European Cloud Service Data Protection Certification

Regulating New Technologies in Uncertain Times

Part of the book series: Information Technology and Law Series (ITLS, volume 32)

Abstract

Cloud computing is both an economically promising and an inevitable technology. Nevertheless, some deployment models can be a source of risk in terms of the protection of personal data. The risks of data loss and data breach hold private entities back from using cloud services. Articles 42 and 43 of the EU General Data Protection Regulation (GDPR) provide a new auspicious framework for certification mechanisms to detect and to be able to minimize these risks. However, these articles do not specify any criteria for certification mechanisms and are also technology-neutral. To be implementable, the certification criteria ought to be defined and a transparent procedure needs to be established. An effective data protection certification mechanism can serve to build trust and resolve the existing uncertainties limiting the broader usage of cloud services: certification implies a presumption of conformity with regulatory standards, and may be seen as an indicator of quality, which can lead to a distinction on the market. This chapter will summarize the author’s research during her collaboration in the research project AUDITOR for the development of a catalogue of criteria according to the GDPR.

Notes

  1. EU Commission, Communication, COM 2012, 529, 27 September 2012, Unleashing the Potential of Cloud Computing in Europe, p. 2; ENISA, Report, 12/2012, Cloud Computing—Benefits, risks and recommendations for information security, p. 9, available via https://resilience.enisa.europa.eu/cloud-security-and-resilience/publications/cloud-computing-benefits-risks-and-recommendations-for-information-security. Last accessed 16 August 2018.
  2. See also Sect. 14.4.3.2 for a more detailed technical definition and description of cloud services.
  3. Gebauer et al. 2018, p. 59.
  4. Article 29 Working Group, Opinion 05/2012 Cloud Computing, WP 126, 1st July 2012, pp. 2, 6 et seq.; Pfarr et al. 2014, p. 5020.
  5. EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) has entered into force on 25 May 2016 and will take effect in all Member States as of 25 May 2018.
  6. European Cloud Service Data Protection Certification, funded by the Federal Ministry of Economic Affairs and Energy since 1st November 2017; the Ministry’s press release is available via https://www.digitale-technologien.de/DT/Redaktion/DE/Standardartikel/Einzelprojekte/einzelprojekte_auditor.html. Last accessed 16 August 2018.
  7. Schwartmann and Weiß 2018, Article 42, para 46.
  8. Kinast and Schröder 2012, p. 217.
  9. KPMG AG and Bitkom Research GmbH (eds.), Cloud-Monitor 2017, available via https://home.kpmg.com/de/de/home/themen/2017/03/cloud-monitor-2017.html. Last accessed 16 August 2018; Hoffmann, Regulation of Cloud Services under US and EU Antitrust, Competition and Privacy Laws, 2016, p. 67.
  10. Mitchell 2015, pp. 3 et seq.; Determann 2015, p. 120, para 6.13; ENISA, Report, 12/2012, Cloud Computing—Benefits, risks and recommendations for information security, pp. 14 et seq.; Article 29 Working Group, Opinion 05/2012 Cloud Computing, WP 126, 1 July 2012, pp. 2, 6 et seq.
  11. Article 29 Working Group, Opinion 05/2012 Cloud Computing, WP 126, 1st July 2012, pp. 2, 6 et seq.
  12. Schneider et al. 2016, p. 346.
  13. Hofmann and Roßnagel 2018, p. 39.
  14. Pfarr et al. 2014, p. 5023.
