The collection, processing and use of personal data is only permitted under German data protection law if it is permitted or ordered by a legal provision or if a data subject has given their consent (Section 4 BDSG).
In this context, it should be noted, particularly for group companies, that the transfer of data between companies is only permitted under strict conditions; in this respect, group companies are fully subject to the requirements of data protection law.
However, the legislator has provided for a solution which, under certain conditions, dispenses with the general prohibition with reservation of permission. If the provider and user agree on commissioned data processing within the meaning of Section 11 BDSG, the actual transfer of data from the user to the provider and the other collection, processing and use of personal data is not subject to the prohibition.
However, it is important to ensure that the legal requirements for effective commissioned data processing are met. This is only the case if a written order data processing contract has been concluded between the parties, which in particular covers the ten points of Section 11 BDSG.
Within the EU, it should therefore be possible to make cloud computing permissible under data protection law , for example, if the relevant legal requirements are observed.