Does the German GDPR require data storage in a German data center for a tele-health company?
2020-07-26 18:44:54 UTC
I co-founded a tele-health startup. We are expanding to Germany, we have gone through the GDPR and implemented most of it; however, we didn't quite understand the data residency part and found conflicting information online.

Should the data be stored in a German data center? Is it a requirement? Would it be OK to have it stored outside Germany? How about outside the EU?


One answer:
2020-07-26 20:58:35 UTC
The goal of the GDPR is to ensure a single market for personal data processing throughout the EU. Since all EU/EEA member states now have equivalent levels of data protection, it doesn't matter in which member state data is stored or processed. Member states cannot generally limit this single market via national laws.

Furthermore, secure processing may be possible outside of the EU/EEA, as discussed in Chapter 5 of the GDPR. Some countries, such as Japan, have been asserted to have an adequate level of data protection, so that no special safety measures are necessary. For other countries, a transfer of personal data may be possible under so-called Standard Contractual Clauses (SCCs), which detail the responsibilities of the data exporter/importer.

However, the recent Schrems II ruling has invalidated the (partial) adequacy decision for the United States, and has strongly hinted that SCCs only work if the parties are actually able to honor their responsibilities under the SCC (which is not the case with some surveillance laws). Data protection is likely not ensured for processing in the US or by US-controlled companies (even if the processing usually takes place within the EU). Given the sensitivity of health data, this means you should likely avoid using the typical public cloud providers (regardless of availability region). Depending on where your company is based, you might also be disqualified as a data processor by EU data controllers.

So the GDPR has no data residency requirements that limit processing/storage to Germany, but it does have some data residency requirements to keep the data in the EU. However, there may be non-GDPR obligations that mandate how the data can be processed, but I'm not familiar with those (the German regulatory landscape for tele-health is very uneven and differs between German states, but it is also improving a lot recently).

Since you're processing health data, you should pay special attention to Art 9(3) GDPR, which is expanded in German law by §22 BDSG to list a catalogue of possible safety measures you should consider, but none of them are related to data residency. §78 BDSG has further details on transfers into non-EU countries, such as emphasizing that human rights must be guaranteed in the target country.

"You should likely avoid using the typical public cloud providers": I'm curious whether this applies to "sovereign clouds" such as [Azure Black Forest]( -welcome).
@Dai Azure Germany is operated by a German trustee rather than by Microsoft, so the problematic US surveillance laws have no effect. I would expect workloads running there not to be affected by the Schrems II ruling. However, Azure Germany stopped accepting new customers in 2018.