• Home
  • Imprint
  • Privacy policy
  • Terms
  • Agile and lean law firm
  • Ideal partner
  • Contact
  • Videos
ITMediaLaw - Rechtsanwalt Marian Härtel
  • en English
  • de Deutsch
  • About lawyer Marian Härtel
    • About lawyer Marian Härtel
      • Ideal partner
      • About lawyer Marian Härtel
      • Video series – about me
      • Why a lawyer and business consultant?
      • Principles as a lawyer
      • Focus on start-ups
      • Nerd und Rechtsanwalt
      • Ideal partner
      • How can I help clients?
    • Über die Kanzlei
      • How clients benefit from my network of colleagues, partners and service providers
      • Quick and flexible access
      • Agile and lean law firm
      • Team: Saskia Härtel – WHO AM I?
      • Price overview
    • How can I help clients?
    • Sonstige Informationen
      • Einwilligungen widerrufen
      • Privatsphäre-Einstellungen ändern
      • Historie der Privatsphäre-Einstellungen
      • Privacy policy
    • Testimonials
    • Imprint
  • Leistungen
    • Focus areas of attorney Marian Härtel
      • Support with the foundation
      • Games law consulting
      • Advice in e-commerce
      • Support and advice of agencies
      • Legal advice in corporate law: from incorporation to structuring
      • Legal compliance and expert opinions
      • Streamers and influencers
      • Cryptocurrencies, Blockchain and Games
      • Outsourcing – for companies or law firms
    • Arbeitsschwerpunkte
      • Games and esports law
        • Esports. What is it?
      • Corporate law
      • IT/IP Law
      • Consulting for influencers and streamers
        • Influencer & Streamer
      • Contract review and preparation
      • DLT and Blockchain consulting
        • Blockchain Overview
      • Investment advice
      • AI and SaaS
  • Artikel/News
    • Langartikel / Guides
    • Law and computer games
    • Law and Esport
    • Law on the Internet
    • Blockchain and web law
    • Online retail
    • Data protection Law
    • Copyright
    • Competition law
    • Copyright
    • EU law
    • Law on the protection of minors
    • Labour law
    • Tax
    • Kanzlei News
    • Other
  • Videos/Podcasts
    • Videos
    • Podcast
      • ITMediaLaw Podcast
      • ITMediaLaw Kurz-Podcast
  • Knowledge base
  • Contact
Kurzberatung
  • About lawyer Marian Härtel
    • About lawyer Marian Härtel
      • Ideal partner
      • About lawyer Marian Härtel
      • Video series – about me
      • Why a lawyer and business consultant?
      • Principles as a lawyer
      • Focus on start-ups
      • Nerd und Rechtsanwalt
      • Ideal partner
      • How can I help clients?
    • Über die Kanzlei
      • How clients benefit from my network of colleagues, partners and service providers
      • Quick and flexible access
      • Agile and lean law firm
      • Team: Saskia Härtel – WHO AM I?
      • Price overview
    • How can I help clients?
    • Sonstige Informationen
      • Einwilligungen widerrufen
      • Privatsphäre-Einstellungen ändern
      • Historie der Privatsphäre-Einstellungen
      • Privacy policy
    • Testimonials
    • Imprint
  • Leistungen
    • Focus areas of attorney Marian Härtel
      • Support with the foundation
      • Games law consulting
      • Advice in e-commerce
      • Support and advice of agencies
      • Legal advice in corporate law: from incorporation to structuring
      • Legal compliance and expert opinions
      • Streamers and influencers
      • Cryptocurrencies, Blockchain and Games
      • Outsourcing – for companies or law firms
    • Arbeitsschwerpunkte
      • Games and esports law
        • Esports. What is it?
      • Corporate law
      • IT/IP Law
      • Consulting for influencers and streamers
        • Influencer & Streamer
      • Contract review and preparation
      • DLT and Blockchain consulting
        • Blockchain Overview
      • Investment advice
      • AI and SaaS
  • Artikel/News
    • Langartikel / Guides
    • Law and computer games
    • Law and Esport
    • Law on the Internet
    • Blockchain and web law
    • Online retail
    • Data protection Law
    • Copyright
    • Competition law
    • Copyright
    • EU law
    • Law on the protection of minors
    • Labour law
    • Tax
    • Kanzlei News
    • Other
  • Videos/Podcasts
    • Videos
    • Podcast
      • ITMediaLaw Podcast
      • ITMediaLaw Kurz-Podcast
  • Knowledge base
  • Contact
ITMediaLaw - Rechtsanwalt Marian Härtel
Home Data protection Law

Data protection when using cloud services

10. October 2024
in Data protection Law
Reading Time: 4 mins read
0 0
A A
0
Data protection when using cloud services: what startups need to know
Key Facts
  • Cloud services offer flexibility, scalability and cost efficiency, but also pose data protection challenges.
  • The legal framework for cloud use is defined by the GDPR, in particular by Art. 6, 28, 32, 44 et seq.
  • Startups are generally responsible for complying with data protection regulations and must conclude a DPA.
  • The DPA regulates key points such as processing, data protection obligations and confidentiality.
  • International data transfers require special attention in order to guarantee protection standards.
  • Startups should carry out due diligence and document data protection compliance measures.
  • A proactive data protection culture strengthens the trust of customers and partners and minimizes legal risks.

