Market overview

Kinds of transaction

What kinds of cloud computing transactions take place in your jurisdiction?

All types and service models of cloud computing are used in Germany. In the private sector, and both in B2B and B2C relationships, the use of software-as-a-service (SaaS), infrastructure-as-a-service (IaaS) and platform-as-a-service (SaaS), including storage, is common. Due to security concerns, companies prefer private cloud computing rather than a public cloud. However, according to the most recent ‘Cloud-Monitor’ - a study by German industry association Bitkom - public cloud models are gaining ground, with more and more companies willing to store information in public clouds. Nevertheless, the most important factor for companies in selecting a cloud provider is compliance with the EU General Data Protection Regulation (GDPR).

German government agencies also increasingly rely on the ‘federal cloud’, a light house project established in 2016 and operated by the Federal Information Technology Centre (ITZ Bund). The federal cloud offers all service models including IaaS (eg, Federal Cloud Server), PaaS (eg, Federal Cloud Development Environment) as well as SaaS (eg, Federal Cloud Runtime Environment) and is to become the standard for federal authorities. It ensures that all data are stored on servers within Germany. In addition, and subject to certain requirements, federal and regional public authorities also use cloud services offered by private German and global providers.

Active global providers

Who are the global international cloud providers active in your jurisdiction?

Apart from the three most prominent cloud service providers, Amazon (Amazon Web Services), Microsoft (Azure) and Google (Google Cloud Platform), many other global enterprises offer cloud services in Germany. Especially IBM, Alibaba, Deutsche Telekom, Oracle, Exoscale and Profitbricks hold an appreciable position on the German cloud computing market.

The German business community is increasingly opening up to both existing and new cloud services. The market is likely to remain attractive and profitable for the industry’s global players.

Active local providers

Name the local cloud providers established and active in your jurisdiction. What cloud services do they provide?

Even though two-thirds of all cloud users rely on global providers, there is a distinctive market in Germany for local cloud providers offering their own variety of services. These smaller players (eg, Strato) offer secure and innovative cloud solutions, and often specialise in a particular type of cloud solution or service.

Market size

How well established is cloud computing? What is the size of the cloud computing market in your jurisdiction?

The German cloud computing market offers diverse solutions and services, and is fast-expanding. Cloud services are accepted and used by a growing number of companies, including numerous small and medium-sized enterprises (SMEs). Also, Microsoft is reported to reintroduce a new version of its German cloud after previously having discontinued this service for German customers in September 2018. According to statistical reports published by Statista, currently the German market’s volume is €4.5 billion for SaaS, €421 million for PaaS, and €705 million for IaaS. Total turnover for the (B2B) cloud computing sector is forecast to be €22.5 billion in 2020.

Bitkom’s ‘Cloud Monitor 2019’ also evidences that cloud computing in Germany continues to grow. In 2018, three out of four companies (73 per cent) used cloud computing services, compared to two-thirds (66 per cent) in 2017. A further 19 per cent of the enterprises surveyed intend to use a cloud in the future. For only 8 per cent of enterprises, cloud services are not an option. Remaining concerns, especially of smaller enterprises, are data protection or integration issues, and fear of losing control of the cloud computing service.

Impact studies

Are data and studies on the impact of cloud computing in your jurisdiction publicly available?

Several studies on cloud computing in Germany are publicly available (eg, Bitkom’s annual Cloud Monitor, see question 4) or studies by the Federal Office for Information Security (BSI). In addition to market figures, trends and the overall attitude of companies as regards cloud computing, such studies also provide more specific insight, such as the decisive factors for cloud users in Germany and of the remaining challenges of cloud computing for German enterprises.

Recently, the European Commission launched a study to assess current and future energy consumption and state-of-the-art cloud computing services in Europe. The study aims to develop recommendations for energy-efficient cloud computing, particularly regarding future research and development, green public procurement and market policies. The study is expected to be finished in early 2020.

Policy

Encouragement of cloud computing

Does government policy encourage the development of your jurisdiction as a cloud computing centre for the domestic market or to provide cloud services to foreign customers?

There is no government policy generally promoting establishment of cloud computing centres in Germany. Rather, the programmes in place encourage cloud providers to meet certain quality and security standards, thereby improving their market position.

