Use the Lexology Getting the Deal Through tool to compare the answers in this article with those from other jurisdictions.

Market overview

Kinds of transaction

What kinds of cloud computing transactions take place in your jurisdiction?

In Germany, almost all types of cloud models are used. The use of infrastructure-as-a-service (IaaS) - in particular, any kind of storage services - is already widespread in the private sector. The use of platform-as-a-service (PaaS )and software-as-a-service (SaaS) are also increasing rapidly. German companies are more willing to implement their core business processes using PaaS and SaaS. One trend, for example, is the outsourcing of enterprise resource planning (ERP) systems to the cloud. In the context of this development, public and hybrid cloud models are gaining increasing acceptance, although most cloud services currently used by German companies are still based on private cloud models/classic on-premise software.

Acceptance of cloud services in the public sector is not as high as in the private sector but there are political plans to make greater use of cloud services in public administration. Nevertheless, there is still scepticism about public and hybrid cloud models, so planning of the federal and regional governments is primarily focused on the development of self-operated private cloud models. One lighthouse project, for example, is the ‘federal cloud’, which is operated as IaaS by the Federal Information Technology Centre (ITZBund, a German federal government-owned IT service provider) and can be used by any federal authority.

Active global providers

Who are the global international cloud providers active in your jurisdiction?

Almost every major international cloud provider offers cloud services in Germany. In particular Amazon, Microsoft, IBM and Google are highly visible in the market. Other ambitious international cloud providers, such as Alibaba, Rackspace or Salesforce, are trying to establish themselves in the market.

SAP, one of the largest German software providers, is expanding strongly in the German and international cloud market with its ‘SAP Cloud Platform’.

Active local providers

Name the local cloud providers established and active in your jurisdiction. What cloud services do they provide?

There is a very differentiated market for cloud services in Germany. On the one hand, there are only a few local full-service cloud providers competing with the major international cloud providers. On the other hand, there is an increasing number of small and medium-sized cloud providers specialising in a particular type of cloud product, a certain industry or certain use cases.

Market size

How well established is cloud computing? What is the size of the cloud computing market in your jurisdiction?

Cloud computing is a dynamic and fast-growing market and there is an increasing acceptance of cloud computing in Germany. Not only large enterprises but also an increasing number of small and medium-sized enterprises (SMEs) use cloud computing services. Nevertheless, a study by the Federal Statistical Office of Germany, Destatis, from 2016, states that the extent of use of cloud computing by German companies still depends on the size of the company.

Probably due to the fact that cloud computing is one of the ‘driver technologies’ of the fourth industrial revolution, its use is growing rapidly. Already in 2017, Bitkom - an association representing most of the companies of the digital economy in Germany - spoke of the ‘booming’ use of cloud computing in companies.

According to the Cloud Monitor 2018, two out of three companies in Germany use cloud computing solutions in their company. Pursuant to a statistical report published by Statista, the total turnover in the field of cloud computing in the B2B-sector in Germany is forecast to reach €22.5 billion in 2020.

Impact studies

Are data and studies on the impact of cloud computing in your jurisdiction publicly available?

There are several studies publicly available regarding cloud computing in Germany. However, most of these studies are conducted by stakeholders of the cloud computing market and are, therefore, not scientific studies.

The Cloud Monitor (see question 4) is a valuable source of information. The Cloud Monitor is an annual survey of German companies using cloud services, published by Bitkom and KPMG. It provides a good overview of the current trends and developments in the German cloud market.

Furthermore, Destatis offers detailed statistical information on the use of information and communications technology in Germany.

Policy

Encouragement of cloud computing

Does government policy encourage the development of your jurisdiction as a cloud computing centre for the domestic market or to provide cloud services to foreign customers?

The federal government funds various scientific projects and business platforms in the context of cloud computing.

For example, back in 2010 the Federal Ministry of Economics and Energy initiated the project ‘Trusted Cloud’. An important element of the project is the ‘Trusted Cloud Platform’ that provides comprehensive information on certificates and standards relevant for cloud computing as well as an independent marketplace for trustworthy cloud services. Prerequisite for listing as a ‘Trusted Cloud Service’ in the marketplace is a contractual warranty from the provider that certain minimum requirements on transparency, data protection and IT-security are met.

Furthermore, in 2017, the Federal Ministry of Economics and Energy initiated the European Cloud Service Data Protection Certification (AUDITOR) project. AUDITOR’s goal is to design, implement and test a sustainable EU-wide data protection certification of cloud services on the basis of the General Data Protection Regulation (GDPR) (see question 15).

