Page 91 - Cloud Migration Version 2012 English

3.3.3 Issues Of No Choice (Purchaser Perspective)
Data Protection Law  
There is much more to the term “data protection” than just regulation 
relating to personally identifiable information. Protection of business secrets 
etc. should also be discussed when referring to “data protection”.  
It is the purchaser of Cloud services that remains responsible for ensuring
compliance with data protection laws for data migrated into the Cloud. The
purchaser can shift responsibility to the Cloud services provider, but even if 
it does, its overall accountability remains.  
When determining what data protection rules apply in cross‐border data 
processing settings, the first question is that of which national data 
protection law applies. Data protection issues are governed by the relevant 
local data protection act, noting that data protection is subject to EU‐wide 
harmonisation. Currently, the EU Data protection directives provide for core 
rules, leaving national data protection laws in force while the national laws 
of member states implement these rules. However, in January 2012, the EU
Commission proposed to replace the national rules by one single regulation
on data protection.[42]
Within the EU framework of data protection, distinguishing data controllers 
and data processors, two main principles determine what data protection 
law applies: 
State of Residence: Under the European Data Protection Directive 
the "state of residence principle" applies. It states that European 
data protection law is applicable if the purchaser resides in the EU. 
Residence means having its registered offices or a (legally 
independent) subsidiary in the EU or the EEA. The relevant factor is 
thus always the purchaser and not the Cloud service provider. 
Territoriality Principle: The state of residence principle is not used
without restriction. On the contrary, in some constitutions a
"territoriality principle" applies. It states
that the location of where data is processed is relevant to 
determining the applicable jurisdiction. The territoriality principle 
applies if the legal entity is not domiciled in an EU member state. 
Accordingly, the national data protection law for the country in 
which the data are actually processed then applies. German data 

[42] An expanded version of this chapter can be found under