The most important questions regarding the EU’s General Data Protection Regulation

In this article you will read about,

• which companies the GDPR applies to,
• what impact the regulation has on IT security, and
• why the location of the hosting provider is important.

Since spring 2018, the European General Data Protection Regulation (GDPR) has applied in all EU member states. The most important questions about the current data protection law for companies at a glance:

The European General Data Protection Regulation affects anyone who processes personal data – companies, associations, public offices, government authorities, and schools. It doesn't matter whether an organization collects, stores, or "only" forwards the data.

Since 2018, the General Data Protection Regulation has been binding and legally effective in all EU member states. This means that anyone and everyone affected can directly sue for their rights set out in the GDPR before the national courts of the EU member states. Any company that violates this applicable law will face severe sanctions from the supervisory authorities.

The level of fines is uniformly regulated and can be up to 4 percent of annual turnover or 20 million euros. This can become a serious economic risk even for large companies. When it comes to sanctions, the supervisory authorities must agree on a common approach among themselves. Their task is to impose sanctions that are proportionate, but also dissuasive.

The General Data Protection Regulation contains a comprehensive catalog of data security measures. This is the first time that IT security has been demanded as a standard – an important step, because inadequately secured companies sometimes don’t even realize that they have been the victim of a hacker attack with data theft. Such negligence would be punished by the GDPR, which imposes a reporting obligation: A loss of personal data must be reported within 24 hours.

In order to comply with the GDPR, the issue of where a cloud provider’s data centers are located or where the storage and processing of personal data takes place is crucial.
This is because in the summer of 2020 the European Court of Justice overturned the Privacy Shield with its Schrems II judgement. As a result, the data protection agreement between Europe and the United States no longer exists. Therefore, companies can no longer rely on this agreement, which was intended to ensure compliance with European data protection standards outside the EU, when storing data in third countries.

 All data in the Open Telekom Cloud is stored in multi-certified, highly-secure data centers in Germany and the Netherlands. This means that all data remains on European soil and in the European legal area at all times.

Telekom and T-Systems also had the GDPR-compliant nature of their public cloud independently audited and certified at an early stage. The Trusted Cloud Data Protection Profile 1.0 (TCDP 1.0) shows that the offering fully meets the strict requirements. It certifies that the Open Telekom Cloud has a legally-compliant data protection certification for defined cloud services. In the future, the TCDP certification will be replaced by the "GDPR CC" certification. The goal: to apply European data protection sustainably. "GDPR CC" enables us to demonstrate the compatibility of your data processing operations with the GDPR data protection requirements.