GERMANY

This content was last reviewed around April 2023.

Cloud Neutral

1. Are financial institutions legally permitted to use cloud services?

Yes, if the institution meets all the applicable legal requirements for the use of cloud services.

2. Are there any rules which apply to cloud use by financial institutions (e.g., rules regarding outsourcing or the use of cloud services)?

Yes.

Banking Act

The use of cloud services by banks and financial services providers (e.g., leasing and factoring companies, crypto custodians and crypto securities registrars) is subject to the rules on outsourcing, which are contained in Section 25b of the German Banking Act (Kreditwesengesetz ("KWG")) and are further detailed in Circular 10/2021 (BA) Minimum Requirements for Risk Management (Rundschreiben 10/2021 (BA) — Mindestanforderungen an das Risikomanagement ("MaRisk")) issued by the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht ("BaFin")) dated 16 August 2021, last updated on 4 May 2022.

Securities Institutions Act (Wertpapierinstitutsgesetz ("WpIG"))

Since 26 June 2021, the KWG no longer primarily regulates the supervision of investment firms; that role now falls to the WpIG. The KWG continues to regulate only certain large investment firms that provide investment services in the form of own account trading or underwriting and that are defined as Capital Requirements Regulation credit institutions.

The rules on outsourcing for investment firms (other than those that continue to be regulated under the KWG) are set out in Section 40 of the WpIG.

Further details on outsourcing are regulated in Articles 30 to 32 of Delegated Regulation (EU) 2017/565. Finally, some rules on outsourcing for investment firms can be found in Section 88 of the German Securities Trading Act (Wertpapierhandelsgesetz).

There is no detailed administrative guidance on risk management and outsourcing for investment firms licensed under the WpIG. The BaFin continues to apply the MaRisk in a proportionate manner to investment firms in the interim period, but it has stated that it intends to apply the European Securities and Markets Authority's Guidelines on Outsourcing to Cloud Service Providers of 10 May 2021 ("ESMA Guidelines").

Capital Investment Code (Kapitalanlagegesetzbuch ("KAGB"))

For alternative investment fund managers ("AIFMs") and for UCITS managers, outsourcing rules are defined in Section 36 of the KAGB and BaFin's Circular (Minimum Requirements for Risk Management of Capital Investment Companies (Rundschreiben 01/2017 (WA) — Mindestanforderungen an das Risikomanagement von Kapitalverwaltungsgesellschaften)) dated 10 January 2017. Moreover, outsourcing (delegation) by AIFMs is regulated in Article 75 of the Level 2 Regulation (Commission Delegated Regulation (EU) No. 231/2013 of 19 December 2012 supplementing Directive 2011/61/EU of the European Parliament and of the Council with regard to exemptions, general operating conditions, depositaries, leverage, transparency and supervision). As the BaFin has stated that it intends to apply the ESMA Guidelines, these also apply (among others) to UCITS fund managers and AIFMs.

Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz ("ZAG"))

For payment services providers and e-money institutions, outsourcing is governed by Section 26 of the ZAG.

German Insurance Supervision Act (Versicherungsaufsichtsgesetz ("VAG"))

For insurance undertakings, outsourcing is governed by Section 32 of the VAG.

Regulatory regime for outsourcing to cloud service providers

The BaFin summarized the rules on outsourcing specifically applicable to cloud services in a guidance note entitled "Orientation help regarding outsourcing to Cloud service providers" (Merkblatt — Orientierungshilfe zu Auslagerungen an Cloud-Anbieter ("Guidance Note on Cloud Services")), which was issued by the BaFin and the German central bank (Deutsche Bundesbank) in December 2018. The Guidance Note on Cloud Services was originally cross-sectorial and, therefore, used to apply to all entities supervised by the BaFin (credit institutions, payment and e-money institutions, investment firms, fund managers and insurance undertakings).

