Health Data in the Cloud – new law in Germany raises the bar | Fieldfisher

As of July 1, 2024, the German Social Code sets new security and compliance boundaries for processing health-related personal data through use of cloud computing services.

More specifically, the provision at hand (sec. 393 German Social Code V, currently available only in German) limits the processing of social- and health-related personal data of German "Leistungserbringer" (health care providers), such as doctors, hospitals, psychotherapists and pharmacies.

As of 1 July 2024, with no further adoption or implementation period, health-related personal data of such clients may only be processed in Germany, in the EEA, or in a third country that provides adequate protection under a European Commission adequacy decision.[1] Where the processing takes place in such an adequate third country, providers of cloud computing (-based) services are additionally required to maintain a residence within Germany.

In short, this means that other transfer safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCR), although treated as equivalent under Chapter V of the GDPR, will no longer count as an adequate guarantee for global providers of cloud computing (-based) services that carry out some or all of the health-related data processing for German clients in a third country that currently has no European Commission adequacy decision.

Whilst this may sound familiar from certain existing state hospital acts (e.g. sec. 24 (7) Berlin state hospital act), the above restrictions on health-related processing raise further questions: in particular, which services are to be classified as cloud computing services; whether the obligations, including the requirement to maintain a residence in Germany, apply throughout the entire processing chain (i.e. to sub-processors as well); and whether, for example, occasional third-level support provided from outside the EEA (e.g. from India) likewise falls within scope.

On the security side, the new law further requires a C5 attestation (Cloud Computing Compliance Criteria Catalogue, issued under the catalogue of the German Federal Office for Information Security, BSI) for any cloud systems and technology used in the cloud computing service at hand, likewise from 1 July 2024 onwards. A C5 type 1 report is considered sufficient for the time being; a C5 type 2 report will be required as of July 2025.

Call to action: Companies that provide global (non-EEA) cloud computing (-based) services in the German health care sector should immediately check whether their products and services are subject to these new requirements and review their existing transfer safeguards and security mechanisms in order to initiate appropriate action items, such as a DPF certification.

We're here to help you navigate the upcoming new requirements and evaluate the best options for your business needs. Contact us today to get started!


[1] As of today, the European Commission has recognised the following countries as providing adequate protection: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom (under the GDPR and the LED), the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay.