In the 2018 Global Cloud Computing Scorecard recently published by the BSA|The Software Alliance, Germany is ranked number one out of 24 countries examined with regard to the regulatory and political framework for cloud computing.

Incentives

Are there fiscal or customs incentives, development grants or other government incentives to promote cloud computing operations in your jurisdiction?

There are no fiscal or customs incentives for cloud computing in Germany.

The EU, the federal government as well as the governments of the federal states of Germany offer a wide variety of different funding programmes to promote the digitisation of the European or German economy. Depending on the individual programme, grants, loans or guarantees are granted. In particular, support is provided to SMEs. The Foerderdatenbank provides a comprehensive overview of the available funding programmes. Particularly worth mentioning is the ‘ERP-Digitalisierungs- und Innovationskredit’ programme of the Kreditanstalt für Wiederaufbau (a German federal government-owned development bank). Under this programme, SMEs can obtain low-interest loans of up to €5 million to invest in their digital infrastructure.

Legislation and regulation

Recognition of concept

Is cloud computing specifically recognised and provided for in your legal system? If so, how?

German law does not provide a specific legal framework for cloud computing. In particular, there is neither a ‘cloud’ or ‘IT act’ nor does German contract law provide specific rules for cloud computing contracts. Hence, legal matters relating to cloud computing are governed by the general legal provisions, in particular the GDPR and the German Civil Code.

Consequently, in practice the courts, supervisory authorities and legal literature have a strong role in interpreting the general legal provisions in the context of cloud computing.

The data protection authorities in Germany have already published a joint guideline on cloud computing in 2014. The guideline ‘Orientierungshilfe - Cloud Computing’ provides an overview of the opinion of the German data supervisory authorities on the most relevant data protection issues in the context of cloud computing. However, the legal requirements and references of the guideline still correspond to the old data protection law that applied until the GDPR came into force. A new version of the guideline that takes into account the requirements of the GDPR, in particular the provisions on data processing, is currently being prepared by the German data protection authorities.

Governing legislation

Does legislation or regulation directly and specifically prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

Until recently, German law neither directly regulate cloud computing nor was the term ‘cloud computing’ used in German law. As already explained in question 9, there is still no specific legal framework for cloud computing in Germany.

Recently, however, section 2, paragraph 11 of the Act on the Federal Office for Information Security (BSIG) introduced the first legal definition of cloud computing to the German law. According to this definition, ‘cloud computing services’ are services that allow ‘access to a scalable and elastic pool of shareable computing resources’. These services must meet different IT-security requirements if the cloud provider exceeds a certain company size. In particular, sufficient technical and organisational measures must be taken to establish IT security and cloud providers affected by the BSIG must report all security incidents that have a significant impact on the respective cloud service to the Federal Office for Information Security.

This can be regarded as the first direct regulation of cloud computing in German law.

What legislation or regulation may indirectly prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

The German law is quite differentiated and includes a wide variety of different regulations that could have an indirect impact on cloud computing. In general, every law that governs business activities in Germany can be applicable on cloud computing. Because cloud computing by itself is not a concept that is specifically recognised in German law, each individual cloud service should to assess which laws and regulations need to be considered. The answer to this question mainly depends on the nature, the purpose and the business context of the respective cloud service.

In any event, data protection law and particularly the new EU Data Protection Regulation EU 2016/679 have a great impact on almost every cloud service and can be regarded as the most important regulation indirectly governing cloud computing (see question 15).

The provision of a service based on cloud technology is in principle not subject to the Telecommunications Act (TKG) even if data is transferred between individual physical servers in the cloud and is therefore not governed by telecommunications regulations.

Exceptionally, however, a cloud service may be subject to the TKG if it includes communication services such as Voice over Internet Protocol, video conferencing, instant messaging or email services. If so, the cloud provider is, inter alia, subject to strict rules on secrecy of telecommunications and has to register with the Federal Network Agency.

Furthermore, the tax regulations relating to the keeping of accounts and records (see section 145 et seqq, Fiscal Code) must be taken into account when outsourcing accounting to the cloud.

Breach of laws

What are the consequences for breach of the laws directly or indirectly prohibiting, restricting or otherwise governing cloud computing?