  15. Roßnagel 2011, pp. 263 et seq.
  16. Power 1996, p. 10.
  17. Hennrich 2011, p. 551.
  18. Borges and Brennscheidt 2012, pp. 67, 68; Pfarr et al. 2014, p. 5024.
  19. Article 83(2j) GDPR; Bergt 2016, p. 496; Lachaud 2018, p. 251.
  20. Hornung 2017, Article 42, para 10.
  21. Roßnagel 2011, p. 267.
  22. Hornung and Hartl 2014, p. 220.
  23. Hornung and Hartl 2014, p. 220.
  24. Hornung and Hartl 2014, p. 220.
  25. This view was also proposed in the GDPR draft of the European Parliament on 12 March 2014; see also Lachaud 2018, p. 245 with further references.
  26. Roßnagel et al. 2015, p. 459.
  27. ENISA Recommendations on European Data Protection Certification, Version 1.0, November 2017, p. 15, available via https://www.enisa.europa.eu/publications/recommendations-on-european-data-protection-certification. Last accessed 16 August 2018.
  28. ENISA Recommendations on European Data Protection Certification, Version 1.0, November 2017, pp. 17–18.
  29. Schultze-Melling 2013, p. 474.
  30. Bergt 2016, p. 496; Schäfer and Fox 2016, p. 744; Hofmann 2016, p. 05324; Hofmann and Roßnagel 2018, p. 106; Bergt 2017, Article 42, para 15; Roßnagel 2000.
  31. Weichert 2018, Article 42, para 11; Fladung 2018, Article 42, para 5; Loomans et al. 2014, pp. 22 et seq.; Lachaud 2018, p. 246.
  32. Bergt 2017, Article 42, para 1; Kamara and de Hert 2018, p. 8.
  33. Bergt 2017, Article 42, para 1; European Data Protection Board, Guidelines 1/2018, p. 5, no. 1.3.2 (para 11); Rodrigues et al. 2016, p. 1.
  34. Rodrigues et al. 2016, p. 1; Spindler 2016, p. 409; Martini 2016, p. 11.
  35. Lachaud 2018, pp. 245, 251.
  36. Spindler and Thorun 2015, p. 61; see also Baldwin et al. 2012, pp. 137 et seq.; for a general view of the characteristics of self-regulation.
  37. AUDITOR is funded by the Federal Ministry of Economic Affairs and Energy and started on 1 November 2017 with a duration of two years until October 2019—funding code: 01MT17003G.
  38. Batman et al. 2017; see also www.auditor-cert.de. Last accessed 16 August 2018.
  39. Flint 2017a, p. 171; De Hert and Papakonstantinou 2016, p. 184; and as already stated by Jaatun et al. 2014, p. 1005.
  40. Or the target of evaluation (ToE).
  41. Schäfer and Fox 2016, p. 746.
  42. Roßnagel et al., Policy Paper, National Implementation of the General Data Protection Regulation, p. 5, access available via https://www.forum-privatheit.de/forum-privatheit-de/publikationen-und-downloads/veroeffentlichungen-des-forums/positionspapiere-policy-paper/Policy-Paper-National-Implementation-of-the-GDPR_EN.pdf. Last accessed 16 August 2018.
  43. Hildebrandt and Tielemans 2013, p. 512.
  44. Article 2 GDPR, para 14.
  45. Roßnagel 2018, Article 2 GDPR, para 14.
  46. See also Jung 2018, p. 208; Loomans et al. 2014, pp. 22 et seq.; Fladung 2018, Article 42 GDPR, para 5.
  47. Martini 2018, Article 24 GDPR, pp. 39 et seq.; Tinnefeld and Hanßen 2018, Article 24 GDPR, para 24.
  48. Article 28 GDPR corresponds essentially to the former provision in § 11 Bundesdatenschutzgesetz (Federal Data Protection Act—2009).
  49. Article 29 Working Group, Opinion 05/2012 Cloud Computing, WP 126 (adopted on 1st July 2012), p. 10; Kramer 2018, Article 28, para 16; Niemann and Hennrich 2010, p. 687.
  50. Flint 2017a, p. 171; Flint 2017b, p. 125; UK Information Commissioner’s Office (ICO), Guidance on the use of cloud computing, p. 8: The ICO states that the provider of a public cloud needs to be classified as data controller according to data protection law, available via https://ico.org.uk/media/for-organisations/documents/1540/cloud_computing_guidance_for_organisations.pdf. Last accessed 16 August 2018.
