# IT OUTSOURCING AND MANAGED IT-SERVICES

Leupold Legal will support you in your outsourcing plans and ensure that legally secure and enforceable agreements are made to maintain your business continuity, information security and compliance.

## Type and scope of services

Detailed description of the services to be rendered by the service provider.

## Performance quality

Agreements on compliance with and measurement of defined key performance indicators (KPI) and auditing.

## Service Level Agreements

Ensuring that the services used can be flexibly adapted to seasonal changes or changes in your requirements depending on business development.

## Information security

Adequate protection against threats to data integrity and confidentiality as well as compliance with legal requirements for cyber resilience and cybersecurity.

## Data portability

Prevention of vendor lock-in through clear agreements on data portability and data provision when changing providers.

## Protection of trade secrets

Protection of confidential business information through appropriate technical and organizational measures to ensure confidentiality and protection against unauthorized access in the cloud.

## GDPR and Federal Data Protection Act compliance

Compliance with legal requirements for processing personal data in the cloud.

## Term and termination

Avoidance of excessive contract durations and protection against premature termination of your contract.

## FAQ on IT Outsourcing and Managed IT Services

First and foremost, outsourcing IT to a cloud service provider requires compliance with the EU General Data Protection Regulation (GDPR). In most cases, this requires a data processing agreement (DPA) that stipulates adequate technical and organizational measures by the service provider to ensure the confidentiality, integrity, and availability of processed data. The DPA must stipulate that the relevant data will only be processed by the service provider based on the controller’s instructions. Furthermore, processing health and other sensitive data may require the prior informed and voluntary consent of the data subjects.

Yes, health care professionals, lawyers, and tax advisors are bound by special statutory obligations to keep patient or client data confidential. Therefore, they must ensure that data processors, such as cloud service providers and settlement centers, are contractually obligated to keep this data confidential. Failure to comply with this duty may result in criminal prosecution and other consequences, such as cease-and-desist orders and damage claims from data subjects.

Personal data processed in the cloud is typically stored on multiple virtual or physical servers and transmitted, either partially or entirely, to various data centers, which are often located around the world. Transferring personal data to third countries outside the European Union requires appropriate safeguards, such as approved Standard Contractual Clauses or adequacy decisions by the European Commission.

The ongoing effectiveness of these safeguards in the destination countries should be examined before the transfer is initiated, as well as whether additional measures are necessary. Even when data is processed solely within the European Union, it is important to clarify whether the cloud service provider is required to comply with data access requests from foreign authorities.

In a landmark case involving the “scraping” of telephone numbers from Facebook user profiles and their subsequent disclosure to third parties, the German Federal Supreme Court ruled that the temporary loss of control over one’s personal data due to a GDPR breach can result in non-economic damages under Article 82 of the GDPR, for which the affected person can claim compensation from the data controller. According to this decision, the damage claim does not depend on any specific misuse of the data to the detriment of the data subject. No additional tangible negative consequences are required either.

Although this decision is not directly related to outsourcing IT services, it could affect such services in the event of GDPR infringements by the service provider. Therefore, any prior risk assessment of the disclosure of personal data when outsourcing IT and using external IT services should take this into account.

Much like software maintenance agreements, the service levels offered by the service provider should support an adequate level of business continuity, with minimal planned or unplanned interruptions to data access and availability.

To avoid the “lock-in effect” with a particular service provider, any outsourcing contract should adequately address data portability for both personal and non-personal data, independent of the data processing agreement. Similarly, to protect the interests of the service recipient, the contract term should not be disproportionately long. The technical and organizational measures that the service provider takes to ensure information security should be tailored to the sensitivity of the data processed and the necessary degree of confidentiality, integrity, and availability. ISO 27001 and 9001 certifications of the data processor are helpful, but they should not replace the commensurate auditing rights of the data controller.

Since outsourced IT is no longer managed in-house, it is less visible and cannot be controlled directly. This is an inherent challenge of outsourcing IT or services, so it must be addressed with agreed-upon measurable performance benchmarks that the service provider must meet, as well as spot checks by the principal who commissioned the outsourcing and/or managed IT services. Failure to reach the agreed-upon performance metrics should entail special termination rights for the customer and may trigger contractual penalties or reductions in service fees. These measures should be agreed upon in writing, ideally in a service quality assurance agreement.

AI can make managed IT services more efficient and affordable for small and medium-sized companies, as well as more cost-effective for large organizations. Nevertheless, it is crucial to ensure that personal and sensitive data, such as design data for new products, business secrets, and proprietary information, is not used by the service provider to train and/or improve AI systems. Additionally, integrating AI into managed IT services should not adversely affect service quality, but rather maintain or improve it.

Please note that these answers to frequently asked questions do not constitute legal advice and are not a substitute for legal advice. If you need legal advice on specific issues, please contact us.

T +49(0) 89 64 95 65 63

Are you planning to outsource your IT? Have your IT outsourcing contracts checked and made legally watertight.