In the event of a breach of the laws governing cloud computing, the following four consequences are relevant:

  • It is conceivable that a competent supervisory authority will initiate administrative proceedings and take the necessary measures to remedy the infringement. The authorities could, for example, impose prohibitions or duties to act on the person responsible. Such administrative acts can be enforced with a fine or by way of substitute performance at the expense of the person responsible.
  • It is conceivable that an administrative fine will be imposed on the person responsible. The possible amount of the fine varies from one law to another and depends on the circumstances of the individual case. However, in particular, a breach of the GDPR (see question 15) can be subject to a very high administrative fine up to €20 million, or in the case of an undertaking, up to 4 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher.
  • It is conceivable that a breach of law governing cloud computing can also be a criminal offence, for example, in case of an unlawful deletion or suppression of data by the cloud provider (see section 303a, German Criminal Code) or in case of data espionage of the cloud provider (see section 202a, German Criminal Code).
  • It is conceivable that other market participants or cloud customers assert claims for injunctive relief and damages on the basis of competition law or contract.

Consumer protection measures

What consumer protection measures apply to cloud computing in your jurisdiction?

German civil law contains a large number of consumer protection regulations. Important for cloud providers are above all the rules on distance contracts (see section 312c et seqq, German Civil Code) that impose extensive information duties on the cloud provider concerning its identity, its contact details and the modalities of the relevant cloud service. Furthermore, the consumer, in principle, has the right to withdraw from a distance contract on cloud computing services within a period of 14 days.

Moreover, there are limitations for the use of standard business terms in B2C contracts. Section 308 and section 309 of the German Civil Code stipulate a comprehensive catalogue of prohibited clauses. For example, there are restrictions for the exclusion or limitation of liability as well as on the duration of the contract and on price increase clauses. Additionally, there is a general test of reasonableness of the content of standard business terms, which is handled very strictly by the courts with regard to standard business terms for B2C contracts.

Experience shows that most of standard business terms designed for cross-country use not do not comply with these provisions. Hence, it is advisable to use specific standard business terms for the German and European market.

For the sake of completeness, it should be noted that it is not possible to exclude the application of these provisions by a choice of law of foreign law because the Regulation (EC) No 593/2008 (Rome I) forbids any choice of law that have the result of depriving the consumer of the protection afforded to him or her by provisions of the country of its habitual residence if this is a member state of the EU.

Attention should also be paid to the provisions on alternative dispute resolution laid down in Regulation (EU) No 524/2013 and the Act on Alternative Dispute Resolution in Consumer Matters which, inter alia, includes several information duties.

Sector-specific legislation

Describe any sector-specific legislation or regulation that applies to cloud computing transactions in your jurisdiction.

As already discussed, the BSIG imposes IT-security requirements on cloud services if the cloud provider exceeds a certain company size (see question 10). Besides this, the BSIG also addresses operators of ‘critical infrastructures’. Companies in the water, energy, nutrition, health, telecommunications, finance, insurance and logistics sectors may therefore be obliged to meet the IT-security requirements laid down in the BSIG when using cloud services and only collaborate with cloud providers that also meet these requirements.

In addition, there are other industry-specific regulations that can impose special organisational obligations on companies or restrict the outsourcing of business processes to the cloud. Such regulations exist, for example, for:

  • the financial sector (see the Banking Act; the Payment Services Supervision Act; the Securities Trading Act; and the Investment Code);
  • the insurance sector (see the Act on the Supervision of Insurance Undertakings);
  • the telecommunications sector (see TKG);
  • the energy sector (see the Energy Industry Act); and
  • the healthcare sector.

In practice, these regulations are specified by comprehensive interpretative decisions of the supervisory authorities such as the Minimum Requirements for Risk Management for the financial sector and the Supervisory Requirements for IT in Financial Institutions published by the Federal Financial Supervisory Authority.

In cases where customers are bound to a special professional secrecy, such as lawyers, tax consultants or health care providers, special attention should be paid to section 203, Criminal Code that makes the unauthorised disclosure of professional secrets a criminal offence and only permits the transfer of such secrets to the cloud under restrictive conditions. Furthermore, professional law should also be taken into account in these cases.

Insolvency laws

Outline the insolvency laws that apply generally or specifically in relation to cloud computing.

No specific cloud computing or IT insolvency law exist. Thus, the general legal framework, in particular, the German Insolvency Statue, is applicable to a cloud provider in the event of insolvency.

