92
protection law is for example applicable if a company registered
outside of the EU/EEA deploys a SaaS provider with resources
deployed in Germany.
The rule/exception relationship (state of domicile/territoriality) relates to
claims between private persons. Connection rules outside of the EU, such as
in Switzerland, may take a different view. This can theoretically lead to
different legal consequences depending on which side the problem is
addressed from. However, solutions have been found in practical terms to
allow contradictions to be overcome in individual cases. In case of dispute,
the question with which of two possible jurisdictions a claim was filed first.
The stated rule/exception relationship does not apply to connecting factors
under public law (for example, duties to disclose to authorities or for
criminal issues.
Data protection law is public law and cannot be excluded by either party to
an agreement in the scope of choosing a jurisdiction by agreeing a legal
system that only envisages lesser data protection requirements.
Data processing on commission
Cloud service customers commission Cloud service providers to process data
on their account. To the extent personally identifiable data are processed,
the national data protection laws impose special requirements for this kind
of data outsourcing. The respective rules are most relevant for Cloud
computing services if the Cloud service user stores not only their own data
into the Cloud. Under these rules, the purchaser of Cloud services remains
the master of the data (and often is considered the data controller under EU
terminology).
That means that the customer of the Cloud services remains responsible for
complying with the pertinent legal requirements.
43
Namely, it must have
the appropriate compliance measures put in place (e.g. approval by the data
protection commission, customer acquiescence).
Additional Compliance Regulations
Besides data protection laws, additional compliance regulations can
influence the decision to migrate data into the Cloud. These are typically
administrative regulations, duties to disclose, or industry‐specific
regulations.
43
An expanded version of this chapter can be found under