As regards credit institutions and financial services providers, the MaRisk was updated in August 2021 to be consistent with the European Banking Authority's ("EBA") Guidelines on Outsourcing Arrangements of 2019 ("EBA Guidelines"). While the EBA Guidelines apply only to credit institutions, payment services institutions and e-money institutions (and thus do not cover investment firms, UCITS managers, AIFMs or insurance undertakings), the Guidance Note on Cloud Services applies to cloud outsourcing for all firms regulated by the BaFin, although this has been superseded by the BaFin's statement that it intends to apply the ESMA Guidelines to investment firms, AIFMs and UCITS managers and a number of other regulated entities, such as central counterparties, trade repositories, central securities depositories and rating agencies.

The EBA Guidelines also integrate the EBA's prior recommendations on outsourcing to cloud service providers published in December 2017. Unfortunately, the BaFin has chosen to not simply replace the MaRisk by the EBA Guidelines but has updated the wording of the MaRisk to reflect the EBA Guidelines. Overall, the MaRisk are not as detailed as the EBA Guidelines.

The BaFin has not revoked its sector-generic Guidance Note on Cloud Services (drafted with the EBA's recommendation on cloud outsourcing in mind, which has now become part of the EBA's Guidelines on Outsourcing). Therefore, the Guidance Note on Cloud Services still provides the best summary of outsourcing rules governing cloud services. In addition, the ESMA Guidelines apply to investment firms, AIFMs and UCITS managers, which, however, overlap only partly with the BaFin Guidance Note on Cloud Outsourcing. This makes it quite difficult to provide a comprehensive overview.

Supervision of cloud outsourcing arrangements

Under the MaRisk, where it is considered that the outsourcing is nonmaterial, only general organizational duties need to be observed. In contrast, the ESMA Guidelines cover nonmaterial outsourcing and impose stricter rules on the outsourcing of critical functions.

Regulatory requirements on the use of IT are set out in the bank supervisory requirements for IT (Bankaufsichtliche Anforderungen an die IT ("BAIT")), last updated on 16 August 2021. The risk assessments regarding the purchase of IT services must be reviewed regularly and on an event-triggered basis, with contracts adjusted accordingly, if necessary (Section 8.3 of the BAIT). More generally, whenever cloud services are used, the cloud service providers will be indirectly affected, as they must follow the IT supervisory requirements applicable to their customers. The most important effect is that the risk analysis to be performed before a service is outsourced must also reflect the strict information risk management, information security and emergency management requirements, and these must be considered in the contractual arrangements with the cloud service providers.

The same also applies in other regulated sectors:

  • For AIFMs and UCITS managers, the capital management supervisory requirements for IT (Kapitalverwaltungsaufsichtliche Anforderungen an die IT ("KAIT")) dated 1 October 2019 apply.
  • For payment and e-money institutions, the payment supervisory requirements for IT (Zahlungsdiensteaufsichtliche Anforderungen an die IT ("ZAIT")) dated 18 August 2021 apply.
  • For insurance undertakings, the insurance supervisory requirements for IT (Versicherungsaufsichtliche Anforderungen an die IT ("VAIT")) dated 3 March 2022 are applicable.

The BAIT, KAIT, ZAIT and VAIT all contain further specific rules on the purchase of IT services outside of outsourcing.

The ZAIT contain rules for payment and e-money institutions that mirror the rules in the MaRisk on outsourcing.

3. Are there any specific contractual requirements for cloud outsourcing?

Cloud outsourcing rules under MaRisk/EBA Guidelines

The following is a summary of the additional provisions in the European Banking Authority's Guidelines on Outsourcing Arrangements of 2019 ("EBA Guidelines") as they have been transposed into Circular 10/2021 (BA) Minimum Requirements for Risk Management (Rundschreiben 10/2021 (BA) — Mindestanforderungen an das Risikomanagement ("MaRisk")) that specifically mention cloud services:

  1. Where relevant (e.g., in the context of cloud or other ICT outsourcing), institutions and payment institutions should define data and system security requirements within the outsourcing agreement and monitor compliance with these requirements on an ongoing basis (EBA Guidelines No. 82; MaRisk AT 9 No. 7 k).
  2. In the case of outsourcing to cloud service providers and other outsourcing arrangements that involve handling or transferring personal or confidential data, institutions and payment institutions should adopt a risk-based approach to data storage and data processing locations (i.e., country or region) and information security considerations (EBA Guidelines No. 83; MaRisk AT 9 No. 7 d).
  3. Internal and external auditors must be sufficiently skilled when complex cloud services are audited (EBA Guidelines No. 97; not explicitly mentioned in the MaRisk).

