
The choice of provider


What makes a good provider?

Choosing a provider is not always easy. Besides the technical range of functions, accessibility and ease of use play a major role, which is why organisations usually stick to tried-and-tested services or services recommended by others. From a data protection perspective, however, other factors matter, and they are set out below.


Where does the data processing take place?

Ideally, the provider should process personal data on servers located in the same country as your organisation. Processing on servers in another member state of the European Union is also acceptable, because the GDPR applies there in the same way. For all other countries, check whether the country is one that the European Commission has recognised as having an adequate level of data protection ("adequacy decision"). The service provider should be able to tell you exactly where the data is processed; if it cannot, treat that as a warning sign.

Example 1: Fixed server location in the EU

Screenshot: web hosting offer with a fixed server location in Germany and Austria.

Example 2: Flexible storage location

Screenshot: Microsoft 365 administration area, where the file storage location is selected under "Organisation settings" and "Organisation profile".


Where is the provider based?

In addition to the location where the data is processed, also consider where the provider has its registered office. Here too, providers based in the EU are ideal, as they are directly subject to the GDPR. For all other countries, check whether an "adequacy decision" from the European Commission exists for that country.

Also check whether your direct contractual partner is merely a subsidiary of a larger group. Microsoft, for example, is represented in the EU by Microsoft Ireland, but this entity belongs to Microsoft Corporation, which is based in Redmond, USA. A transfer of data to the USA therefore cannot be ruled out, because the parent company is subject to US law. Take this into account when selecting a provider and, where necessary, assess it in the risk analysis.


What guarantees does the provider give regarding compliance with data protection?

Check which security mechanisms the provider has implemented with regard to data protection. You cannot verify this down to the last detail, but you should at least review the information the provider publishes on the topic. As a rule, providers that implement the data protection requirements strictly present this information prominently.

In almost all cases, using an online service constitutes commissioned processing within the meaning of Art. 28 GDPR. You should therefore conclude a data processing agreement (DPA), also called an order processing contract, with each provider. Most providers make a corresponding contract available for download. It should contain detailed information on the technical and organisational measures (TOMs) the provider applies for data security and data protection. Also check the list of sub-processors that the DPA should include: it tells you which further companies, and in which countries, will process your data on the provider's behalf.


Risk analysis

Carry out a risk assessment for each service provider you use, covering the points above: processing location, registered office and corporate group, published security information, and the DPA. You will find a template for this in the "Templates & Tools" module.