Data privacy regulations in the European Union (EU) are among the strictest in the world. Each EU member state is required to have its own comprehensive privacy laws protecting individual rights against information collection and processing by the government and private entities. Among EU member states, Germany has one of the strongest policies.
Germany’s Federal Data Protection Act is known as Bundesdatenschutzgesetz or BDSG, the laws were reformed significantly in 2009 to cover a range of data protection-related issues. The key principles of the 2009 amendments state:
- Organizations cannot collect any personally identifiable information without express permission from an individual (this includes obvious things like name and date of birth, as well as less obvious things like phone number, address, and computer IP address).
- The permission that an individual grants must specify how, where, how long, and for what purposes the data may be used.
- The individual can revoke the permission at any time.
- Organizations must have policies, procedures, and controls in place to protect all data types and categories that fall under the BDSG umbrella.
Further, Germany does not recognize Safe Harbor regulations in the same way as other EU states. It requires all parties involved in data transfer to assure that Safe Harbor requirements are met in a more formalized and structured manner. This is important for German-based businesses using US cloud service providers since the providers must take additional measures to ensure compliance.
In addition to the Federal Data Protection Act, components of the German criminal code regulate personal data protection, particularly for telecommunications, healthcare, and insurance companies. And all of the 16 German states have their own specific data protection laws pertaining to the same areas.
It’s clear that organizations hoping to implement cloud application services in Germany must navigate a layered and complex web of regulations.
To help with the legal complexities, in 2011 the German Data Protection Authority (DPA) issued a set of guidelines to help would-be cloud users and service providers structure their business arrangements.
The guidelines include mandatory and suggested content for all cloud service contracts. Under the guidelines, the customer (i.e., the cloud service user or “data controller”) has full responsibility for ensuring legal compliance. To work with a cloud service provider (or “data processor”), the customer must certify the provisions are met.
The PerspecSys PRS (Privacy, Residency, Security) Solution is the only proven commercial offering that allows companies to run business applications in the cloud and store protected personal information inside the corporate firewall without sacrificing functionality or performance. The PerspecSys PRS solution is designed to help organizations that want to leverage cloud computing, but are constrained by German compliance and regulatory issues. Contact us to learn more about how we can help.