One example is the Trusted Cloud project, originally a governmental subsidy programme that today is led by a non-profit organisation. The project provides certification (Trusted Cloud Label) and a marketplace for ’trusted’ cloud services through the Trusted Cloud Portal. The criteria for certification include IT and data security, quality and transparency, data protection and service contracts (details on www.trusted-cloud.de). The portal aims at both cloud users and providers; however, primarily it targets SMEs.

The government agency BSI offers another standard, ‘Cloud Computing Compliance Controls Catalogue’ (C5), which primarily addresses large and medium-sized enterprises and focuses on IT security and transparency. C5 is more detailed with higher thresholds than Trusted Cloud, and C5 certification is deemed to also evidence that the requirements for TOMs under GDPR are met.

The German federal government also provides for its own ‘federal cloud’ infrastructure (see question 1), which currently is only available to federal institutions.

Incentives

Are there fiscal or customs incentives, development grants or other government incentives to promote cloud computing operations in your jurisdiction?

There are no specific tax or custom incentives or other government subsidies for cloud computing in Germany.

However, both the federal government and the governments of the German federal states offer a wide variety of state aid programmes to promote digitisation of the European or German economy. In particular, support is provided to SMEs for digitisation projects, but usually only for the users of cloud infrastructures (and not for providers). The platform www.foerderdatenbank.de provides a comprehensive overview of available subsidies.

Legislation and regulation

Recognition of concept

Is cloud computing specifically recognised and provided for in your legal system? If so, how?

There is no legal framework in Germany specifically for cloud computing. Therefore, cloud computing services are subject to general laws such as the German Civil Code, the German Commercial Code, the GDPR, the German Copyright Act or the rules against unfair competition.

Governing legislation

Does legislation or regulation directly and specifically prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

The only specific legislation governing cloud computing is German IT security law (BSIG), which now also implements the EU NIS Directive. The BSIG imposes certain IT security obligations on providers of critical infrastructure.

Pursuant to section 2, paragraph 11 No. 3 BSIG, cloud computing qualifies as ‘digital services’ that enable ‘access to a scalable and elastic pool of commonly usable computing resources’. Generally, cloud computing services do not fall under the definition of critical infrastructure of the BSIG and associated regulations (except for cloud services operated by state or federal administration, eg, the ‘federal cloud’). However, non-governmental cloud services may qualify as critical infrastructure for the information technology and telecommunications sector in the future, and would then have to meet requirements under BSIG. Also, and more importantly, where a provider of a critical infrastructure uses a cloud service, it will try and contractually impose the legal requirements on the cloud provider.

BSIG stipulates various IT security requirements for providers of cloud services of a certain size, including the obligation to take adequate technical and organisational measures to maintain a level of IT security that minimises risks to the security of the network and information systems used for the service. Cloud providers that are subject to BSIG also must report to BSI all security incidents that have significant impact on the respective service.

What legislation or regulation may indirectly prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

A variety of German regulations and legislation may have indirect impact on cloud computing services. In addition to the general provisions of the German Civil and Commercial Codes and the rules against unfair competition, particular attention should be paid to the relevant data protection provisions of the GDPR and the German Data Protection Act. However, each cloud computing service may face specific issues depending on its business model and offerings.

Software made available via cloud computing may be subject to German copyright law. While software packages made available via cloud are usually used online without being copied to the user’s device, the use may still qualify as an action that requires a licence (contrary to a mere copyright neutral enjoyment of a work).

The provisions of the German Telecommunications Act (TKG) may apply to cloud computing services only in exceptional cases (ie, if the service qualifies as a telecommunications service within the meaning of section 3, No. 24 TKG, eg, because it includes Voice-over-Internet-Protocol, video conferencing, instant messaging or email services). In this case, the service would be subject to strict rules of secrecy of telecommunications and obliged to register with the Federal Network Agency.

Breach of laws

What are the consequences for breach of the laws directly or indirectly prohibiting, restricting or otherwise governing cloud computing?

Under German law, there is no general consequence applying to legal violations in the context of cloud computing. Depending on which provisions are violated, the following main types of consequences or sanctions must be considered.

If providers or customers do not comply with regulatory requirements, this may trigger administrative proceedings. This may, for example, result in investigations, conditions to be completed or even prohibition of the practice complained about, or, in exceptional cases, of the respective cloud service.

