No DSGVO certification for cloud offerings

Dated 13.05.2020

A DSGVO certification for cloud offerings is still missing, to the annoyance of the associations eco and EuroCloud. Because the official mills grind so slowly, many cloud users would have to live with legal uncertainty.

eco - Verband der Internetwirtschaft e.V. and its affiliated association EuroCloud Deutschland criticise the legal uncertainty surrounding the use of cloud services. There is still no DSGVO certification for cloud offers recognised by supervisory authorities. Companies could not be sure whether the services they purchased complied with the requirements of the European Data Protection Regulation (GDPR/DSGVO). According to eco, there is no catalogue of criteria for checking cloud services - although the German Accreditation Body (DAkkS) has all the necessary documents. It is still unclear how long the examination of these documents will take and by when they will be released.

The responsible national and European authorities would have had almost four years to specify appropriate procedures for the recognition and accreditation of such procedures at national and European level and to provide the necessary resources. Andreas Weiss, Director of EuroCloud, cannot understand why this was not successful. He called on the responsible authorities in Germany to make every effort to enable the applicability of data protection certification for cloud services by mid-2020.

In the AUDITOR research project, an interdisciplinary team of scientists and companies has been working for more than two years on a DSGVO certification for cloud services, also involving the data protection supervisory authorities. No results are available yet. According to the associations, the first stage of the research project is a national data protection certification for Germany. This is to form the basis for the development of an EU-wide recognised data protection certification scheme. According to EuroCloud, this EU-wide regulation would be important for the implementation of the EU data strategy announced by the European Commission on 19 February 2020.

GAIA-X also depends on cloud certification

The uniform European legal framework of the DSGVO could thus become a competitive advantage on world markets. In the new GAIA-X initiative for federated infrastructure and data ecosystems, the topic of data protection is also of the highest relevance and must be based on reliable guidelines. According to Weiss, it is important that the processes for Europe-wide recognition of data protection certifications are better interlinked via the responsible national and European institutions and that clearer deadlines are set.

Henrik Hasenkamp, CEO and founder of the Cologne-based IaaS and PaaS specialist gridscale, strongly supports the associations' demands. "Uncertainty regarding the DSGVO remains very high," says Hasenkamp, who together with the law firm Heuking has published a free compendium on the legal risks involved in using international cloud services. He added that SMEs in particular are keen to receive information and practical assistance. "A data protection certification of cloud services in accordance with the DSGVO requirements would be a very important step here." gridscale expressly supports the EuroCloud initiative. "An EU-wide data protection certification would provide considerably more security and transparency for companies and would significantly advance the development of federated ecosystems such as GAIA-X."

The original article in German can be found here.