  51. See also Batman 2018, p. 94.
  52. This view is also shared by the supervisory authority Unabhängiges Landeszentrum für Datenschutz (ULD) from Schleswig-Holstein, which at the time also contributed significantly to the criteria of EuroPriSe and is currently an associated partner in the project AUDITOR.
  53. Krcmar et al. 2018, § 1, para 24.
  54. Pfarr et al. 2014, p. 5018.
  55. Krcmar et al. 2018, § 1, para 24, 25.
  56. Pfarr et al. 2014, p. 5023.
  57. The National Institute of Standards and Technology (NIST), the standardisation centre of the USA, is part of the U.S. Department of Commerce. The document is available via https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf. Last accessed 16 August 2018.
  58. Federal Office of Information Security https://www.bsi.bund.de/EN/Topics/CloudComputing/Basics/Basics_node.html;jsessionid=E93272CC537E50C157BBE795D67E6F4A.1_cid351. Last accessed 16 August 2018.
  59. A more comprehensive differentiation between the service models (such as Communication as a Service, Storage as a Service, Network as a Service or E-Mail as a Service etc.) can also be found in DIN ISO/IEC 17788:2016-04, Annex A.
  60. Federal Office of Information Security https://www.bsi.bund.de/EN/Topics/CloudComputing/Basics/Basics_node.html;jsessionid=E93272CC537E50C157BBE795D67E6F4A.1_cid351. Last accessed 16 August 2018.
  61. Weichert 2018, Article 42 GDPR, para 47.
  62. Roßnagel 2000.
  63. IT Governance Privacy Team (ed.), EU General Data Protection Regulation (GDPR). An implementation and Compliance guide, 2nd edition (2017), pp. 159–162; see also Roßnagel 2000, pp. 76 et seq.—A data flow analysis for the purpose of the definition of a certifiable element is demonstrated here.
  64. IT Governance Privacy Team 2017, p. 161.
  65. Roßnagel 2000.
  66. Article 43(1) sentence 2 GDPR.
  67. Spindler and Thorun 2015, p. 61.
  68. Trusted Cloud Data Protection Profile (TCDP), TCDP v1.0, available via https://www.tcdp.de/index.php/dokumente. Last accessed 16 August 2018. The Trusted Cloud audit standard TCDP has emerged from the Technology Programme of the Federal Ministry for Economic Affairs and Energy in 2016.
  69. Article 37–39 GDPR.
  70. Article 33, 34 in conjunction with Article 28(3), sentence 2, lit. f GDPR.
  71. BSI, C5-Compliance Controls Catalogue (C5), available via https://www.bsi.bund.de/EN/Topics/CloudComputing/Compliance_Controls_Catalogue/Compliance_Controls_Catalogue_node.html. Last accessed 18 September 2018.
  72. Roßnagel et al. 2018.
  73. Article 42(7), sentence 1 GDPR.
  74. Article 42(7), sentence 2 GDPR.
  75. Article 43(1), sentence 2 GDPR.
  76. Regulation (EC) No 765/2008 of the European Parliament and of the Council (1) in accordance with EN-ISO/IEC 17065/2012.
  77. Article 43(a) GDPR.
  78. Article 43(b) GDPR.
  79. Article 43(c) GDPR.
  80. Article 43(d) GDPR.
  81. Article 43(e) GDPR.
  82. Article 43(6) sentence 1 GDPR.
  83. Article 43(6) sentence 2 GDPR.
  84. Weichert 2018, Article 43 GDPR, para 2.
  85. Spindler and Thorun 2015, p. 61.
  86. Bock 2016, Chapter 15, p. 335.
  87. Schäfer and Fox 2016, p. 744.
  88. Jentzsch 2012, p. 416; Schäfer and Fox 2016, p. 746.
  89. Kinast and Schröder 2012, p. 217; Weichert 2010, pp. 274–279.
  90. Hoffman 2016, p. 190.
  91. Buch et al. 2014, p. 68.
  92. Buttarelli 2016, p. 77.

