Get started

Privacy in the Cloud
This is What Companies and Employees Must Consider


Table of Contents

  1. What Forms the Basis for Privacy in Germany?
  2. What is Meant by Data Protection?
  3. Why is Privacy Important?
  4. Who Audits Privacy?
  5. How is Data Protection Regulated in Germany?
  6. How Can You Protect Your Data?
  7. What is the Difference Between Data Protection and Data Security?
  8. How Does Data Security Work in Companies and How Can It Be Guaranteed?
  9. Why is IT Security Important for Companies?




What Forms the Basis for Privacy in Germany?

Privacy in Germany is mainly shaped by the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). In Germany, all data protection principles are regulated in the so-called EU General Data Protection Regulation (GDPR). It is a binding data protection law for all persons and companies living or having their headquarters in Germany or Europe. The new General Data Protection Regulation came into force on May 24, 2016. Since May 25, 2018, all data protection measures contained therein have been bindingly applicable in the respective member states. This means that the EU General Data Protection Regulation also applies before the respective national law.

Excursus: Privacy and Privacy Laws in the USA

In comparison to Germany and Europe, there is no comprehensive and generally applicable data protection law in the USA. Here, different laws apply for different areas, for example, for the health care system, the financial sector or for the economic and trade sector. In the USA, data protection is part of consumer protection law and thus represents a part of economic life. In Germany and Europe, on the other hand, personal data is simply one of the fundamental rights of every citizen. Many German and European IT decision-makers therefore underestimate the impact of the CLOUD Act (Clarifying Lawful Overseas Use of Data Act), which also came into force in 2018. This law stipulates that data that is not physically stored in the USA but is managed by US companies must be transferred without a prior decision by a judge. And it is precisely this provision that makes the CLOUD Act completely at odds with the GDPR. The regulations apply to almost all data that is in the custody, control or ownership of a company. Not only personal data is affected, but also patents, company-related evaluations and data, but also measurement and telemetry data and thus all data that is normally specially protected.

In Germany, the focus is on protecting the basic rights and freedoms of natural persons to a special degree - above all the right to informational self-determination. Above all, the regulation will strengthen consumer rights. In particular, data processing agencies must adhere to very strict regulations, because in order to be allowed to process particularly sensitive personal data, the prior consent of the person concerned must be obtained.

German companies with more than 10 employees must appoint a data protection officer. The same applies in other EU countries with 20 or more employees. But especially companies that are mainly involved in the collection and processing of personal data (regardless of the size of the company) require a data protection officer.

There are exceptions for small businesses: This is the case if only nine or fewer employees are regularly entrusted with the processing of personal data. In this case, you as the managing director can take over the data protection yourself. Incidentally, the number of employees is not determined by whether they are full-time, part-time or freelance. Here, each person is fully evaluated. A data protection officer can be an employee of the company, but can also be appointed externally. He must be able to prove his expertise in data protection through appropriate training, e.g. at the Chamber of Industry and Commerce. You are also obliged to publish the contact details of the data protection officer on your website. You should therefore avoid potential conflicts of interest in advance that could call into question the reliability of the representative.

In general, the further processing of data depends on the respective purpose. This means that personal data that has been collected may not be used for other purposes and that each process of data use must be transparent and comprehensible. In the meantime, the scope of application also applies to companies from third countries as soon as data of EU citizens are involved. According to the law, consent to processing must be given actively - for example, by checking a box on a website. If different data processing operations are planned, consent must be given separately for each individual operation. It must be possible for the data subject to revoke this consent at any time in a simple and comprehensible manner without further explanation.

It must also be possible for the data subject to actively object to a single purpose of data processing. Apart from this, contracts may no longer be made dependent on whether consent to data processing has been given, in accordance with the so-called prohibition of coupling. The General Data Protection Regulation also stipulates that in the course of the right of access, information on the respective legal basis of the processed and collected data, as well as the duration of the storage or its criteria, must also be stated.

Companies must also be in a position to transfer the data of a data subject in a portable yet secure format directly to a third party upon request. If data has been passed on to a third party, public and non-public bodies must contact the respective contact persons and inform them of the incorrectness in the event of an obligation to delete incorrect or outdated data.

