup is usually the controller within the meaning of the GDPR, while the cloud provider acts as a processor. This has important consequences:

  1. The startup remains responsible for compliance with data protection regulations.
  2. A data processing agreement (DPA) must be concluded with the cloud provider.
  3. The startup must monitor the cloud provider’s compliance with data protection regulations.

Data processing agreement (DPA)

The DPA is a central element in the data protection-compliant use of cloud services. It must regulate the following points in accordance with Art. 28 para. 3 GDPR:

  1. Object and duration of processing
  2. Nature and purpose of processing
  3. Type of personal data and categories of data subjects
  4. Obligations and rights of the controller
  5. The processor is bound by instructions
  6. Obligation of confidentiality
  7. Technical and organizational measures
  8. Regulations to support the person responsible
  9. Dealing with sub-processors
  10. Deletion or return of data after the end of processing

Many cloud providers make standardized AVVs available. These should be checked carefully and adapted if necessary.

Technical and organizational measures

Startups must ensure that the cloud provider has implemented appropriate technical and organizational measures (TOMs) to ensure a level of protection appropriate to the risk. Important aspects are:

  1. Encryption: both during transmission and when storing the data
  2. Access control: Strict regulations and procedures for accessing data
  3. Availability control: Measures to ensure the availability of data
  4. Separation control: Separate processing of data from different clients
  5. Pseudonymization: Where possible, data should be pseudonymized

Startups should carefully check and document the cloud provider’s TOMs.

International data transfers

Many cloud providers store or process data outside the EU. This is particularly relevant under data protection law:

  1. Adequacy decision: If the EU Commission has issued an adequacy decision for the destination country (e.g. for the United Kingdom), the data transfer is generally permitted.
  2. Standard contractual clauses: In many cases, the standard contractual clauses provided by the EU Commission are used to enable legally compliant data transfer.
  3. Binding Corporate Rules: Approved binding internal data protection regulations can be a solution for intra-group transfers.
  4. Additional measures: Following the ECJ’s Schrems II ruling, additional measures often need to be taken to ensure an adequate level of protection.

Startups should be particularly careful when using cloud services that transfer data to countries without an adequate level of data protection.

Special challenges for start-ups

  1. Resource constraints: Many startups do not have dedicated data protection experts. However, it is important to provide sufficient resources for data protection.
  2. Rapid growth: Data protection measures must be scaled accordingly when a company grows rapidly.
  3. Flexibility vs. compliance: The need to act quickly and flexibly must not come at the expense of data protection compliance.
  4. International expansion: When expanding into new markets, local data protection regulations must be taken into account.

Practical tips for start-ups

  1. Due diligence: Conduct a thorough review of potential cloud providers, particularly with regard to their data protection practices and certifications.
  2. Data protection impact assessment: For high-risk processing operations, carry out a data protection impact assessment in accordance with Art. 35 GDPR.
  3. Documentation: Carefully document all decisions and measures in connection with the use of cloud services.
  4. Encryption: Where possible, use end-to-end encryption to provide additional data protection.
  5. Data economy: Think critically about which data actually needs to be outsourced to the cloud.
  6. Contingency plan: Develop a plan in the event of a data protection incident or insolvency of the cloud provider.
  7. Regular review: Regularly check compliance with data protection regulations and that your measures are up to date.
  8. Training courses: Train your employees regularly in data protection issues, especially in dealing with cloud services.

The use of cloud services offers start-ups enormous opportunities, but also requires careful consideration of data protection aspects. A proactive approach to data protection can not only minimize legal risks, but also strengthen the trust of customers and partners. By implementing robust data protection practices, startups can reap the benefits of cloud services without neglecting compliance.

Given the complexity of the issue and the potentially serious consequences of non-compliance, it is advisable for start-ups to seek expert legal support when implementing cloud solutions. A specialist data protection lawyer can help develop tailor-made solutions that meet both business requirements and legal requirements.

Tags: ComplianceEmployeesEntscheidungenEuGDPRGeneral Data Protection RegulationGrowthInsolvencyJudgmentPrivacyRiskStandard contractual clausesStartups

Beliebte Beträge

Legally compliant archiving of emails: legal requirements and practical implementation

Legally compliant archiving of emails: legal requirements and practical implementation
14. March 2025

It is impossible to imagine modern corporate communication without e-mail. It is not only used for the rapid exchange of...

Read moreDetails

Risks when hosting personal data on US cloud servers

Risks when hosting personal data on US cloud servers
18. February 2025

Hosting personal data on cloud servers from US providers poses significant risks for European companies, particularly with regard to compliance...

Read moreDetails

SaaS contract for marketing tools

da785cff1bca5b6897d0d4cacf7359ff
15. November 2024

When I helped set up CPMStar, one of the first major gaming marketing agencies in Germany, a few years ago,...

Read moreDetails

BGH ruling on damages for data protection breaches

BGH: Women also gamble on first-person shooters
8. December 2024

The ruling by the German Federal Court of Justice (BGH) on November 18, 2024 has put an abrupt end to...

