General Data Protection Regulation

To which cases do the requirements of the GDPR apply?

As is already the case today in data protection law, the decisive factor for the GDPR is whether personal data are processed. In other words, this is all information that can be related to a person. It is obvious that this includes people as customers and employees. But in everyday business, this often also applies to other customers, suppliers and business relationships. After all, the contractual partner may be a legal entity, but typically human data (contact persons, managing directors, etc.) is also stored for this purpose. In short, there is hardly any area of the company that data protection does not cover.

The Cloud Privacy Check (CPC) as orientation in the cloud environment

The Cloud Privacy Check (CPC) was developed as a tool to help users and providers merge cloud computing and data protection. In particular, you can find the CPC at: https:// cloudprivacycheck.eu/en/tool/.
The CPC highlights the four fundamental questions that need to be asked from a data protection perspective when using cloud services. The CPC also provides an overview of the relevant answers.

1. Are personal data involved. Because: Only then must data protection law be observed.
2. If the cloud provider has access to personal data. Because: Only then must the integration of the cloud provider be designed in accordance with data protection law. The GDPR offers a suitable instrument here in the form of commissioned processing in accordance with Article 28 of the GDPR. 3.
3. Are personal data processed across borders and is there cross-border access (e.g., in the context of maintenance and support)? Because: Only then is it necessary to additionally examine which data protection framework conditions must be met for this design of the cloud service. There are no special requirements within the EU. For cross-border processing in or from countries outside the EU, Art. 44 to 50 of the GDPR provide suitable instruments.
4. Are subcontractors used by the cloud provider to provide the service?

If so, additional data protection measures must be taken in order to structure this integration. The GDPR also provides instruments for this in Art. 28 GDPR. To put it simply, the subcontractor is integrated in the same way as the cloud provider (see points 2 and 3 above) - only on the second level. The CPC thus makes it clear that data protection is not a "stumbling block" for the use of cloud service. At the same time, it facilitates the overview and selection of the "data protection modules" to be used depending on the cloud service.

Why the changeover to the DSGVO must not be missed!

The CPC was developed before the GDPR came into force. Nevertheless, it is still applicable because nothing fundamental has changed as a result of the GDPR. The essential changes from the "old data protection law" to the GDPR take place on other levels.

The fundamental change is that the GDPR follows the approach of "data protection through documentation and organization": The DS-GVO has three basic "set screws" for documentation and organization:

1. The company must prove through documentation that it complies with the requirements of the GDPR (Art. 5 (2) DS-GVO).
2. The company must ensure compliance with data protection law through verifiable measures (Art. 24 DS-GVO).
3. Documented measures must also ensure that the extensive catalog of data subject rights can be fulfilled (Art. 12 DS-GVO).

Of course, you cannot do anything with these keywords alone, and you do not know what needs to be done. But you can see that the GDPR requires more and different things from you than the previous data protection law.

In the future, those whose data is used must be informed much more comprehensively proactively (!) about how their data is handled. The extension of the duty to inform goes so far that the legal basis justifying the collection of data must also be stated. A violation of this requirement is easy to detect and thus sanction. The above duty to inform thus also means that the data processor must check the permissibility for each processing operation in order to be able to name the legal basis. If a data breach occurs - i.e. in particular loss, disclosure of data or third-party access - the supervisory authority and the data subject must be informed. In the case of risky data processing, an impact assessment must be carried out and, if necessary, the data protection supervisory authority must even be consulted about the planned data processing. This effect of the obligation to consult and additional effort is very much intended by the GDPR. After all, the GDPR wants to virtually force companies to deal with data processing. This is also reflected in the fact that the violation of the aforementioned documentation and organizational obligations alone can lead to fines and liability. What you need to do now? In a first step, you need to clarify the new requirements for your company. In a second step, you record the current status and adapt it to the requirements of the GDPR.