If errors or breakdowns occur, data subjects may claim corresponding damages from the data processor. In the event of data protection violations, the Federal Data Protection Act (BDSG) provides for a fine of up to 300,000 euros or up to 2 years imprisonment. In turn, the sanctions in the EU General Data Protection Regulation (EU-GDPR) can result in a fine of up to 4% of the worldwide company turnover or up to 20 million euros.




What is Meant by Data Protection?

The term "data protection" refers to protection against the improper processing of personal data and protection of the right to informational self-determination: Each individual can decide in principle what personal data he or she discloses and whether it may be used.

Protection of personal data is required when responsible bodies process personal data in accordance with the General Data Protection Regulation. Data protection is generally about protecting information that is not intended for the general public. Personal data are in particular private and personal data that allow conclusions to be drawn about a person. It is therefore mainly contact data such as name, telephone number, address, e-mail address, date of birth, but also the IP address.

Data protection is therefore understood to mean the protection of the right of personality according to Articles 1 and 2 of the German Law when processing data and the protection of the individual's own privacy. Violations of data protection are punishable by fines of up to EUR 20 million or 4% of the worldwide annual turnover of the responsible body. A prison sentence of up to 3 years is also possible.




Why is Privacy Important?

With the help of privacy, personal data can be protected against data misuse. Such protection is playing an increasingly important role, especially in the context of progressive digitization.

For example, the data of participants in a competition organized by the German AOK health insurance company was used for advertising purposes, even though they had not consented to its use for marketing measures. Although the health insurance company had attempted to use technical and organizatory The responsible state authority then imposed a fine of 1.24 million euros.

There can also be serious consequences for those affected if, for example, their private e-mail address becomes known and details of their own medical history or chat histories of private conversations that are worthy of protection are made publicly accessible. The same naturally applies to sensitive bank data. In the course of digitization, data protection has gained enormously in importance, especially because, for example, surfing behavior can also lead to the collection of a large amount of data and thus information about the user behavior of third parties.




Who Audits Privacy?

Compliance with privacy is monitored by the relevant supervisory authority. For companies, this means that the respective data protection commissioners of the federal states assume this task. In addition, the data protection officer is to act as an independent authority within the company to ensure compliance with the regulations. In this way, he or she also assumes a control function that would actually also be the responsibility of the supervisory authorities. Data protection violations are now also assigned to consumer protection, among other things because they also have legal relevance. For this reason, violations can also be punished by consumer protection organizations or any competitors by means of warnings.

In general, however, data protection is a matter for the boss, which means that the managing director of a GmbH must also ensure that data protection is observed. Since the EU-GDPR came into force, he is also liable for the alleged mistakes of his employees. In the course of this, the person responsible also has the burden of proof or the duty to prove that he or she has followed all rules. To obtain an independent assessment, companies can undergo a so-called data protection audit. Suitable auditors are arranged, for example, through the Federal Association of Data Protection Officers in Germany (BvD) and the German Association for Data Protection and Data Security (GDD).

Excursus: How can you report a violation of the GDPR?

If you are affected as a person, please contact the company's data protection officer. If the responsibility lies in the non-public sector, the relevant country-specific supervisory authority is responsible. Each federal state has a state commissioner for data protection. For public institutions at federal level, responsibility lies with the Federal Commissioner for Data Protection and Freedom of Information. If you as a company are affected, the report is made in the federal state in which the violation occurred. There are forms for this case on the websites of the respective supervisory authorities of the federal states.




How is Data Protection Regulated in Germany?

In Germany, the General Data Protection Regulation applies as described above. Data protection law is derived from the right to informational self-determination. It stipulates that everyone is basically free to decide for themselves how their personal data is to be handled. The term "personal data" plays a central role in data protection law. Only when data is related to a person (e.g. name, birthday, address, email address, IP address or bank account details) does data protection law apply.

The most important principles of data protection law include:

  • Prohibition with reservation of permission 
    Data may only be handled if there is a legal basis for this or if the person concerned has given his or her consent.
  • Lawful processing in good faith, transparency 
    Data processing must be lawful, fair and transparent for the data subject.
  • Purpose limitation
    Data that has been collected or stored for a specific purpose may also only be used for this purpose.
  • Data minimization 
    According to the principle of data minimization, personal data must be adequate and relevant to the purpose. The data must be limited to what is necessary for the processing.
  • Memory limitation 
    Once the intended purpose has been achieved, the data must be deleted.
  • Correctness of the data 
    The data collected and processed must be factually correct and up-to-date.
  • Integrity and confidentiality 
    Personal data must be processed using appropriate technical and organizational measures in such a way that the data subject can be identified only for as long as necessary for the purpose of the data processing.
  • Accountability
    The person responsible in the sense of data protection law must be able to prove compliance with the above-mentioned principles.