References

  • Baldwin B, Cave M, Lodge M (eds) (2012) Understanding Regulation. Theory, Strategy and Practice, 2nd edn. Oxford University Press, USA

  • Batman AN (2018) Die Datenschutzzertifizierung von Cloud-Diensten nach der EU-DSGVO. In: Taeger J (ed) Rechtsfragen digitaler Transformationen – Gestaltung digitaler Veränderungsprozesse durch Recht. Tagungsband Herbstakademie 2018, OlWIR Oldenburger Verlag für Wirtschaft, Informatik und Recht, Edewecht, pp 87–101

  • Bergt M (2016) Die Bedeutung von Verhaltensregeln und Zertifizierungen nach der DSGVO. In: Taeger J (ed) Smart World - Smart Law? Weltweite Netze mit regionaler Regulierung. Tagungsband Herbstakademie 2016, OlWIR Oldenburger Verlag für Wirtschaft, Informatik und Recht, Edewecht, pp 483–489

  • Bergt M (2017) Art. 42. In: Kühling J, Buchner B (eds) DSGVO-Kommentar. C.H. Beck, Munich

  • Bock K (2016) Data Protection Certification: Decorative or Effective Instrument? Audit and Seals as a Way to Enforce Privacy. In: Wright D, De Hert P (eds) Enforcing Privacy, Chapter 15, Springer International Publishing, pp 335–356

  • Borges G, Brennscheidt K (2012) Rechtsfragen des Cloud Computing – ein Zwischenbericht. In: Borges G, Schwenk J (eds) Daten- und Identitätsschutz in Cloud Computing, E-Government und E-Commerce. Springer, Berlin/Heidelberg, pp 43–77

  • Borges G, Meents J (eds) (2016) Cloud Computing. Rechtshandbuch. C.H. Beck, Munich

  • Buch MS, Gebauer L, Hoffmann H (2014) Vertrauen in Cloud Computing schaffen - Aber wie? Wirtschaftsinformatik & Management, 03/2014, pp 67–77

  • Bundesamt für Sicherheit in der Informationstechnik (BSI) (2018) C5-Compliance Controls Catalogue (C5). Available via https://www.bsi.bund.de/EN/Topics/CloudComputing/Compliance_Controls_Catalogue/Compliance_Controls_Catalogue_node.html. Last accessed 16 August 2018

  • Burri M, Schär R (2016) The Reform of the EU Data Protection Framework: Outlining Key Changes and Assessing Their Fitness for a Data-Driven Economy. Journal of Information Policy, Vol. 6 (2016), pp 479–511, available via http://www.jstor.org/stable/10.5325/jinfopoli.6.2016.0479. Last accessed 16 August 2018

  • Buttarelli G (2016) The EU GDPR as a clarion call for a new global digital gold standard. International Data Privacy Law, 2016, Vol. 6, No. 2, pp 77–78

  • De Hert P, Papakonstantinou V (2016) The new General Data Protection Regulation: Still a sound system for the protection of individuals? Computer Law & Security Review, 2016, Vol. 32, pp 179–194

  • Determann L (2015) Determann’s Field Guide to Data Privacy Law. International Corporate Compliance, 2nd edn. Edward Elgar Publishing Ltd

  • ENISA (2012) Cloud Computing - Benefits, risks and recommendations for information security. Report

  • ENISA (2017) ENISA Recommendations on European Data Protection Certification Version 1.0, November 2017, p 15, available via https://www.enisa.europa.eu/publications/recommendations-on-european-data-protection-certification. Last accessed 16 August 2018

  • European Commission (2012) Communication from the Commission to the European Parliament, the Council, the ECOSOC and the Committee of the Regions, COM 2012, 529, 27 September 2012, Unleashing the Potential of Cloud Computing in Europe, available via http://ec.europa.eu/transparency/regdoc/rep/1/2012/EN/1-2012-529-EN-F1-1.Pdf. Last accessed 16 August 2018

  • Fladung A (2018) In: Wybitul T (ed) (2018) Handbuch EU-Datenschutz-Grundverordnung. Fachmedien Recht und Wirtschaft, dfv Mediengruppe Frankfurt am Main, Commentary of Art. 42 GDPR

  • Flint D (2017a) Sharing the Risk: Processors and the GDPR. Business Law Review, 2017, Vol. 38, pp 171–172

  • Flint D (2017b) Storms ahead for Cloud Service Providers. Business Law Review, 2017, Vol. 38, pp 125–126

