There is no way around cloud computing these days. Aitava is THE law firm for all topics related to the cloud. We have specialists who have been supporting customers and providers on their journey to the cloud for more than 12 years and who have many years of experience working in the legal department of the world’s leading cloud provider.

Benefit from our outstanding expertise in this field, whether you are a customer or a provider of cloud services. Aitava is not only familiar with all legal issues related to cloud contracts and compliance in the cloud. We also have an in-depth understanding of the technical aspects, operational processes and commercial conditions in the cloud. We offer interdisciplinary advice at the highest level from a single source.

Cloud Compliance

Data Protection

Most cloud services process personal data. Accordingly, the GDPR and national and sector-specific data protection laws must be observed. This begins with the conclusion of an adequate data processing agreement (DPA), including appropriate technical and organizational measures, Art. 28 and 32 GDPR.

The most attention is often paid to the possible transfer of personal data to non-EEA countries or the possibility of data access by authorities in such countries (e.g. the USA). Both must be measured against the specific hurdles of Art. 44 ff. GDPR, taking into account the Schrems II ruling of the ECJ from 2020 and the relevant positions of the competent supervisory authorities.

Unfortunately, it can be observed that some supervisory authorities and authors interpret various data protection requirements unduly strictly and extend them beyond the legally required scope. In addition, misconceptions about the technical and operational conditions at cloud providers still exist in the market. This leads to uncertainty among customers as to whether cloud services, especially those from US providers, can be used in a data protection-compliant manner. Our answer to this question is “YES” – and we will be happy to support you in this.

Protection of Secrets

Cloud customers from certain industries must observe the relevant provisions for the protection of secrets. These include, in particular, the so-called professional secrecy holders according to Section 203 of the German Criminal Code (StGB), e.g. doctors, lawyers, tax advisors, public officials, as well as health, life and accident insurance companies. Another example is telecommunications providers, who are subject to the secrecy of telecommunications according to Section 206 StGB and Section 3 of the German Telecommunications-Telemedia Data Protection Act (TDDDG).

Such confidentiality requirements must then be observed not only by the professional secrecy holders themselves, but also by cloud providers, e.g. if a provider processes secrets of professional secrecy holders in its SaaS solution and operates this solution at an IaaS provider.

It has become established practice to conclude a special additional agreement that explicitly incorporates the relevant confidentiality obligations into the cloud contract.

Another aspect is the protection of trade secrets. The German Act on the Protection of Trade Secrets (GeschGehG) requires appropriate measures to protect the information concerned. If these are not met, the information is no longer considered a protected trade secret. Therefore, the customer has a strong interest in securing cloud use through technical (e.g. encryption) and contractual measures (in particular, the provider’s confidentiality obligation).

Information Security

Information security plays a crucial role in cloud computing, especially when it comes to business-critical systems or data. Almost every company is affected by legal requirements for information security. Examples include:

  • the upcoming amendment of the German Act on the Federal Office for Information Security (BSIG) implementing the NIS2 directive, which will affect far more companies than just the operators of critical infrastructures covered so far and goes beyond the content of the previous Section 8a BSIG;
  • the obligation to implement appropriate technical and organizational measures for telecommunications providers (Section 165 of the German Telecommunications Act), providers of digital services (Section 19 of the German Telecommunications-Telemedia Data Protection Act) and anyone who processes personal data (Art. 32 GDPR).

Often, in cloud services, there is a shared responsibility for information security between the customer and the provider. For example, in IaaS and PaaS, the provider is responsible for the security of its infrastructure and system environment, while the customer is responsible for measures to protect their data and applications. A particular challenge is the tension between the customer’s individual security requirements and the cloud provider’s standardized security measures.

Aitava not only understands the legal requirements, but also the practical challenges. Trust our expertise in this sensitive area.

Finance and Insurance Sector

Financial institutions, such as insurance companies and banks, are subject to specific regulatory requirements for information security and operational resilience. However, the supervisory authorities emphasize that legally compliant cloud use is possible – including cloud services from US providers.

Whether it’s the outsourcing guidelines from EBA, EIOPA and ESMA, the BaFin supervisory notice on the cloud, or similar, we support you in implementing sector-specific requirements, such as:

  • Insurance companies: Sections 23, 32 German Insurance Supervision Act (VAG), Article 274 Commission Delegated Regulation (EU) 2015/35, Circular on Minimum Requirements on the System of Governance of Insurance Undertakings from the Federal Financial Supervisory Authority
  • Banks and other financial service providers: Sections 25a, 25b German Banking Act (KWG), Minimum Requirements for Risk Management from the Federal Financial Supervisory Authority
  • Capital management companies: Sections 28, 36 German Investment Code (KAGB), Article 75 ff. Commission Delegated Regulation (EU) 231/2013, KaMaRisk from the Federal Financial Supervisory Authority
  • Investment service providers: Section 80 German Securities Trading Act, Section 40 German Securities Institutions Act (WPIG), Article 30 ff. Delegated Regulation (EU) 2017/565
  • Payment service providers: Sections 26, 27 Payment Services Oversight Act (ZAG)

These requirements will be significantly increased by the Digital Operational Resilience Act (DORA). DORA includes extremely detailed requirements for IT risk management, in particular the management of risks when using cloud providers and other IT service providers.