How Can You Protect Your Data?

  • Cloud provider data protection - use a certified file service to store and manage your data
    It is essential that your cloud provider also sees privacy as an important issue. Make sure that you can store your data under maximum security precautions. Ideally, this should be a cloud-based data store from a certified provider that has client-side encryption. In this way, you have secure access to your personal data at any location. This is the only way to comply with the GDPR's data protection regulations for cloud computing.
  • Medical data and privacy
    Privacy plays an important role in the healthcare sector. Particularly when personal data, which also includes information on diseases and current findings, is involved, the utmost caution is required. If examination results, laboratory reports or extensive health data fall into the wrong hands, the damage is immense. However, modern and certified Enterprise File Services provide the basis for making data available securely and in real time at the places where it is needed (link to industry page "Health").
  • Rely on encrypted download shares
    Sending unsecured file attachments can cause great damage. It is not uncommon for email attachments to be hacked and sensitive data to fall into the wrong hands. The EU General Data Protection Regulation (GDPR) now also prohibits the sending of personal data as email attachments. You can create encrypted download shares using an add-in for email encryption. You can also limit the availability of all files or additionally secure them with a separate password.
  • Provide as little personal data as possible
    Think carefully about what information you want to provide.
  • Always read the privacy policy
    In general, everyone is bound by the data protection laws. Pay attention to what data is collected, processed and stored for what purpose.
  • Pay attention to the trustworthiness of the provider and a secure encryption
    Enter personal information only on trusted websites that have a secure https connection.
  • Use strong passwords
    A secure password consists of a combination of letters (upper and lower case), special characters and numbers. Make sure that you use each password only once and keep this password secret. Also helpful are special programs with which you can generate or manage secure passwords.
  • Optimize the security settings of your browser
    In your Internet browser you can make further settings to protect your data. Check them regularly and make sure that you have maximum security by regularly updating them.
  • Protect your devices
    You can protect the devices you use by installing appropriate security software, keeping it up-to-date and using only secure (encrypted) W-LAN connections. Use suitable anti-virus software on your computer and make sure you have a firewall.
  • Caution when using public computers
    Be especially careful if you use public computers, e.g. at school or in an Internet café. It is best not to use too sensitive data (such as bank details) on these devices. If you log in here on a website, make sure you remember to log out at the end. Use encrypted pages.
  • Ignore spam emails
    Do not answer any questions or state that you do not want to receive any more e-mails from this sender in the future. This would only confirm that your email address is a valid email - and the more spam you will receive later.
  • Avoid data theft through phishing emails
    Do not pass on bank or other access data on the Internet or by e-mail. If you are unsure, contact your house bank. Check your bank statements regularly for incorrect debits. On average, it takes 37 days to detect data misuse.
  • Do not open all attachments
    Don't click on unknown attachments from email messages - they could be spyware that spies on personal information on your computer or contain viruses.
  • Question your online behavior
    Be aware that all the data you post on the Internet is usually accessible worldwide and can be found via search engines.
  • Check the privacy settings in social networks
    You can use the privacy settings of applications to determine who can see what information about you and who can process it. For example, you can restrict that only actual friends can see all your posts.
  • Take action in case of privacy violations
    Take up if necessary with the national data protection authority or the consumer protection center (in German). If data is stolen, this is also a case for the police.
  • Use nicknames
    If possible, use anonymous nicknames instead of your real name. In social networks you could also use your middle name, for example.
  • Use multiple email addresses
    Create an email address with a free provider that does not allow any inferences to be drawn about you. Use this address to register on websites, post on blogs or participate in forums.
  • Delete your personal data
    Make sure that you delete all personal data before you sell a device (smartphone, tablet or PC).
  • Keep your eyes open when installing apps
    Before installing an app, check which data you authorize access to. Sometimes the most important information is hidden in the small print.

Data protection is easier than you think!

Get your 14-day trial of DRACOON with 5 users and 10 GB of highly secure cloud storage here and store, send and manage your files the safe way.







