Cloud computing has become an essential element of the IT sourcing strategy for many companies.
IT, legal and procurement staff in these companies are therefore faced with the fact that comprehensive know-how in many areas — not only in technology — is now necessary if cloud services are to be used responsibly, economically and in a way that is legally compliant with the locally applicable regulation frameworks.
Cloud services provide a high potential for increasing efficiency in the business world. However, from a data protection perspective, the following aspects are identified as critical:
Risk due to involvement of a third party: With the Cloud Service Provider (CSP), a third party becomes involved in the processing of personal data by the Cloud Service Customer (CSC). From the point of view of the affected person whose rights are to be protected, this represents an increase in the risk that unauthorized persons might be able to access the data being processed.
Loss of control: An increase in the number of people authorized to access the processed data means an increase in the challenge of committing all involved persons to act according to data protection laws, as well as the challenge of verifying the observance of all data protection obligations. The term “loss of control” refers to the fact that the affected person often does not know who the authorized third parties are, or has no way of monitoring them.