Cloud services offer start-ups numerous advantages such as flexibility, scalability and cost efficiency. However, the use of cloud services also entails considerable data protection challenges. This article highlights the most important aspects of data protection law that startups need to consider when using cloud services.

Content Hide
1. Legal framework
2. Responsibilities when using the cloud
3. Data processing agreement (DPA)
4. Technical and organizational measures
5. International data transfers
6. Special challenges for start-ups
7. Practical tips for start-ups

Legal framework

Data protection when using cloud services is primarily regulated by the General Data Protection Regulation (GDPR). Central aspects are:

  1. Lawfulness of the data processing (Art. 6 GDPR)
  2. Order processing (Art. 28 GDPR)
  3. Technical and organizational measures (Art. 32 GDPR)
  4. International data transfers (Art. 44 et seq. GDPR)

Responsibilities when using the cloud

When using cloud services, the startup is usually the controller within the meaning of the GDPR, while the cloud provider acts as a processor. This has important consequences:

  1. The startup remains responsible for compliance with data protection regulations.
  2. A data processing agreement (DPA) must be concluded with the cloud provider.
  3. The startup must monitor the cloud provider’s compliance with data protection regulations.

Data processing agreement (DPA)

The DPA is a central element in the data protection-compliant use of cloud services. It must regulate the following points in accordance with Art. 28 para. 3 GDPR:

  1. Object and duration of processing
  2. Nature and purpose of processing
  3. Type of personal data and categories of data subjects
  4. Obligations and rights of the controller
  5. The processor is bound by instructions
  6. Obligation of confidentiality
  7. Technical and organizational measures
  8. Regulations to support the person responsible
  9. Dealing with sub-processors
  10. Deletion or return of data after the end of processing

Many cloud providers make standardized AVVs available. These should be checked carefully and adapted if necessary.

Technical and organizational measures

Startups must ensure that the cloud provider has implemented appropriate technical and organizational measures (TOMs) to ensure a level of protection appropriate to the risk. Important aspects are:

  1. Encryption: both during transmission and when storing the data
  2. Access control: Strict regulations and procedures for accessing data
  3. Availability control: Measures to ensure the availability of data
  4. Separation control: Separate processing of data from different clients
  5. Pseudonymization: Where possible, data should be pseudonymized

Startups should carefully check and document the cloud provider’s TOMs.

International data transfers

Many cloud providers store or process data outside the EU. This is particularly relevant under data protection law:

  1. Adequacy decision: If the EU Commission has issued an adequacy decision for the destination country (e.g. for the United Kingdom), the data transfer is generally permitted.
  2. Standard contractual clauses: In many cases, the standard contractual clauses provided by the EU Commission are used to enable legally compliant data transfer.
  3. Binding Corporate Rules: Approved binding internal data protection regulations can be a solution for intra-group transfers.
  4. Additional measures: Following the ECJ’s Schrems II ruling, additional measures often need to be taken to ensure an adequate level of protection.

Startups should be particularly careful when using cloud services that transfer data to countries without an adequate level of data protection.

Special challenges for start-ups

  1. Resource constraints: Many startups do not have dedicated data protection experts. However, it is important to provide sufficient resources for data protection.
  2. Rapid growth: Data protection measures must be scaled accordingly when a company grows rapidly.
  3. Flexibility vs. compliance: The need to act quickly and flexibly must not come at the expense of data protection compliance.
  4. International expansion: When expanding into new markets, local data protection regulations must be taken into account.

Practical tips for start-ups

  1. Due diligence: Conduct a thorough review of potential cloud providers, particularly with regard to their data protection practices and certifications.
  2. Data protection impact assessment: For high-risk processing operations, carry out a data protection impact assessment in accordance with Art. 35 GDPR.
  3. Documentation: Carefully document all decisions and measures in connection with the use of cloud services.
  4. Encryption: Where possible, use end-to-end encryption to provide additional data protection.
  5. Data economy: Think critically about which data actually needs to be outsourced to the cloud.
  6. Contingency plan: Develop a plan in the event of a data protection incident or insolvency of the cloud provider.
  7. Regular review: Regularly check compliance with data protection regulations and that your measures are up to date.
  8. Training courses: Train your employees regularly in data protection issues, especially in dealing with cloud services.