What is the Difference Between Data Protection and Data Security?

Data security protects against loss and manipulation. It plays a key role, especially in connection with company-specific data. It refers to all data that is used or processed in a company. It therefore also includes information about personal data. Classic examples include project data, company secrets, but also data from the human resources department. The regulations on data security are anchored in § 9 of the Federal Data Protection Act. Here, for example, it is stipulated that the protection of data must be ensured by technical and organizational measures.

Data protection serves, among other things, to protect the personal privacy of each citizen. It is an integral part of basic rights and personal rights and refers to the regulations that apply in connection with personal data. The corresponding legislation can be found in the Federal Data Protection Act and the data protection laws of the federal states. The data protection law states among other things that it is forbidden to collect and/or process data on persons without legal permission or consent.




How Does Data Security Work in Companies and How Can It Be Guaranteed?

It is important to take appropriate precautions to ensure that data in a company is actually protected against access by unauthorized persons, for example against loss, manipulation or unlawful processing. Among other things, it should be ensured that only authorized persons have access to the various information.

  • Deal with the basics of data protection and data security
    The decisive information is anchored in §9 BDSG.
  • Carry out a protection requirements analysis
    The result shows you what kind of protection is appropriate to protect the data in your company.
  • Data security in the cloud: Use a secure enterprise file service
    In principle, it makes sense to use a secure collaboration platform for data exchange or to make it available to employees. Today this can also be a business cloud solution. Because if it meets the above-mentioned criteria for data encryption, it is much more secure than many alternative ways in which companies exchange and store data - such as email attachments, file servers or the free cloud solutions frequently used by employees.
  • Ensure that only authorized people have access to data
    Use role-based permissions and customize access to sensitive data. For example, employees with administrator rights can view more data than an employee with read-only rights. Access controls are also very helpful.
  • Use logs
    Many companies don't even realize that they have become the victim of industrial espionage - at most when it is already too late and a new development in which a lot has been invested is suddenly offered elsewhere. Modern reporting tools record the inflow and outflow of data. This also makes it possible to trace which data has been stored or processed. You should check these tools regularly.
  • Data storage in certified data centers 
    In addition to data encryption, the location where the data is stored is also a security criterion. In contrast to data centers in the USA or other countries, data centers in Germany must be certified according to the ISO/IEC standard 27001, which guarantees a comprehensive information security management system.
  • Appoint a data protection officer
    In German companies with more than 10 employees, a data protection officer is mandatory. The same applies, however, if the activities of a company are mainly focused on the collection and processing of personal data. In general, a data protection officer can also be appointed externally. He is responsible for ensuring compliance with all guidelines and laws related to the protection of customer and company data.
  • Apply patches and updates regularly to protect your technical systems and close security gaps
    It sounds trivial, but it is still one of the most common vulnerabilities in companies, because if the patch update is overlooked on a single device, there is a security vulnerability; this also applies to mobile devices.
  • Make sure you have up-to-date virus and firewall protection
    Attacks by viruses, worms, Trojans and web apps are among the most common causes of data loss, especially in medium-sized companies. Therefore, consistently implemented updates on all devices, including mobile devices, are the basis of any security strategy.
  • Protect your data from ransomware
    Ransomware is the term used to describe insidious malicious programs that encrypt data and systems and thus render them unusable. Ransomware blocks the infected systems and computers until the demanded ransom ("ransom") is paid. An entire company can thus be paralyzed by the mistake of a single user. With DRACOON you will not lose a single file in a ransomware attack.
  • Evaluation of the IT of business partners 
    If joint infrastructures or solutions are used in cooperation with partners, networking creates risks that should be taken into account in the information strategy. Espionage attacks in particular often take place via the weaker infrastructure of business partners.
  • Increase data protection through IT security concepts
    IT security concepts have been defining our digital working world long before the EU General Data Protection Regulation came into force. They have a decisive influence on IT infrastructure and data protection. IT security concepts are central and important components of IT security management or Information Security Management System (ISMS). They describe defined security objectives, which are used to identify and evaluate risks.
  • Rely on secure encryption
    Encryption is a process and algorithm that converts data into an unreadable form using electronic codes or keys. With client-side encryption, the user encrypts his data with his own key and then transfers it to the server. The key that encodes the data never leaves the user's computer. There is therefore no possibility of decrypting the files on the server itself, as the key material is located on the client. Data and key material are therefore in two physically separate places. Thus, no third party, not even the platform operator, has access to the stored data.
  • Sensitizing employees to the topic of data protection
    One of the biggest and in many companies highly underestimated threats to sensitive data comes from their own employees. Many users are unaware of the security gaps they create, for example through inadequately secured mobile devices or by using insecure cloud solutions. Training and regular updates of security information for employees are therefore essential. This is also where management is needed.