  • Forum Privacy and Self-Determined Life in the Digital World (ed) (2018) Policy Paper, National Implementation of the General Data Protection Regulation, Challenges - Approaches - Strategies, available via https://www.forum-privatheit.de/forum-privatheit-de/publikationen-und-downloads/veroeffentlichungen-des-forums/positionspapiere-policy-paper/Policy-Paper-National-Implementation-of-the-GDPR_EN.pdf. Last accessed 16 August 2018

  • Gebauer L, Söllner M, Leimeister JM (2018) Vertrauensproblematiken im Cloud-Computing-Umfeld. In: Krcmar H, Leimeister JM et al. (eds) Cloud-Services aus der Geschäftsperspektive. Springer Fachmedien Wiesbaden, pp 59–69

  • Hennrich T (2011) Compliance in Clouds. Datenschutz und Datensicherheit in Datenwolken. Computer & Recht (CR), Vol. 8/2011, pp 546–552

  • Hildebrandt M, Tielemans L (2013) Data protection by design and technology neutral law. Computer Law & Security Review, Vol. 29 (2013), pp 509–521

  • Hoffmann SG (2016) Regulation of Cloud Services under US and EU Antitrust, Competition and Privacy Laws. Peter Lang GmbH, Internationaler Verlag der Wissenschaften, Frankfurt am Main

  • Hofmann JM (2016) Zertifizierungen nach der DS-GVO. In: ZD-Aktuell 2016, 05324 (online-resource)

  • Hofmann JM, Roßnagel A (2018) Rechtliche Anforderungen an Zertifizierungen nach der DSGVO. In: Krcmar H, Eckert C et al. (eds) Management sicherer Cloud-Services. Springer Fachmedien Wiesbaden, pp 101–112

  • Hornung G (2017) Art. 42. In: Auernhammer H (ed) DSGVO BDSG Kommentar, 5th edn. Carl Heymanns Verlag, Cologne

  • Hornung G, Hartl K (2014) Datenschutz durch Marktanreize – auch in Europa? - Stand der Diskussion zu Datenschutzzertifizierung und Datenschutzaudit. Zeitschrift für Datenschutz (ZD) 2014, pp 219–225

  • Horwitz J (1982) The History of the Public/Private Distinction. University of Pennsylvania Law Review, Vol. 130, No. 6 (1982), pp 1423–1428, available via http://www.jstor.org/stable/3311976. Last accessed 16 August 2018

  • IT Governance Privacy Team (eds) (2017) EU General Data Protection Regulation (GDPR). An Implementation and Compliance Guide, 2nd edn.

  • Jaatun MG, Pearson S, Gittler F, Leenes R (2014) Towards Strong Accountability for Cloud Service Providers. IEEE 6th International Conference on Cloud Computing Technology and Science, pp 1001–1006

  • Jarass H (2018) Art. 8. In: Jarass H, Pieroth B (eds) Grundgesetz für die Bundesrepublik Deutschland: GG, Kommentar. C.H. Beck, Munich

  • Jentzsch N (2012) Was können Datenschutz-Gütesiegel leisten? Wirtschaftsdienst 2012, pp 413–419

  • Jung A (2018) Datenschutz-(Compliance-)Management-Systeme – Nachweis- und Rechenschaftspflichten nach der DSGVO. ZD (Zeitschrift für Datenschutz), 2018, pp 208–213

  • Kamara I, de Hert P (2018) Data Protection Certification in the EU: Possibilities, Actors and Building Blocks in a Reformed Landscape. In: Rodrigues R, Papakonstantinou V (eds) Privacy and Data Protection Seals. T.M.C. Asser Press, The Hague

  • Kinast K, Schröder M (2012) Audit & Rating: Vorsprung durch Selbstregulierung. Datenschutz als Chance für den Wettbewerb. ZD (Zeitschrift für Datenschutz), 2012, pp 207–210

  • Koops BJ (2008) Should ICT Regulation be Technology-Neutral? In: Koops BJ, Lips M et al. (eds) Starting Points for ICT Regulation. Deconstructing Prevalent Policy One-Liners. IT & Law Series Vol. 9, T.M.C. Asser Press, The Hague, pp 77–108