Read moreDetails

New cookie regulation: a step towards simplifying digital consent?

Esport: Sports Committee of the BT meets Wednesday
8. December 2024

On September 4, 2024, the Federal Government adopted the Consent Management Ordinance (EinwV). This new ordinance is based on Section...

Read moreDetails

Multi-tenant architectures in the SaaS sector: data separation and compliance requirements

6e405ef66c83bf9de2066fb73a1deafc
9. November 2024

Multi-tenant architectures are the backbone of modern SaaS solutions, as they enable efficient use of resources and scalability. However, they...

Read moreDetails

Federal Court of Justice plans landmark decision on Facebook data scandal

BGH considers Uber Black to be anti-competitive
9. November 2024

The Federal Court of Justice (BGH) has announced that it intends to issue a landmark ruling in the form of...

Read moreDetails

Legally compliant integration of biometric authentication systems: Data protection and security requirements for FinTech start-ups

Legally compliant integration of biometric authentication systems: Data protection and security requirements for FinTech start-ups
21. October 2024

Biometric authentication systems are revolutionizing the way FinTech start-ups ensure security and user-friendliness. However, the integration of this technology also...

Read moreDetails

Legally compliant integration of biometric authentication systems: Data protection and security requirements for FinTech start-ups

Legally compliant integration of biometric authentication systems: Data protection and security requirements for FinTech start-ups
21. October 2024

Biometric authentication systems are revolutionizing the way FinTech start-ups ensure security and user-friendliness. However, the integration of this technology also...

Read moreDetails

5.0 60 reviews

  • Avatar Lennart Korte ★★★★★ vor 2 Monaten
    Ich kann Herrn Härtel als Anwalt absolut weiterempfehlen! Sein Service ist erstklassig – schnelle Antwortzeiten, effiziente … Mehr Arbeit und dabei sehr kostengünstig, was für Startups besonders wichtig ist. Er hat für mein Startup einen Vertrag erstellt, und ich bin von seiner professionellen und zuverlässigen Arbeit überzeugt. Klare Empfehlung!
  • Avatar R.H. ★★★★★ vor 3 Monaten
    Ich kann Hr. Härtel nur empfehlen! Er hat mich bei einem Betrugsversuch einer Krypto Börse rechtlich vertreten. Ich bin sehr … Mehr zufrieden mit seiner engagierten Arbeit gewesen. Ich wurde von Anfang an kompetent, fair und absolut transparent beraten. Trotz eines zähen Verfahrens und einer großen Börse als Gegner, habe ich mich immer sicher und zuversichtlich gefühlt. Auch die Schnelligkeit und die sehr gute Erreichbarkeit möchte ich an der Stelle hoch loben und nochmal meinen herzlichsten Dank aussprechen! Daumen hoch mit 10 Sternen!
  • Avatar P! Galerie ★★★★★ vor 4 Monaten
    Herr Härtel hat uns äusserst kompetent in einen lästigen Fall mit META betreut. Er war effizient, beharrlich, aber auch mit … Mehr uns geduldig. Menschlich top, bis wir am Ende Dank ihm erfolgreich zum Ziel gekommen sind. Können wir wärmstens empfehlen. Und nochmals danke. P.H.
  • Avatar Philip Lucas ★★★★★ vor 8 Monaten
    Wir haben Herrn Härtel für unser Unternehmen konsultiert und sind äußerst zufrieden mit seiner Arbeit. Von Anfang an hat … Mehr er einen überaus kompetenten Eindruck gemacht und sich als ein sehr angenehmer Gesprächspartner erwiesen. Seine fachliche Expertise und seine verständliche und zugängliche Art im Umgang mit komplexen Themen haben uns überzeugt. Wir freuen uns auf eine langfristige und erfolgreiche Zusammenarbeit!
  • Avatar Mosaic Mask Studio ★★★★★ vor 5 Monaten
    Die Kanzlei ist immer ein verlässlicher Partner bei der Sichtung und Bearbeitung von Verträgen in der IT Branche. Es ist … Mehr stets ein professioneller Austausch auf Augenhöhe.
    Die Ergebnisse sind auf hohem Niveau und haben die interessen unsers Unternehmens immer bestmöglich wiedergespiegelt.
    Vielen Dank für die sehr gute Zusammenarbeit.
  • Avatar Mikael Hällgren ★★★★★ vor einem Monat
    I got fantastic support from Marian Härtel. He managed to get my wrongfully suspended Instagram account restored. He was … Mehr incredibly helpful the whole way until the positive outcome. Highly recommended!
  • Avatar Doris H. ★★★★★ vor 10 Monaten
    Herr Härtel hat uns bezüglich eines Telefonvertrags beraten und vertreten. Wir waren mit seinem Service sehr zufrieden. Er … Mehr hat stets schnell auf unsere E-mails und Anrufe reagiert und den Sachverhalt einfach und verständlich erklärt. Wir würden Herrn Härtel jederzeit wieder beauftragen.Vielen Dank für die hervorragende Unterstützung
  • Avatar Philipp Skaar ★★★★★ vor 8 Monaten
    Als kleines inhabergeführtes Hotel sehen wir uns ab und dann (bei sonst weit über dem Durchschnitt liegenden Bewertungen) … Mehr der Herausforderung von aus der Anonymität heraus agierenden "Netz-Querulanten" gegenüber gestellt. Herr Härtel versteht es außerordentlich spür- und feinsinnig, derartige - oftmals auf Rufschädigung ausgerichtete - Bewertungen bereits im Keim, also außergerichtlich, zu ersticken und somit unseren Betrieb vor weiteren Folgeschäden zu bewahren. Seine Umsetzungsgeschwindigkeit ist beeindruckend, seine bisherige Erfolgsquote = 100%.Ergo: Unsere erste Adresse zur Abwehr von geschäftsschädigenden Angriffen aus dem Web.
  • ●
  • ●
  • ●
  • ●