Cloud outsourcing rules under the ESMA Guidelines

Regarding investment firms, UCITS managers and alternative investment fund managers ("AIFMs"), the Guidance Note on Cloud Services is superseded by the European Securities and Markets Authority's Guidelines on Outsourcing to Cloud Service Providers of 10 May 2021 ("ESMA Guidelines"), even if the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht ("BaFin")) has not clarified the interplay between its guidance note and the ESMA Guidelines. Prudence would suggest applying both sets.

The ESMA Guidelines cover the following points:

1. Governance, oversight and documentation

Firms should have a defined outsourcing strategy and have clear responsibilities for documentation, management and control of cloud outsourcing, including a cloud outsourcing oversight function or designated senior staff members who are directly accountable to the management body. They need to monitor the performance of activities and need to reassess from time to time the criticality of the processes for their business. Additionally, they must also keep an up-to-date detailed register of cloud outsourcing arrangements. Firms should allocate sufficient resources to ensure compliance with the ESMA Guidelines and all the legal requirements applicable to their cloud outsourcing arrangements.

Performance of outsourced activities, security measures and agreed service levels must be monitored.

2. Pre-outsourcing analysis and due diligence

Firms must assess the criticality of the outsourced processes before the outsourcing takes place and assess the risks associated with them. For critical functions, the analysis must be more thorough. In addition, the cloud service provider's suitability must be assessed in due diligence.

3. Key contractual elements

See Question 3 generally on specific contractual requirements.

4. Information security

A firm should have adequate information security requirements in its policies and procedures and should apply them to cloud outsourcing.

5. Exit strategies

If outsourcing critical functions, firms must have an exit strategy. The cloud outsourcing provider must support the firm in migrating the data and services to another provider.

6. Access and audit rights

The outsourcing must not impair the firm's ability to access and audit the activities. Third-party certifications and pooled audits are permitted, but they are subject to a detailed risk assessment if outsourcing critical functions. Firms must also have skilled people that can perform on-site audits.

7. Sub-outsourcing

Sub-outsourcing is viewed critically, and it must be ensured that control and supervision are maintained. Critical sub-outsourcing should be subject to a right of objection by the firm.

8. Written notification to competent authorities

Authorities must be informed ahead of a planned cloud outsourcing. In Germany this is superseded by a general requirement in Section 54(1) No. 13 of the Securities Institutions Act (Wertpapierinstitutsgesetz ("WpIG")) regarding investment firms and Section 36 of the Capital Investment Code (Kapitalanlagegesetzbuch) regarding AIFMs and UCITS managers to notify BaFin of the intent to outsource material functions, the implementation thereof and material incidents in the framework of existing outsourcing.

Cloud outsourcing rules under the Guidance Note on Cloud Services

The key obligations summarized in the guidance note entitled "Orientation help regarding outsourcing to Cloud service providers" (Merkblatt — Orientierungshilfe zu Auslagerungen an Cloud-Anbieter ("Guidance Note on Cloud Services")) are as follows:

1. The risk analysis should be comprehensive and cover the following points:

  • Design
  • Criticality of the outsourced functions
  • Risks resulting from the selected service model Infrastructure as a Service ("IaaS"), Platform as a Service ("PaaS") or Software as a Service ("SaaS"), as BaFin takes the view that the bank's/AIFM's ability to control is highest in IaaS models and lowest in SaaS models (We assume that the contemplated cloud hosting services would likely be considered IaaS, i.e., have a lower risk.)
  • Financial, operational, legal and reputational risk (based particularly on the location of storage devices)
  • Risk resulting from multiple outsourcing to the same cloud services provider
  • Supervisory restrictions in certain countries
  • Geopolitical risk and applicable laws, particularly on data protection
  • Risk for integrity, availability, confidentiality and authenticity of data, particularly regarding access to data located in a different jurisdiction, interfaces between own and third-party systems and risk from sudden termination (such as data loss or limited migration to a new provider)
  • Risk resulting from sub-outsourcing by the cloud services provider

2. A detailed written agreement should be created.

3. Monitoring and audit rights are required, which should include unlimited access to data centers, equipment, systems and networks.