In the case of certain infringements, supervisory authorities may also impose administrative fines on cloud providers or users, for example, in the area of data protection. According to the GDPR, fines of up to €20 million or 4 per cent of the worldwide turnover of the preceding financial year, whichever is higher, may be imposed on providers or customers who operate or use cloud computing services not in compliance with the requirements.

Certain particularly serious infringements may result in criminal liability. Currently, German law only holds individuals liable under criminal law (however this may change as it is being discussed to extend criminal liability to enterprises). For example, employees of the cloud provider may be liable to prosecution for certain forms of illegally tampering data. In addition, if a cloud provider is commissioned by persons subject to professional secrecy (eg doctors, attorneys, tax advisors), the provider’s employees may also be liable if they disclose information protected by professional secrecy to third parties (section 203, paragraph 3 German Criminal Code).

If cloud providers violate certain regulations of unfair competition law, competitors or customers may claim injunctive relief or damages, or both. As far as consumer protection regulations are concerned, also consumer protection organisations are entitled to issue warnings against such cloud providers and to claim injunctive relief.

Consumer protection measures

What consumer protection measures apply to cloud computing in your jurisdiction?

German law provides for a range of consumer protection measures, of which the rules on distance selling (sections 312c et seq German Civil Code) have notable impact on cloud services. Among other obligations, providers are subject to extensive information requirements (eg on provider details, scope of services, total costs, warranty). Consumers also have a 14-day withdrawal right from the contract.

In addition, the provisions in sections 305 et seq German Civil Code on the use of standard terms and conditions restrict provider-friendly drafting, and prohibit surprising or unequitable terms, particularly in B2C contracts. Restrictions include controls on the exclusion and limitation of liability, dispute resolution clauses, venue and governing law, contractual penalties, or contract term. These provisions are mandatory law that, vis-à-vis customers residing in Germany, cannot be circumvented by choice of a different law.

Regulation (EU) No. 524/2013 on online dispute resolution for consumer disputes imposes further information obligations on providers.

Sector-specific legislation

Describe any sector-specific legislation or regulation that applies to cloud computing transactions in your jurisdiction.

There is no general cross-industry and cross-sector legislation for cloud computing in Germany. However, the BSI Act (BSIG) contains industry- and sector-specific IT security requirements for operators of critical infrastructure such as energy, telecommunications, insurance or health. If companies in these critical sectors use (or provide) digital services such as cloud computing, they may have to comply with increased requirements for technical and organisational measures to protect their IT systems, and to report significant IT security incidents to BSI. In 2017, BSI also published a Cloud Computing Compliance Controls Catalogue (C5; see also chapter 6) defining criteria for assessing IT security of cloud services. Based on international standards, C5 provides companies with a uniform and generally recognised framework for ensuring IT security in cloud computing.

In addition, companies in specific sectors need to comply with industry-specific legal requirements, for example:

  • the German Banking Act, Payment Services Supervision Act, German Securities Trading Act, Investment Act regulate the financial sector;
  • the Insurance Supervision Act applies to insurance companies;
  • Companies in the energy sector are subject to the Electricity and Gas Supply Act; and
  • the telecommunications sector is governed by the TKG.

Companies in the healthcare and legal sectors are subject to certain provisions of the German Criminal Code and rules of conduct.

The respective supervisory authorities usually issue guidelines to specify these sector-specific requirements. For example, federal financial supervisory authority BaFin provides detailed information on the legally compliant use of IT, including cloud computing, for the financial sector, particularly regarding IT security, contractual design and data protection. In the public sector, the resolutions of the Council of IT Officers (2015) and the IT Planning Council (2016) provide criteria for the use of cloud services by the federal administration (cloud services of private providers may only be used subordinately, and data may only be stored in Germany and may not be subject to disclosure or publication obligations, such as the US CLOUD Act).

Insolvency laws

Outline the insolvency laws that apply generally or specifically in relation to cloud computing.

As there is no specific insolvency law for providers of cloud computing or other IT services, the general German Insolvency Statute applies (if German insolvency law is applicable under conflict of laws rules).

For most insolvent companies an insolvency administrator will be appointed. The administrator is generally free to either continue to perform, or to refuse to perform, the ongoing obligations of the cloud computing contract.