The use of cloud services offers start-ups enormous opportunities, but also requires careful consideration of data protection aspects. A proactive approach to data protection can not only minimize legal risks, but also strengthen the trust of customers and partners. By implementing robust data protection practices, startups can reap the benefits of cloud services without neglecting compliance.

Given the complexity of the issue and the potentially serious consequences of non-compliance, it is advisable for start-ups to seek expert legal support when implementing cloud solutions. A specialist data protection lawyer can help develop tailor-made solutions that meet both business requirements and legal requirements.

Tags: ComplianceEmployeesEntscheidungenEuGDPRGeneral Data Protection RegulationGrowthInsolvencyJudgmentPrivacyRiskStandard contractual clausesStartups

Beliebte Beträge

Data leak in startup practice: GDPR reporting and damage limitation

dsgvo
29. April 2025

Young start-ups and solopreneurs often focus on agile development and rapid growth - but a data leak can put an...

Read moreDetails

Data protection, anonymity and third-party chatter: GDPR risks and solutions for OnlyFans Creator

Data protection, anonymity and third-party chatter: GDPR risks and solutions for OnlyFans Creator
12. May 2025

OnlyFans has revolutionized the income opportunities for adult content creators - but with success comes legal challenges. In particular, data...

Read moreDetails

Data protection and anonymity for OnlyFans creators, agencies, brokers and chatter agencies

Data protection and anonymity for OnlyFans creators, agencies, brokers and chatter agencies
10. May 2025

OnlyFans and similar platforms for erotic content are booming - but as their popularity grows, so do the data protection...

Read moreDetails

Legally compliant archiving of emails: legal requirements and practical implementation

Legally compliant archiving of emails: legal requirements and practical implementation
14. March 2025

It is impossible to imagine modern corporate communication without e-mail. It is not only used for the rapid exchange of...

Read moreDetails

Risks when hosting personal data on US cloud servers

Risks when hosting personal data on US cloud servers
18. February 2025

Hosting personal data on cloud servers from US providers poses significant risks for European companies, particularly with regard to compliance...

Read moreDetails

SaaS contract for marketing tools

da785cff1bca5b6897d0d4cacf7359ff
15. November 2024

When I helped set up CPMStar, one of the first major gaming marketing agencies in Germany, a few years ago,...

Read moreDetails

BGH ruling on damages for data protection breaches

BGH: Women also gamble on first-person shooters
8. December 2024

The ruling by the German Federal Court of Justice (BGH) on November 18, 2024 has put an abrupt end to...

Read moreDetails

New cookie regulation: a step towards simplifying digital consent?

Esport: Sports Committee of the BT meets Wednesday
8. December 2024

On September 4, 2024, the Federal Government adopted the Consent Management Ordinance (EinwV). This new ordinance is based on Section...

Read moreDetails

Multi-tenant architectures in the SaaS sector: data separation and compliance requirements

6e405ef66c83bf9de2066fb73a1deafc
9. November 2024

Multi-tenant architectures are the backbone of modern SaaS solutions, as they enable efficient use of resources and scalability. However, they...

Read moreDetails
  • Home
  • Imprint
  • Privacy policy
  • Terms
  • Agile and lean law firm
  • Ideal partner
  • Contact
  • Videos
Marian Härtel, Rathenaustr. 58a, 14612 Falkensee, info@itmedialaw.com

Marian Härtel - Rechtsanwalt für IT-Recht, Medienrecht und Startups, mit einem Fokus auf innovative Geschäftsmodelle, Games, KI und Finanzierungsberatung.

Welcome Back!

Login to your account below

Forgotten Password? Sign Up

Create New Account!

Fill the forms below to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In
  • Contact
  • Leistungen
    • Support with the foundation
    • Focus areas of attorney Marian Härtel
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Games law consulting
    • Support and advice of agencies
    • Legal advice in corporate law: from incorporation to structuring
    • Cryptocurrencies, Blockchain and Games
    • Investment advice
    • Booking as speaker
    • Legal compliance and expert opinions
    • Legal advice in corporate law: from incorporation to structuring
    • Contract review and preparation
  • About lawyer Marian Härtel
    • About lawyer Marian Härtel
    • Agile and lean law firm
    • Focus on start-ups
    • Principles as a lawyer
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Why a lawyer and business consultant?
    • Focus on start-ups
    • How can I help clients?
    • Team: Saskia Härtel – WHO AM I?
    • Testimonials
    • Imprint
  • Videos
    • Video series – about me
    • Information videos – about Marian Härtel
    • Videos on services
    • Blogpost – individual videos
    • Shorts
    • Third-party videos
    • Podcast format
    • Other videos
  • Knowledge base
  • Podcast
  • Blogposts
    • Lange Artikel / Ausführungen
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Labour law
    • EU law
    • Corporate
    • Competition law
    • Copyright
    • Tax
    • Internally
    • Other
  • en English
  • de Deutsch
Kostenlose Kurzberatung