Data privacy and security
7. Are there any data privacy and/or data security laws that would apply?

Yes, the EU General Data Protection Regulation 2016/679 ("GDPR").

The GDPR applies directly in Germany. Pursuant to Article 28 of the GDPR, a data processing agreement must be concluded with the cloud service provider, which acts as a data processor on behalf of the customer as controller.

The contract should stipulate, in particular, that the processor will do the following:

  1. Only process the personal data on documented instructions from the controller, including with regard to any transfers of personal data to a third country or an international organization, unless EU or EU member state law to which the processor is subject requires otherwise.
  2. Ensure that the persons authorized to process the personal data have agreed to hold it confidentially or that they are under an appropriate statutory obligation of confidentiality.
  3. Take all technical and organizational measures to ensure a level of data security appropriate for the level of risk presented by processing personal data as required by Article 32 of the GDPR.
  4. Respect the conditions referred to in Article 28 (2) and (4) of the GDPR for engaging another processor (i.e., the authorization and application of the same data protection obligations).
  5. Taking into account the nature of the processing, assist the controller by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the controller's obligation to respond to requests by data subjects exercising their rights under Articles 12 to 23 of the GDPR.
  6. Assist the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to the processor.
  7. Upon the controller's instructions, delete or return all personal data to the controller at the conclusion of the provision of services relating to the processing, and delete the existing copies unless EU or EU member state law requires the storage of the personal data.
  8. Make available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and permit and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.