If the customer of a cloud provider becomes insolvent, the administrator is likely to refuse performance of the contract and to cease payments, in which case the provider is entitled to cease provision of the services due to payment defaults. The administrator may also elect to continue the contract for a limited time if necessary (and feasible) for the administered company but then needs to pay for (future) services.

If the cloud provider files for insolvency, the administrator may choose to refuse performance (ie, stop the provision of services). In this case, customers should in most cases be entitled to claim separation of their stored data, and the migration or deletion of such data. The practical enforceability of such a claim may, however, depend on whether the insolvency estate has sufficient funds to operate the respective servers. If not, the administrator (or hardware provider) will switch off the servers and prevent further access to the customers’ data. Should the cloud provider’s administrator elect to continue the contract, the services will be available irrespective of the insolvency proceedings. Customers will then have to assess whether they have a contractual right to terminate the cloud computing contract, which remains enforceable in the provider’s insolvency.

A contractual termination right in the event of the other party’s insolvency is often unenforceable under German law.

Data protection/privacy legislation and regulation

Principal applicable legislation

Identify the principal data protection or privacy legislation applicable to cloud computing in your jurisdiction.

In Germany, any (automated) processing of personal data is governed by the GDPR and the supplementing provisions of the Federal Data Protection Act. If cloud solutions are used, login data and other content containing personal data are typically transferred to and processed by the provider. Therefore, ensuring compliance with applicable data protection law is a crucial issue for cloud computing services.

GDPR applies to cloud providers and customers established in the EU/EEA, regardless of whether the processing of data takes place in the EU/EEA or the data pertains to EU/EEA residents. Providers established outside the EU/EEA may also be subject to GDPR, particularly if they address the German market or offer cloud services to individuals residing elsewhere in the EU/EEA. If they offer their services to corporate customers established in the EU/EEA, those customers will impose certain obligations under GDPR on cloud providers by means of a data processing agreement, standard contract clauses and similar instruments.

GDPR stipulates various requirements for the processing of personal data. If a provider or customer fails to comply with relevant requirements, fines of up to €20 million or 4 per cent of the worldwide turnover of the preceding financial year may be imposed, depending on the nature and severity of the infringement. In addition, the supervisory authority may carry out investigations including data protection audits, or order the respective entity to remedy the violation (eg, to change processes or even to cease using a particular service).

The following requirements are particularly relevant for cloud computing.

From a GDPR perspective, it is usually the cloud user who is deemed responsible controller deciding on the processing of personal data, while the cloud provider is deemed to process data on behalf of the user. To comply with GDPR, the parties must conclude a data processing agreement with certain minimum contents pursuant to article 28 GDPR. This includes provisions obligating the cloud provider to only process data per the customer’s instructions, and to not use subcontractors without the customer’s consent.

If cloud services are based on infrastructure located outside the EU/EEA, personal data are transferred to third countries. If there is no adequacy decision adopted by the EU Commission for the respective third country (eg, the United States), under GDPR the parties are required to ensure appropriate safeguards achieving an adequate level of protection. To that end, providers (and any subcontractors) and customers usually enter into EU standard contract clauses for processors. If the provider or subcontractor is located in the US, they can alternatively obtain certification under the EU-US Privacy Shield, which also establishes an adequate level of protection.

Cloud providers must also sufficiently evidence to have implemented appropriate technical and organisational measures (TOMs) for data processing, and to ensure protection of the rights of customers, employees, or other third parties.

To provide practical guidance on how to use cloud computing solutions in compliance with data protection law, German supervisory authorities have issued a joint guideline. This guideline ‘Cloud-Computing Version 2.0’, issued in 2014 by the Conference of Data Protection Commissioners of the Federal Government and the States, summarises the most important risks when processing data in clouds, requirements for the contractual set-up of cloud services, and recommendations for technical and organisational requirements. Since the guideline still refers to the legal situation before GDPR entered into force, an updated version is currently being drafted.

For cloud providers subject to US law, the obligations to disclose data under the US Cloud Act is particularly problematic. According to a statement of the European Data Protection Board, there is no valid legal basis for such data transfers to authorities in the US except in few exceptional cases. Furthermore, it is unclear whether customers also violate the GDPR, and therefore risk a fine, when using a US cloud provider.

Cloud computing contracts

Types of contract

What forms of cloud computing contract are usually adopted in your jurisdiction, including cloud provider supply chains (if applicable)?