Why is IT Security Important for Companies?

Today, IT security is more important than ever. Especially in times when everyone is online and almost all their life is closely connected to the Internet, data has become a highly sensitive and valuable asset. But if data falls into the wrong hands, the consequences can be fatal.

Therefore, companies in particular should make sure that they use suitable technical systems that support them in complying with the EU GDPR regulations and provide maximum protection for data. Failure to comply with these obligations can result in heavy fines. The catalog of fines in the GDPR provides for fines of up to 20 million euros. However, the supervisory authority may also impose fines of up to four percent of the worldwide annual turnover achieved in the last financial year as a fine. The higher of the two figures is decisive. In addition to the financial damage, however, the loss of reputation in the public eye and consequently with the customer is immense.

For adequate data protection, the following topics should also be considered.

Privacy Thanks to IT Security

The primary goal of IT security is to protect against risks that could result in financial damage. 

But nowadays, a company’s IT department can hardly be expected to guarantee the security of all of its IT systems by itself. This is why more and more services are being outsourced to the cloud. The advantage of this is that cloud service providers specialize in IT security. DRACOON is an expert in the field of cloud security and works day in and day out on further improving IT security in the cloud and helping users regain control over their data.

More about IT Security

Encryption Methods

Encryption refers to methods and algorithms that convert data into an indecipherable form using electronic codes or keys.

A variety of encryption methods exist, such as symmetric, asymmetric, and hybrid encryption methods. 

More about Encryption

Special Case: Due Diligence - More Stringent Privacy Requirements

Virtual data rooms offer the ability to share company data within the scope of due diligence, a process subject to more stringent privacy requirements. In this context, a company that is up for sale provides access to a comprehensive document management system, enabling prospective buyers and potential investors to gain a clear overview of all of the company’s relevant data and, if necessary, to collaborate on joint documents.

These mostly cloud-based data rooms must be secured by special measures, such as multi-factor user authentication, to prevent unauthorized access to the company’s files.

More about Due Diligence

Privacy through IT Security Concepts

IT security concepts have been shaping our digital work environment long before the EU’s General Data Protection Regulation came into force. They have a significant impact on the IT infrastructure and privacy.

End-to-end encryption plays just as important a role as modern access control mechanisms which ensure that internal and external employees only “see” the files they are allowed to see and require for their work.

More about IT Security Concepts

GDPR-Compliant Email Encryption via an Outlook Add-In

“I’ll e-mail you the contract as soon as we get off the phone” – everyone has heard this at least once. After all, e-mail is still the most popular way to send information and files.

But hardly anyone is aware that all of the information is sent in plain text.
This is particularly risky in a business context, as e-mails and e-mail attachments can be intercepted with relatively little effort. As a result, many companies are looking for a solution that allows them to send sensitive files via e-mail securely and in compliance with the GDPR.

More about Email Encryption

Ransonware Protection

Ransomware refers to malicious software that encrypts data and systems, making them unusable. Ransomware blocks the infected systems and computers until the owner pays the ransom demanded. This means that an entire company can be crippled as a result of a single user’s mistake. With DRACOON, you won’t ever lose a single file.

More about Ransomware Protection

Client-Side Encryption

When using client-side encryption, a user encrypts their data with their own key and then transfers the data to the server. In this process, the key that encrypts the data never leaves the user’s computer. As a result, it is impossible to decrypt the files on the server itself, as the key needed for this purpose is only saved on the client. In other words, the data and the key used to encrypt and decrypt it are saved in to two physically separate locations. This means that no third party, not even the platform operator, can access the saved data.

More about Client-Side Encryption

Get in Contact with Us

Do you have questions about privacy or would you like us to call you back? This contact form is the fastest way to reach us:

Would you like a personal conversation?
Then simply arrange an appointment with one of our experts by selecting a suitable date in the calendar here.