If a cloud provider files for insolvency, in most cases, an insolvency administrator is appointed. The insolvency administrator is, in principle, entitled to refuse to perform the cloud contract at its discretion. If so, the customer is entitled to claim the separation of his or her data stored in the cloud (section 47, Insolvency Statue). This means that the customer can request the insolvency administrator to transmit the data stored in the cloud to him or her or to delete the data from the cloud but also that the insolvency administrator can immediately stop the provision of the respective cloud service.

Alternatively, the insolvency administrator may decide to continue the cloud contract. In this case, cloud services will continue to be available even during the insolvency proceedings. However, from the customer’s perspective, it is very uncertain if and for which period of time the cloud provider is financially able to continue the provision of the cloud services. Hence, it should be carefully assessed whether the cloud contract could be terminated by the customer.

Data protection/privacy legislation and regulation

Principal applicable legislation

Identify the principal data protection or privacy legislation applicable to cloud computing in your jurisdiction.

On 25 May 2018, the Regulation (EU) 2016/679 (General Data Protection Regulation (GDPR)) became effective. The GDPR stipulates a comprehensive framework for the processing of personal data. The use of cloud computing generally entails the processing of personal data by the cloud provider, whether the data is contained in user log-in credentials or in content stored or processed by means of the cloud.

The GDPR applies, inter alia, to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU. Hence, the GDPR must always be taken into account if the cloud provider is located in the EU or if the customer is subject to the GDPR.

The GDPR sets high standards to the processing of personal data. In case of non-compliance substantial administrative fines can be imposed on the customer or the cloud provider. Infringements of the GDPR can be subject to administrative fines up to €20 million, or in the case of an undertaking, up to 4 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The German supervisory authorities are becoming more and more active in enforcing the GDPR. Therefore, compliance with GDPR is very important and can be regarded as a key challenge in setting up new cloud services as well as in the daily business of cloud computing.

All provisions set out in the GDPR basically are aimed at fulfilling and safeguarding the following general principles. Personal data will be:

  • processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency);
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation);
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation);
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay (accuracy);
  • kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (storage limitation); and
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).

Furthermore, the controller will be responsible for, and be able to demonstrate, compliance with the GDPR at any time (accountability).

If one picks out the rules within the GDPR that are particularly important for cloud computing, it would be the provisions concerning data processing and data transfer to third countries.

The cloud provider processes customer content uploaded to the cloud for and on behalf of the respective customer and not for its own purposes. Accordingly, the cloud provider is to be qualified as the customer’s data processor within the meaning of article 4, paragraph 8, GDPR. Consequently, article 28, GDPR, which stipulates special requirements to the data processing, is applicable to cloud services.

First of all, the customer is obliged to choose carefully the right cloud provider. The customer should use only cloud providers providing sufficient guarantees to implement appropriate technical and organisational measures in order to ensure that the data processing will meet the requirements of the GDPR.

Furthermore, the cloud provider and the customer are obliged to agree on a data processing agreement that includes the necessary content laid down in article 28, paragraph 3, GDPR.

If the infrastructure of the respective cloud service is located in a third country (ie, outside the EU), the cloud service is subject to the special provisions for a transfer of data to third countries laid down in article 44 et seqq, GDPR. Any transfer of personal data to the relevant cloud service in principle will take place only if an adequate level of data protection is ensured in the relevant third country.

Such transfer of personal data may take place where the cloud infrastructure of the respective cloud service is located in a country that is subject of an adequacy decision of the European Commission. At present, this includes Andorra, Argentina, Canada, Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand and Uruguay. Transfer to the US is possible under the condition that the relevant cloud provider meets the requirements stipulated in the EU-US Privacy Shield.

If there is no such adequacy decision, it is necessary that the relevant cloud provider provides appropriate safeguards for the respective cloud service as set out in article 44 et seqq GDPR. The most important instruments to do so in practice are the ‘standard data protection clauses’ (SDCs). The SDCs are provided by the European Commission and need to be entered into between the cloud provider and the customer as a binding contract.

Cloud computing contracts

Types of contract

What forms of cloud computing contract are usually adopted in your jurisdiction, including cloud provider supply chains (if applicable)?

In civil court jurisdiction and in the German legal literature, it is controversial which provisions of the contract law (see German Civil Code) may apply to cloud computing contracts. So far, there is no common opinion on this issue. However, in essence, one may state that most of the cloud contracts are a hybrid of different contract types.

Against this background, it is common practice in Germany to regulate all issues relevant to the parties in connection with cloud services by detailed individual contractual agreements or by comprehensive standard business terms.