Video-Galerie

When does a dual holding structure make sense?
When does a dual holding structure make sense?
OnlyFans management: legal pitfalls and solutions
OnlyFans management: legal pitfalls and solutions
My principles as a lawyer
My principles as a lawyer
BGH considers Uber Black to be anti-competitive

Federal Court of Justice (BGH)

25. June 2023

Introduction The Federal Court of Justice (BGH) is the highest court of the Federal Republic of Germany in the area...

Read moreDetails
Escrow agreement

Escrow agreement

16. October 2024
Right to data portability

Right to data portability

16. October 2024
Legal challenges when implementing confidential computing: data protection and encryption in the cloud

Order processing contract (AV contract)

11. April 2025
Key Man Clause

Key Man Clause

16. October 2024

Podcast Folgen

Leben als IT-Anwalt, Work-Life Balance, Familie und meine Karriere

Leben als IT-Anwalt, Work-Life Balance, Familie und meine Karriere

25. September 2024

In dieser fesselnden Episode meines IT-Medialaw Podcasts teile ich, Marian Härtel, meine persönliche Reise als leidenschaftlicher IT-Rechtsanwalt. Ich erzähle von...

Rechtliche Risiken bei langen Entwicklungszeiten und der Stornierung von Crowdfundingspielen

Rechtliche Risiken bei langen Entwicklungszeiten und der Stornierung von Crowdfundingspielen

20. April 2025

In dieser Episode erörtern wir die rechtlichen Herausforderungen, denen Spieleentwickler bei der Finanzierung durch Crowdfunding gegenüberstehen. Wir beleuchten die Verpflichtungen...

Rechtliche Herausforderungen innovativer Geschäftsmodelle

Rechtliche Herausforderungen innovativer Geschäftsmodelle

26. September 2024

In dieser fesselnden Podcast-Episode tauche ich als IT- und Medienrechtsanwalt tief in die Welt der rechtlichen Herausforderungen ein, die mit...

8315f1ef298eb54dfeed2f5e55c8b9da 1

Erste Testfolge des ITMediaLaw Podcast

26. August 2024

Erste TestfolgeLiebe Leserinnen und Leser,ich freue mich, heute den ersten Testlauf unseres brandneuen IT Media Law Podcasts zu präsentieren! In diesem Podcast...

  • Home
  • Imprint
  • Privacy policy
  • Terms
  • Agile and lean law firm
  • Ideal partner
  • Contact
  • Videos
Marian Härtel, Rathenaustr. 58a, 14612 Falkensee, info@itmedialaw.com

Marian Härtel - Rechtsanwalt für IT-Recht, Medienrecht und Startups, mit einem Fokus auf innovative Geschäftsmodelle, Games, KI und Finanzierungsberatung.

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In
  • Contact
  • Leistungen
    • Support with the foundation
    • Focus areas of attorney Marian Härtel
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Games law consulting
    • Support and advice of agencies
    • Legal advice in corporate law: from incorporation to structuring
    • Cryptocurrencies, Blockchain and Games
    • Investment advice
    • Booking as speaker
    • Legal compliance and expert opinions
    • Legal advice in corporate law: from incorporation to structuring
    • Contract review and preparation
  • About lawyer Marian Härtel
    • About lawyer Marian Härtel
    • Agile and lean law firm
    • Focus on start-ups
    • Principles as a lawyer
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Why a lawyer and business consultant?
    • Focus on start-ups
    • How can I help clients?
    • Team: Saskia Härtel – WHO AM I?
    • Testimonials
    • Imprint
  • Videos
    • Video series – about me
    • Information videos – about Marian Härtel
    • Videos on services
    • Blogpost – individual videos
    • Shorts
    • Third-party videos
    • Podcast format
    • Other videos
  • Knowledge base
  • Podcast
  • Blogposts
    • Lange Artikel / Ausführungen
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Labour law
    • EU law
    • Corporate
    • Competition law
    • Copyright
    • Tax
    • Internally
    • Other
  • en English
  • de Deutsch
Kostenlose Kurzberatung