Health Sector

Cloud use is legally possible in the healthcare sector as well – including cloud services from providers with a US parent company. Aitava helps you navigate the healthcare sector’s unique cloud requirements.

In addition to secrecy protection under Section 203 of the German Criminal Code, the focus is often on data protection law. In the healthcare sector, special provisions often apply that go beyond the requirements of the GDPR. This applies in particular to data processing outside the EEA, for which an adequacy decision pursuant to Art. 45 GDPR must be available, while justification of the data transfer via EU standard contractual clauses or (processor) binding corporate rules is not permitted. Examples are Section 393 (2) of the Social Code Book V (SGB V) and Section 80 para. 2 of the Social Code Book X (SGB X), which, among other things, affect the statutory health insurance funds, as well as Section 4 para. 3 of the Digital Health Applications Ordinance (DiGAV) for digital health applications.

On the one hand, Section 393 SGB V expressly clarifies that health insurance funds, nursing care insurance funds, doctors and the like may use the cloud for the processing of social and health data. On the other hand, in addition to the place of data processing (see above), it also imposes additional requirements, including that the cloud provider has a branch in Germany and a current C5 certificate.

Public Sector

Public authorities are also increasingly relying on cloud solutions. In this context, it is not only the requirements of the applicable public procurement law that must be observed. We support you in drafting contracts and in legal matters concerning the relevant topics, such as data protection, information security and protection of secrets.

Among other things, administrative regulations, special state laws and the German Act on the Federal Office for Information Security (BSIG) must be observed. In particular, federal administrative bodies within the meaning of Section 8 para. 1 BSIG must implement the binding minimum standards of the Federal Office for Information Security for the use of external cloud services.

The EVB-IT Cloud contract terms have been available since 2022. In our experience, public clients and their providers have had mixed experiences with them so far. Regardless of whether you are a client or a provider, we can help you to implement the EVB-IT Cloud optimally and to use the available freedom in such a way that the cloud contract is also practical. Where permissible, however, it may also make sense to refrain from using the EVB-IT Cloud and to use the customer’s or provider’s own templates instead. Aitava is your competent partner for the design and negotiation of cloud contracts in all situations.

Cloud? Best with Aitava!

We live and breathe cloud projects

A Partner on an Equal Footing

Cloud is our world. Aitava has specialists on its team who, thanks to their many years of working with the world’s leading cloud provider, understand exactly what the cloud is and how it works. We understand the technology and processes because we have followed them “from the inside”. We don’t just look at a cloud project through legal glasses, but always from the perspective of ops teams and other stakeholders. Whether it’s contract terms, service descriptions, SLAs or information security documents, we are available to all your teams as a sounding board. Do you have questions about the division of responsibilities between customer and provider? Do you need a lawyer with whom your team can discuss the details of the availability regulation (measuring point, measuring period, measuring parameters, SLA reporting)? Aitava speaks the language of your business and provides you with comprehensive support in creating and negotiating cloud contracts.

Commercial Design

The commercial models in the cloud are as diverse as the types of services provided in the cloud. For example, IaaS providers often charge based on resource consumption (processing power, storage space, data volume, etc.), while for SaaS the number of users is often relevant, but there are also other usage-based metrics. For long-term cloud contracts, a balanced price adjustment mechanism may also be relevant. Agreements on fixed purchase quantities or minimum fees in return for discounts and credits (reserved instances, savings plans, private pricing, consumption commitments, committed use discounts, etc.) are also of particular commercial importance. Our team has not only experienced and negotiated a wide range of pricing models in the role of external lawyers, but we also have first-hand in-house experience in designing such models.

Pragmatic, flexible and practice-oriented

A typical situation in cloud projects: the customer has individual needs and regulatory requirements, but the cloud is a one-to-many service with standardized features, processes and contractual conditions of the provider. Whether you are a customer or a provider, we help you avoid unnecessary frustration when designing and negotiating cloud contracts. We support you with our experience in deciding and arguing whether and at which point it is better to work with your own contract documents and when the documents of the contractual partner are the better way. Thanks to our extensive expertise, we have a realistic and practical understanding of the points at which individual designs and negotiations make sense and of those at which it is better to accept certain operational circumstances.

Ready to get ahead?

We pave the way for legally compliant cloud use.