Typical terms for governing law

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering governing law, jurisdiction, enforceability and cross-border issues, and dispute resolution?

Article 3, paragraph 1 Regulation (EC) No. 593/2008 (Rome I) provides the parties of a B2B public cloud computing contract the freedom of choice on which law should govern their contractual relationship.

Which law is actually chosen by the parties usually depends on where the cloud provider is located. Most of the German cloud providers are not willing to agree on the application of foreign law on their cloud services and only accept an explicit choice of German law, which would be applicable anyway if no explicit choice of law was made. Contrary to that, the standard business terms of the major international cloud providers usually contain a choice of law clause in favour of the law of the country in which their headquarters is located or in favour of a third country.

The competent jurisdiction is normally determined in accordance with the law chosen by the parties.

The enforceability as well as cross-border issues are generally not subject to special contractual terms. However, on the basis of the Regulation (EU) No 1215/2012 (Brussels I), a judgment given in a member state of the European Union will be recognised in the other member states without any special procedure being required and is enforceable in any other member state without any additional declaration of enforceability.

Alternative dispute resolution is becoming more common regarding disputes arising from B2B public cloud computing contracts. However, the contractual agreements on this issue are very different and best practice has not yet been established in Germany.

Typical terms of service

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering material terms, such as commercial terms of service and acceptable use, and variation?

Agreements on the remuneration of the cloud provider vary depending on the service. SaaS are often charged by the number of users/per application. IaaS and PaaS are often billed according to the volume of data processed. It is common that additional fees are charged for supporting services (eg, consulting, training, data migration). Many contracts contain a price increase clause, which must, however, meet the strict requirements of the Price Clause Act in order to be effective. If such clause is contained in standard business terms, the provisions of the German Civil Code on prohibited clauses (section 307 et seqq) must also be taken into account.

B2B public cloud computing contracts in Germany usually contains rules on the acceptable use or refer to an ‘acceptable use policy’. Such rules usually prohibit the use of cloud services for any kind of illegal activities, in particular using the cloud services for the infringement of intellectual property rights, to send spam emails, to carry out denial-of-service attacks or to distribute malware.

Typical terms covering data protection

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering data and confidentiality considerations?

Usually B2B public cloud computing contracts in Germany require the cloud provider to take measures in order to ensure the confidentiality of the data processing and the integrity and availability of the processed data. It is common practice to agree on an addendum to the contract that includes a detailed catalogue on the technical and organisational measures to be implemented by the cloud service provider. Furthermore, the cloud service provider is often obliged to comply with information security standards such as the ISO/IEC 27000 Series and to provide the customer with a certification according to these standards.

With regard to the GDPR, which permits the transfer of personal data to third countries only under strict conditions (see question 15), some German customers require that the data processing should only take place on servers located in Germany or in the EU. Most of the German and the major international cloud providers offer such geographical restriction for an additional charge.

Typical terms covering liability

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering liability, warranties and provision of service?

It is common practice that cloud providers attempt to limit their liability in their standard business terms. In most of the commonly used liability limitation clauses, the liability of the cloud provider is limited to personal damage, damage caused by gross negligence or wilful misconduct, damage caused by material breach of contract and claims arising from guarantees or the basis of the Product Liability Law. Additionally, liability is often limited to the typical and foreseeable damage or to a certain amount in total for all claims arising from the respective cloud contract or to a certain amount per event of damage.

For limitations beyond what is stipulated above, it is questionable if such liability clauses comply with German law, which only allows limitation of liability clauses in standard business terms to a very limited extent (see section 307 et seqq, German Civil Code).

The quality and the availability of the cloud service to be provided is usually determined by a detailed service level agreement (SLA). The SLA usually also contains sanctions (eg, contractual penalties, price reductions) in the event that the cloud provider does not meet the requirements set out in the SLA.

Typical terms covering IP rights

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering intellectual property rights (IPR) ownership in content and the consequences of infringement of third-party rights?

In the SaaS model, the cloud provider usually guarantees that it holds all necessary intellectual property rights to provide the SaaS to the customer or that the necessary licences have been granted by the rights holder. In the event that a claim is made against the customer by a third party due to an alleged infringement of intellectual property rights by the respective cloud service, the cloud provider is obliged to defend the customer and, if necessary, indemnify the customer from the claim to reimburse him or her for the costs of legal defence.

