Contributed By Luther Rechtsanwaltsgesellschaft mbH (Cologne)
Cloud computing (the outsourcing of in-house computing processes to external service providers) is already being used by numerous financial institutions, particularly in the banking sector. Because this involves the outsourcing of sensitive information processing, financial service providers must not only comply with the legal requirements of the GDPR; in the banking sector, §25a of the German Banking Act (KWG) and §17 of the German Money Laundering Law (GWG) must also be observed. These provisions contain obligations under banking supervisory law to introduce more precisely defined security systems that guarantee security when outsourcing sensitive information processes. For IT security, a proper business organisation must be in place, in particular appropriate and effective risk management. Another legal source for the protection of information technology is the IT Security Act (BSIG). According to §8a paragraph 1 S1 of the BSIG, operators of critical infrastructure must take appropriate organisational and technical precautions to avoid disruptions to the availability and confidentiality of their information technology systems. Infrastructure from sectors such as energy, finance and insurance, as well as information technology and telecommunications, is regarded as potentially critical.
Apart from those relating to outsourcing in the supply chain or logistics, a number of sector-specific legal restrictions establish specific measures to be obeyed by the provider, for example in the storage of food or medicine. Since customers remain responsible for any non-compliance by the outsourcing provider, it is of utmost importance to include such measures in the contract.