Cloud Computing

Cloud computing refers to the dynamic provision, use and billing of IT services via a network in line with demand. These services are offered and used exclusively via defined technical interfaces and protocols. The range of services offered as part of cloud computing covers the entire spectrum of information technology and includes infrastructure (e.g., computing power, storage space), platforms, and software. This is the definition of the German Federal Office for Information Security (BSI).

A cloud service is identified by five characteristic features. First, the on-demand self-service. This means that the provisioning of resources (e.g., computing power, storage) runs automatically without interaction with the service provider. Second, broad network access. This means that the services are available via the network using standard mechanisms and are not tied to a specific client. Third, resource pooling. This means that the provider’s resources are available in a pool from which many users can draw (multi-tenant model). Users do not know where the resources are located, but they can contractually specify the storage location, e.g. region, country or data center. Fourth, rapid elasticity. This means the services can be provisioned quickly and elastically, in some cases automatically. From the user’s point of view, the resources therefore appear to be infinite. Fifthly, Measured Services. This means that resource utilization can be measured and monitored and also made available to cloud users on a measured basis.

Furthermore, according to the Cloud Security Alliance (CSA), a cloud service is determined by the following characteristics in addition to the elasticity and self-service mentioned above. Service oriented architecture (SOA) is one of the basic requirements for cloud computing. The cloud services are usually offered via a so-called REST API. In a cloud environment, many users share common resources, which must therefore be multitenant. Only the resources that have actually been used are paid for (pay per use model), although flat rate models can also exist.

Basically, a distinction can be made between three different categories of service models. With Infrastructure as a Service (IaaS), IT resources such as computing power, data storage or networks are offered as a service. A cloud customer buys these virtualized and highly standardized services and builds its own services on them for internal or external use. For example, a cloud customer can rent computing power, RAM and data storage and run an operating system with applications of his choice on them. With Platform as a Service (PaaS), a PaaS provider provides a complete infrastructure and offers the customer standardized interfaces on the platform that are used by the customer’s services. For example, the platform can provide multi-tenancy, scalability, access control, database access, etc. as a service. The customer has no access to the underlying layers (operating system, hardware), but he can run his own applications on the platform, for the development of which the CSP usually offers his own tools. In the case of Software as a Service (SaaS), all offers of applications that meet the criteria of cloud computing fall into this category. There are no limits to the range of offerings. Examples include contact data management, financial accounting, word processing or collaboration applications.

In order to avoid a large number of potential problems, it is necessary to structure the relationship between the contracting parties in a way that is in line with their interests and to legally secure it already during the drafting of the contracts. Since many cloud computing service providers are based in non-European countries, the law firm also examines and draws up the necessary supplementary agreements to ensure compliance with data protection regulations.

Existing risks and dangers in the use of services in the area of cloud computing are also discussed with the contractual partners, weighed up and minimized where possible.

From the planning and implementation based on the needs of the company, organization or institution, to the signing of the necessary contracts, our law firm accompanies and assists you in all legal matters for a successful and safe use of cloud computing services.


Our law firm advises on cloud computing in the following areas:

  • Legal requirements for the cloud service
  • Assessment and mitigation of the legal and technical risks associated with the use of cloud services
  • Selection of applications and type of personal data for the cloud service
  • Recording and documentation of the data flow (data mapping, data workflow)
  • Selection of the appropriate cloud provider together with the cloud user
  • Compliance with technical and organizational measures for the cloud service
  • Encryption and decryption of data in the cloud
  • Migration of existing data to the data cloud
  • Change of cloud provider, support services
  • Creation, review and negotiation of cloud contracts (IT law)
  • Legal protection of the cloud service by drafting and signing the necessary data protection contracts, e.g., agreements on commissioned processing, EU standard data protection clauses
  • Apps for the use of data clouds for mobile devices (smartphone, iPad) and their legal classification