The customer usually guarantees that their use of the cloud service does not constitute an infringement of third-party rights. The cloud provider regularly reserves the right to temporarily suspend the provision of the cloud service if there is reasonable evidence that the customer infringes third-party rights by using the cloud service or processing unlawfully collected data with the cloud service. The cloud provider is obliged to immediately inform the customer on the suspension of the cloud service and to make the cloud service immediately available again if the suspicion of illegal activities is not confirmed.

Additionally, the general provisions on liability and on the consequences of a breach of contract apply because the infringement of intellectual property rights or an illegal use of the cloud service constitutes a breach of contract.

Typical terms covering termination

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering termination?

Often a minimum contract term is agreed. A minimum contract term of one or two years is common practice. Most of these contracts are automatically extended (usually by one year) if the contract is not terminated on time (often with three months’ notice to the end of the calendar year).

It is also popular to agree an unlimited contract term with a right of periodic termination (for example, at the end of each quarter). In many cases, the right to ordinary termination is then excluded for a certain period (usually one to two years).

Furthermore, detailed agreements are regularly made for termination without notice for a compelling reason. The reasons for such a termination are often specified by way of examples that, typically, include a significant deterioration of the financial situation of the contractual partner, significant payment defaults by the customer as well as significant defects and failures of the cloud service.

Regarding the consequences of termination, it is common practice to clarify that all data stored in the cloud by the customer must be returned without undue delay. Often the cloud provider is obliged to support the customer in migrating his or her data from the cloud to another cloud provider or to the customer’s own IT system. Additionally, it is usually regulated how long the cloud provider has to store the customer’s data after a termination and what additional service fees the provider may charge.

Employment law considerations

Identify any labour and employment law considerations that apply specifically to cloud computing in your jurisdiction.

If a customer of cloud services has a works council, the provisions of the Works Council Constitution Act must be taken into account when introducing and using cloud services. The customer may be obliged to inform the works council on the introduction of a new cloud service and to discuss the effects of the respective cloud service on employees with the works council. In addition, the works council may also have mandatory statutory co-determination rights.

Taxation

Applicable tax rules

Outline the taxation rules that apply to the establishment and operation of cloud computing companies in your jurisdiction.

A cloud provider located in Germany and using infrastructure located in Germany is subject to German income tax. The German income tax is governed by various laws - in particular, the German Corporation Tax Act and the German Income Tax Act.

In cross-border cases, for example, a German cloud provider uses infrastructure in foreign countries or a foreign cloud provider uses infrastructure in Germany, the crucial question is if and where a permanent establishment exists in order to determine in which country and to what extent the incomes of the respective cloud service are subject to income tax. In these cases, double taxation agreements are particularly relevant.

Additionally, cloud providers operating their business in Germany may be subject to trade tax charged by the municipalities.

Both, the income tax and the trade tax are, in principle, calculated on the basis of the annual profit. According to the OECD, in 2016, the average combined corporate tax rate - considering income tax and trade tax - was 29.83 per cent.

Indirect taxes

Outline the indirect taxes imposed in your jurisdiction that apply to the provision from within, or importing of cloud computing services from outside, your jurisdiction.

There are no specific taxes imposed on cloud services. However, cloud service provided in Germany can be subject to the German VAT depending on where the cloud provider and the customer are located.

Recent cases

Notable cases

Identify and give details of any notable cases, or commercial, private, administrative or regulatory determinations within the past three years in your jurisdiction that have directly involved cloud computing as a business model.

There are no notable cases in the past three years in Germany that have directly involved cloud computing as a business model.

Update and trends

Update and trends

What are the main challenges facing cloud computing within, from or to your jurisdiction? Are there any draft laws or legislative initiatives specific to cloud computing that are being developed or are contemplated?

The implementation of the GDPR is a main challenge in the context of cloud computing. Many provisions of the GDPR are formulated rather vaguely and generally. In practice, there are many uncertainties in the interpretation of the GDPR, which are still to be clarified by the courts, the supervisory authorities and the legal literature. This development requires constant monitoring and, if necessary, adjustment of the measures taken to implement the GDPR.

Furthermore, it is currently being discussed in Germany and at EU level whether the legislator should regulate the ownership of non-personal data as a specific right and how such a right could be structured. In particular, the question arises as to who should retain ownership of newly generated data. The creation of such data ownership would likely have a significant impact on the design of contracts for cloud services.

There are currently no significant reform projects on the legal framework for cloud computing in Germany.