  • Krcmar H, Eckart C et al. (eds) (2018) Management sicherer Cloud-Services. Entwicklung und Evaluation dynamischer Zertifikate. Springer Fachmedien, Wiesbaden

  • Lachaud E (2018) The General Data Protection Regulation and the rise of certification as a regulatory instrument. Computer Law & Security Review 34, 2018, pp 244–256

  • Loomans D, Matz M, Wiedemann M (eds) (2014) Praxisleitfaden zur Implementierung eines Datenschutzmanagementsystems. Ein risikobasierter Ansatz für alle Unternehmensgrößen. Springer Fachmedien, Wiesbaden

  • Martini M (2018) In: Paal BP, Pauly AD (eds) Beck’sche Kompakt-Kommentare. Datenschutz-Grundverordnung, Article 24 GDPR. C.H. Beck Verlag, Munich

  • Martini M (2016) Do it yourself im Datenschutzrecht. NVwZ – Extra 6/2016, pp 1–10

  • Mitchell C (2015) Privacy, Compliance and the Cloud. In: Zhu/Hill/Trovati (eds) Guide to Security Assurance for Cloud Computing. Springer International Publishing, pp 3–14

  • Niemann F, Hennrich T (2010) Kontrollen in den Wolken? Auftragsdatenverarbeitung in Zeiten des Cloud Computing. Computer & Recht (CR) 10/2010, pp 686–692

  • Pfarr F, Buckel T, Winkelmann A (2014) Cloud Computing Data Protection – A Literature Review and Analysis. 2014 47th Hawaii International Conference on System Science, pp 5018–5027

  • Power M (1996) The audit explosion. Demos. White Dove Press, London, available via https://www.demos.co.uk/files/theauditexplosion.pdf. Last accessed 16 August 2018

  • Rodrigues R, Barnard-Wills D, De Hert P, Papakonstantinou V (2016) The future of privacy certification in Europe: An exploration of options under article 42 of the GDPR. International Review of Law 2016, Computers & Technology, available via http://dx.doi.org/10.1080/13600869.2016.1189737. Last accessed 16 August 2018

  • Rodrigues R, Wright D, Wadhwa K (2013) Developing a privacy seal scheme (that works). International Data Privacy Law, 2013, Vol. 3, No. 2, pp 100–116

  • Roßnagel A (2000) Datenschutzaudit. Konzeption. Durchführung. Gesetzliche Regelung. Vieweg, Braunschweig

  • Roßnagel A (2011) Datenschutzaudit - ein modernes Steuerungsinstrument. In: Hampel L, Krasmann S, Bröcking U (eds) Sichtbarkeitsregime. Überwachung. Sicherheit und Privatheit im 21. Jahrhundert, pp 263–280

  • Roßnagel A (2018) Art. 2. In: Simitis S, Hornung G, Spiecker gen., Döhmann I (eds) Datenschutzrecht – DSGVO mit BDSG, Großkommentar. Nomos, Baden-Baden

  • Roßnagel A (ed) (2018) Das neue Datenschutzrecht. Europäische Datenschutz-Grundverordnung und deutsche Datenschutzgesetze. Nomos, Baden-Baden

  • Roßnagel A, Nebel M, Richter P (2015) Was bleibt vom Europäischen Datenschutzrecht? - Überlegungen zum Ratsentwurf der DS-GVO. ZD 2015, pp 455–460

  • Roßnagel A, Sunyaev A, Batman A et al. (2017) AUDITOR: Neues Forschungsprojekt zur Datenschutz-Zertifizierung von Cloud-Diensten nach der DS-GVO. ZD-Aktuell 2017, 05900 (online-resource)

  • Roßnagel A, Sunyaev A, Batman A, Lins et al. (2018) AUDITOR-Kriterienkatalog, draft version v.07, research contribution 4 June 2018, available as a technical report via https://publikationen.bibliothek.kit.edu/1000083222. Last accessed 16 August 2018

  • Schäfer C, Fox D (2016) Zertifizierte Auftragsdatenverarbeitung. Das Standard-ADV-Model. Datenschutz und Datensicherheit (DuD), 2016, Vol. 11, pp 744–748

