Seite 92 - Cloud Migration Version 2012 english

92 
protection law is for example applicable if a company registered 
outside of the EU/EEA deploys a SaaS provider with resources 
deployed in Germany.  
The rule/exception relationship (state of domicile/territoriality) relates to 
claims between private persons. Connection rules outside of the EU, such as 
in Switzerland, may take a different view. This can theoretically lead to 
different legal consequences depending on which side the problem is 
addressed from. However, solutions have been found in practical terms to 
allow contradictions to be overcome in individual cases. In case of dispute, 
the question with which of two possible jurisdictions a claim was filed first. 
The stated rule/exception relationship does not apply to connecting factors 
under public law (for example, duties to disclose to authorities or for 
criminal issues.  
Data protection law is public law and cannot be excluded by either party to 
an agreement in the scope of choosing a jurisdiction by agreeing a legal 
system that only envisages lesser data protection requirements.  
Data processing on commission  
Cloud service customers commission Cloud service providers to process data 
on their account. To the extent personally identifiable data are processed, 
the national data protection laws impose special requirements for this kind 
of data outsourcing. The respective rules are most relevant for Cloud 
computing services if the Cloud service user stores not only their own data 
into the Cloud. Under these rules, the purchaser of Cloud services remains 
the master of the data (and often is considered the data controller under EU 
terminology).  
That means that the customer of the Cloud services remains responsible for 
complying with the pertinent legal requirements.
43
Namely, it must have 
the appropriate compliance measures put in place (e.g. approval by the data 
protection commission, customer acquiescence). 
Additional Compliance Regulations  
Besides data protection laws, additional compliance regulations can 
influence the decision to migrate data into the Cloud. These are typically 
administrative regulations, duties to disclose, or industry‐specific 
regulations.  
43
An expanded version of this chapter can be found under