4. Further, it is unacceptable to limit audit rights by the following:

  • Staged information and audit procedures
  • Limitation to submission of audit reports and test certificates
  • Condition of prior training before an audit can take place
  • Limitation to "commercially reasonable" audits
  • Limits on timing and number of audit personnel
  • Limited access only via management consoles
  • Predetermined processes and limitations on the scope of the audit

5. However, in some instances, audits by the internal audit teams of the banks can be replaced by internal audits by the teams of the cloud services provider or other banks, particularly in case of "pooled audits" by several banks/AIFMs.

6. On-site audits by regulatory authorities must not be restricted (including access to data centers, equipment, systems and networks) and the cloud service provider must agree to cooperate with the regulators. The audit rights must cover the entire "chain" of outsourcing, including sub-outsourcing.

7. Instruction rights must include the ability for the outsourcing institution to ask for certain types of certifications and proofs.

8. Outsourcing institutions must ensure that all applicable data protection and data security laws are observed.

9. Outsourcing institutions must know the location of where the data is stored (at least the name of the city, but if there is a valid reason, the cloud services provider must also give the street address).

10. Data and systems must be redundant to ensure availability in case of a failure of a data center.

11. Termination rights should include an obligation on the cloud service provider to continue providing the services until a replacement provider is found. The cloud service provider should support the transfer to the replacement provider. Data at the level of the cloud services provider must be deleted completely and irrevocably after transfer.

12. There should be an exit strategy, which should be reviewed to ensure that it could be implemented in practice.

13. The agreement should deal with sub-outsourcing. The sub-provider must also observe all obligations under the outsourcing agreement. Sub-outsourcing may trigger a reassessment of the risks.

14. Cloud services providers must accept comprehensive information obligations regarding developments, which could impair the services, including any disruptions of services. In addition, the bank must be informed of critical events regarding the provider, particularly financial deterioration.

As for data privacy and/or data security laws, please see Question 7 for the required contractual stipulations. 

4. When does cloud outsourcing fall within the scope of the rules?

The outsourcing rules apply to all cases of material outsourcing. What is "material" needs to be determined by the outsourcing institutions themselves in a risk analysis.

The guidance entitled "Orientation help regarding outsourcing to Cloud service providers" (Merkblatt — Orientierungshilfe zu Auslagerungen an Cloud-Anbieter ("Guidance Note on Cloud Services")) applies to material outsourcing.

For investment firms, UCITS managers and alternative investment fund managers, the European Securities and Markets Authority's Guidelines on Outsourcing to Cloud Service Providers of 10 May 2021 supersede the Guidance Note on Cloud Services. These guidelines also focus on nonmaterial cloud outsourcing.

The bank supervisory requirements for IT (Bankaufsichtliche Anforderungen an die IT), the payment supervisory requirements for IT (Zahlungsdiensteaufsichtliche Anforderungen an die IT), the capital management supervisory requirements for IT (Kapitalverwaltungsaufsichtliche Anforderungen an die IT) and the insurance supervisory requirements for IT (Versicherungsaufsichtliche Anforderungen an die IT) requirements also apply to nonmaterial outsourcing.

5. Does the outsourcing need to be notified to the regulator?

As of 1 January 2022, the Financial Market Integrity Strengthening Act (Finanzmarktintegritätsstärkungsgesetz ("FISG")) amended the German Banking Act (Kreditwesengesetz ("KWG")), the Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz ("ZAG")), the Securities Institutions Act (Wertpapierinstitutsgesetz ("WpIG")) and the Capital Investment Code (Kapitalanlagegesetzbuch ("KAGB")), which oblige institutions in the financial sector to notify the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht ("BaFin")) of significant outsourcing. For insurance undertakings, such a requirement existed before the FISG was adopted.