  • Schneider S, Sunyaev A et al. (2016) Entwicklung eines Kriterienkatalogs zur Zertifizierung von Cloud Services. In: Krcmar H, Leimeister JM et al (eds) Cloud-Services aus der Geschäftsperspektive. Springer Fachmedien, Wiesbaden, pp 337–349

  • Schultze-Melling J (2013) Datenschutz. In: Bräutigam P (ed) IT-Outsourcing und Cloud-Computing. Eine Darstellung aus rechtlicher, technischer, wirtschaftlicher und vertraglicher Sicht, 3rd edn. Erich Schmidt Verlag GmbH & Co., Berlin

  • Schwartmann R, Weiß S (2018) In: Schwartmann R, Jaspers A, Thüsing G, Kugelmann D (eds) Heidelberger Kommentar. DS-GVO/BDSG. C.F. Müller, Heidelberg

  • Semmelmann C (2012) Theoretical Reflections on the Public-Private Distinction and their Traces in European Union Law. Oñati Socio-legal Series (online), 2012, Vol. 2 (4), pp 25–59, available via http://ssrn.com/abstract=2016077. Last accessed 16 August 2018

  • Siemen B (2006) Datenschutz als europäisches Grundrecht. Duncker und Humblot, Berlin

  • Spindler G (2016) Selbstregulierung und Zertifizierungsverfahren nach der DS-GVO. Reichweite und Rechtsfolgen der genehmigten Verhaltensregeln. ZD 2016, p 407

  • Spindler G, Thorun C (2015) Eckpunkte einer digitalen Ordnungspolitik. Politikempfehlungen zur Verbesserung der Rahmenbedingungen für eine effektive Ko-Regulierung in der Informationsgesellschaft, available via https://sriw.de/images/pdf/Spindler_Thorun-Eckpunkte_digitale_Ordnungspolitik_final.pdf. Accessed 15 August 2018

  • Stone CD (1982) Corporate Vices and Corporate Virtues: Do Public/Private Distinctions Matter? University of Pennsylvania Law Review, 1982 Vol. 130, No. 6, pp 1441–1509, available via http://www.jstor.org/stable/3311978. Last accessed 16 August 2018

  • Tinnefeld C, Hanßen C (2018) In: Wybitul T (ed) (2018) Handbuch EU-Datenschutz-Grundverordnung. Fachmedien Recht und Wirtschaft, dfv Mediengruppe Frankfurt am Main, Commentary of Article 24 GDPR

  • van der Sloot B, Broeders D, Schrijvers E (2016) Exploring the boundaries of Big Data. Amsterdam University Press

  • Weichert T (2010) Datenschutzzertifizierung – Vorteile für Unternehmen. ITK-Kompendium 2010, pp 274–279

  • Weichert T (2018) Art. 4. In: Däubler et al. (eds) EU-Datenschutz-Grundverordnung und BDSG-neu. Kompaktkommentar. Bund-Verlag, Frankfurt am Main

  • Werner F (1959) Verwaltungsrecht als konkretisiertes Verfassungsrecht. DVBl, 1959, pp 527–533

  • Wybitul T (ed) (2018) Handbuch EU-Datenschutz-Grundverordnung. Fachmedien Recht und Wirtschaft, dfv Mediengruppe, Frankfurt am Main

Correspondence to Ayşe Necibe Batman.

Copyright information

© 2019 T.M.C. Asser press and the authors

About this chapter

Cite this chapter

Batman, A.N. (2019). European Cloud Service Data Protection Certification. In: Reins, L. (eds) Regulating New Technologies in Uncertain Times. Information Technology and Law Series, vol 32. T.M.C. Asser Press, The Hague. https://doi.org/10.1007/978-94-6265-279-8_14

  • DOI: https://doi.org/10.1007/978-94-6265-279-8_14

  • Publisher Name: T.M.C. Asser Press, The Hague

  • Print ISBN: 978-94-6265-278-1

  • Online ISBN: 978-94-6265-279-8

  • eBook Packages: Law and Criminology (R0)