Under the KWG (Section 24 (1) No. 19 of the KWG), banks and financial services providers must notify the BaFin of their planned outsourcing of material functions that have a material effect on their business activities, the actual implementation, material changes and severe incidents. The notification needs to be provided to the BaFin before the outsourcing agreement comes into effect. There is no fixed deadline, but in practice the notification is often provided much earlier and preceded by even earlier informal exchanges with the BaFin.

The notification requirement also applies to the subsequent implementation of the outsourcing, to material changes and to material incidents in the framework of an outsourcing.

The same requirement of prior notification exists for the following:

  • Payment institutions and e-money institutions under Section 26 (2) of the ZAG
  • Investment firms under Section 64 (1) No. 13 of WpIG
  • Alternative investment fund managers ("AIFMs") and UCITS managers under Section 36 (2) of the KAGB
  • Payment services providers under Section 26 (2) of the ZAG
  • Insurance undertakings under Section 47 No. 8 of the German Insurance Supervision Act (Versicherungsaufsichtsgesetz ("VAG"))

The requirement to notify BaFin of outsourcing, to material changes and to material incidents in the framework of an outsourcing applies under the WpIG, but not under the KAGB, the ZAG or the VAG, although under the KAGB, the BaFin must be notified of material changes to the outsourcing arrangement.

Subject to certain special cases (outsourcing of internal security measures in connection with money laundering; outsourcing of portfolio or risk management by fund managers), no approval from the BaFin is required. However, the BaFin can prohibit outsourcing if regulatory requirements are not complied with. If the BaFin's ability to audit and control the outsourced activities is impaired, it may give special instructions to remove these impediments. For insurance undertakings, it is customary to wait for a declaration of no objection from the BaFin before proceeding with the outsourcing.

The outsourcing institution must have an outsourcing register.

Under the FISG, the following applies:

  • Non-EU outsourcing providers must contractually agree to appoint a local agent to receive service of BaFin communications.
  • The BaFin has the power to issue direct instructions to outsourcing providers, to which material activities have been outsourced, to prevent violations of regulatory provisions, and to prevent endangering the security of the assets entrusted to the outsourcing institution or that could impair the proper operation of the outsourcing institution's business.

These powers apply to credit institutions, financial services providers, investment firms, UCITS managers and AIFMs and insurance undertakings.

In relation to outsourcing of internal security measures under the German Money Laundering Act (Geldwäschegesetz ("GWG")) the former approval requirement has been replaced by an obligation to notify BaFin beforehand (Section 6 (7) of the GWG). Internal security measures include IT measures pursuant to Section 25 h (2) of the KWG that monitor business relationships and payment transactions for signs of unusual transactions or transactions without apparent commercial purpose in order to detect money laundering, terrorism finance or fraud. Any use of the cloud services for that purpose would also need to be notified to the BaFin.

Section 3 of the Notification Ordinance (Anzeigenverordnung ("AnzV")) details the notification requirements. For example, this includes the following:

  • A reference number assigned by the institution for each outsourcing contract
  • Information on the beginning and end of the contract term and, if applicable, on the date of the next contract renewal and on the notice periods
  • The designation of the essential activities and processes to be outsourced or outsourced including an indication of the categories of data affected by the outsourcing, as well as whether personal data will be transferred and whether the outsourcing company will be entrusted with the processing of personal data
  • The result of an assessment of any of the following:
    • The substitutability of the outsourcing entity by assigning it to the categories of "easy," "difficult" or "impossible"
    • An indication of the possibility of reintegration of the essential activity or process into the institution
    • The effect of any discontinuance of the essential activity or process
  • A determination over the existence of alternative outsourcing entities pursuant to the assessment in paragraph 17(a)
  • An indication of whether the essential activity or process to be outsourced supports business operations that are time critical
  • The annual budget estimated for the outsourcing or the associated costs

On request of the BaFin, the draft outsourcing agreement will be submitted.

All filings must be made electronically.

6. What are the potential consequences for breaching financial services rules on cloud outsourcing?

(i) Criminal sanctions

Senior managers of credit institutions and financial services providers have personal risk management obligations, as specified in Section 25c of the German Banking Act (Kreditwesengesetz ("KWG")). Breaches of certain risk management obligations can be a criminal act if: (i) the manager's violation threatens the viability of the institution; and (ii) the manager did not comply with an express instruction from the regulatory authority.

(ii) Administrative fines

The failure by credit institutions or financial services providers to properly notify the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht ("BaFin")) can lead to administrative fines of up to EUR 100,000 (Section 56 (2) No. 1 f) in connection with Section 56 (6) No. 4 of the KWG).

Failure to notify the BaFin of an intended outsourcing of internal security measures is not sanctionable.

Otherwise, breaches of outsourcing rules are not subject to an administrative fine (other than acting contrary to an express instruction by the competent regulatory authority (BaFin or the European Central Bank)).

(iii) Supervisory tool kit

The competent regulatory authority may, however, apply the full "tool kit" of supervisory measures, including on-site audits, special audits, specific orders, warnings to senior executives, the appointment of a special representative, the removal of senior executives and, in the most egregious cases, the withdrawal of the banking or fund manager's license.

As mentioned, the new regime (in force since 2021) also allows the BaFin to apply measures directly against cloud service providers.

(iv) Civil and administrative law

A cloud service provider is fully liable for the acts or omissions of its outsourcing providers from a civil and administrative law perspective. This is regardless of whether the outsourcing company fully complied with its own duties to properly monitor and manage the cloud service provider.

7. Are there any data privacy and/or data security laws that would apply?

Yes, the EU General Data Protection Regulation 2016/679 ("GDPR").

Under German data protection law, pursuant to Article 28 of the GDPR, a data processing agreement must be concluded with the cloud service provider as a data processor.

The contract should stipulate, in particular, that the processor should do the following:

  1. Only process the personal data upon the instructions of the controller, including any transfers of personal data to a third country or an international organization, absent any other legal requirement.
  2. Ensure that the persons authorized to process the personal data have agreed to hold it confidentially or that they are under an appropriate statutory obligation of confidentiality.
  3. Take all technical and organizational measures to ensure a level of data security appropriate for the level of risk presented by processing personal data as required by Article 32 of the GDPR.
  4. Respect the conditions referred to in Article 28 (2) and (4) of the GDPR for engaging another processor (i.e., the authorization and application of the same data protection obligations).
  5. While taking into account the nature of the processing, assist the controller by taking all appropriate technical and organizational measures, insofar as this is possible, in fulfilling the controller's obligation to respond to data subjects' access requests under Articles 12 to 23 of the GDPR.
  6. Assist the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to the processor.
  7. Upon the controller's instructions, delete or return all personal data to the controller at the conclusion of the provision of services relating to the processing, and delete the existing copies unless EU or EU member state law requires the storage of the personal data.
  8. Make available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and permit and contribute to audits, including inspections conducted by the controller or another auditor mandated by the controller.

8. Are there any restrictions under local data protection laws which would impact the overseas hosting of data?

Yes.

If the data contains personal data, any transfer to a third country outside the European Economic Area that is not deemed to provide an adequate level of data protection by the European Commission generally requires that the data exporter ensures an adequate level of data protection consistent with Article 44 of the EU General Data Protection Regulation ("GDPR") on transfers.

Jurisdictions that are subject to an adequacy decision from the European Commission and deemed to provide an adequate level of protection are currently: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Japan, Jersey, Republic of Korea, New Zealand, Switzerland, UK and the Eastern Republic of Uruguay.

If the transfer of personal data from the EU is to a jurisdiction that is not deemed to be "adequate" for the purposes of the GDPR, additional steps may be required, such as entering into EU Standard Contractual Clauses and conducting an assessment of the laws and practices of that third jurisdiction in relation to whether those laws/practices would impinge on the effectiveness of the Standard Contractual Clauses. There are also other alternative transfer tools under the GDPR, such as Binding Corporate Rules. Due to a decision of the Court of Justice of the European Union (C-311/18, July 16, 2020, Schrems II), there are issues around providing appropriate safeguards for regular transfers of personal data, especially to the US, under the GDPR.

A bank has a duty to maintain secrecy under private law on any customer-related facts and evaluations of which it has knowledge. It may only disclose information concerning a customer if it is legally required to do so, if the customer has consented or if the bank is authorized to disclose it. Legal doctrine in Germany is generally to the effect that a bank may use cloud service providers and share information on its clients with these providers if they agree to safeguard any bank secrets.

9. Does a cloud service provider need a financial services authorization or license to provide cloud services?

No. However, the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht) has direct enforcement powers over outsourcing providers.

10. Are express consents from customers or other data subjects required before moving data to the cloud?

No, consent is not required.

11. Are there any local laws which require a cloud service provider to be able to access the data it hosts?

No.

12. Are there any local laws which would require a cloud service provider to disclose the data it hosts to any third parties in any circumstances (including regulatory or law enforcement authorities)?

Yes. Several German laws may require the cloud service provider to disclose data to the German authorities (e.g., the police and tax authorities).

Whether and to what extent the cloud service provider is subject to German law needs to be assessed on a case-by-case basis. However, to the extent that the cloud service provider holds data in Germany, it is — at least in theory — subject to German jurisdiction (i.e., the German authorities are physically able to access the relevant data). However, under German law, any kind of access to data by the German authorities is subject to strict requirements and the principle of proportionality.

The most relevant scenarios for disclosure under German law are as follows:

1. Criminal law

Under German criminal law, the following authorities could have access to data: law enforcement authorities, including the police (the Federal Police, the federal states' police and the Federal Criminal Police Office ("BKA")), public prosecutors, courts and the customs administration (including customs investigation offices); the Federal Intelligence Service; the Federal Office for the Protection of the Constitution and federal states' authorities for the protection of the constitution; and the Military Counterintelligence Service ("MAD").

Applicable scenarios include criminal investigations (including, in certain specific instances, the prevention of crime), tax/customs investigation and anti-terrorism.

2. National security/anti-terrorism laws

Under German national security/anti-terrorism laws, the following authorities could have access to data: the police (including the Federal Border Guard), the BKA, the Federal Office for the Protection of the Constitution, federal states' authorities for the protection of the constitution, the MAD and the Federal Intelligence Service.

Applicable scenarios are criminal investigations, anti-terrorism and military matters.

3. Tax/customs law

Under German tax/customs law, the following authorities could have access to data: the tax and customs administration, fiscal courts, courts, public prosecutors and tax and customs investigation offices.

Applicable scenarios include data access and intercept requests in connection with tax assessments and/or a customs declaration/assessment procedure, and criminal investigations in tax and/or customs matters.

4. Banking regulatory law

Under the German Banking Act (Kreditwesengesetz ("KWG")), the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht ("BaFin")) may access data.

However, this only applies where the financial institution is subject to the KWG. In such cases, it is required to store certain information on accounts and account holders, and it must grant BaFin access to the respective database (irrespective of whether the database is kept in-house or with a third-party service provider). In addition, by appropriate technical and organizational measures, it must ensure that the subject does not become aware of the fact that the BaFin is accessing the database (Section 24c of the KWG). Relevant scenarios include where access to data is required to comply with the BaFin's obligations under the KWG or the Act on the Detection of Proceeds of Serious Crime. The BaFin is entitled to share information with foreign courts and/or regulators if certain additional requirements are met.

Moreover, the BaFin has practically unlimited rights to demand information from banks, financial services providers, investment firms, payment and e-money institutions, alternative investment fund managers, UCITS managers and insurance undertakings regulated by it; further, to ask for the submission of documents and to make copies on all matters of business; and to inspect the premises and ask questions of personnel. In the case of banks, the BaFin does not need to have any discrete reason for its information and audit requests. The outsourcing of data should not impair these rights. In this regard, the outsourcing agreement must ensure that the BaFin can exercise these rights vis-à-vis cloud service providers, including on-site audits and the right to inspect documents and make copies.