As cloud services exist in various forms, their provision cannot uniformly be characterised as a specific type of contract under German law. There is also no consistent case law on this issue. While most cloud computing contracts will be a hybrid of different contract types, the following may serve as a guideline:

  • IaaS: The provision of storage capacity usually qualifies as a lease contract, while the provision of computing power classifies as a service contract;
  • PaaS: Access to infrastructure for development tends to be a lease contract; and
  • SaaS: Such contract on providing software usually qualifies as a lease contract (or a loan contract if the SaaS service is free of charge).

However, accurately classifying a cloud computing contract will always depend on the individual circumstances. To minimise the considerable legal uncertainties, cloud computing contracts (both individual contracts and standard business terms) typically comprehensively describe the terms of use of the respective services as well as other relevant issues.

Typical terms for governing law

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering governing law, jurisdiction, enforceability and cross-border issues, and dispute resolution?

According to article 3 of the Rome I Regulation (EC No. 593/2008), the parties in B2B cloud computing relationships are free to choose the governing law both in individual contracts or standard business terms. For German cloud providers, the choice of German law is usually non-negotiable, whereas large global providers regularly insist on the law of the country of their primary establishment.

The place of jurisdiction is typically chosen corresponding to the governing law. Agreements on enforceability or (other) cross-border issues, however, are uncommon in cloud contracts.

Arbitration clauses have become more common in cloud contracts, but still are not typical in Germany.

Typical terms of service

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering material terms, such as commercial terms of service and acceptable use, and variation?

If the cloud service is not free of charge, the cloud computing agreement usually provides for prices and payment modalities. In the case of IaaS and PaaS, providers often charge by time or volume of processed data, based either on actual usage (actual on-demand service) or on capacity held. SaaS are often billed at a fixed price per user or application, or based on actual usage (eg, per time). Additional services such as training or data migration are usually charged separately.

Price adjustment clauses in cloud computing contracts are quite common. In order for such clauses to be enforceable, the price increase may only be linked to comparable products pursuant to the German Price Clause Act. If the price adjustment is included in standard business terms, it must also meet the requirements in section 305 et seq German Civil Code, particularly regarding transparency and adequacy or equity. Benchmarking clauses are probably more common.

Most cloud computing contracts include an acceptable use policy (AUP) which prohibits the use of the services for illegal activities (eg, infringing third-party intellectual property or other rights, sending email spam, or spreading viruses or other malware). Often, such AUP also prohibits excessive use. If users violate these rules, the cloud provider typically reserves the right to terminate the contract.

Typical terms covering data protection

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering data and confidentiality considerations?

Data protection is an indispensable issue in cloud computing because of the underlying processing of personal data and its inherently cross-border nature. Nevertheless, cloud framework agreements typically do not contain detailed data protection provisions in their main body, but refer to stipulations in annexes. Mostly, the customer and the cloud provider enter into a data processing agreement in accordance with article 28 GDPR. Where international data transfers take place, EU standard contract clauses are typically concluded and added as another annex.

Typical terms covering liability

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering liability, warranties and provision of service?

As the contractual relationship is often based on the cloud provider’s terms and conditions, their liability is typically excluded as far as legally permitted, and capped at a maximum amount either per event of damage or for all claims arising from the contract.

However, according to German law governing standard business terms, standard terms may not limit liability for damage to life and health and for damage caused by gross negligence or wilful misconduct. To enforceably further limit or exclude the provider’s liability, the liability clause needs to be individually negotiated.

Most cloud contracts include specific Service Level Agreements (SLAs) containing performance obligations, obligations regarding the availability of service or timely response of a helpdesk, etc. The customer will typically have to accept the provider’s standard SLAs. While SLAs usually contain sanctions such as penalties or price reductions for failure to meet the stipulated standard, such penalties are often limited to fairly low amounts.

Further, a cloud contract should contain warranties regarding business continuity and disaster recovery.

Typical terms covering IP rights

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering intellectual property rights (IPR) ownership in content and the consequences of infringement of third-party rights?

Typically, the provider grants to the customer a non-exclusive, non-transferable licence to use the provider’s platform and - for example, for SaaS services - the provider’s access or other software. The provider usually warrants to hold all necessary rights or licences to provide the services to the customer. The provider may further agree to defend and hold harmless the customer from any claims made against it by a third party due to an alleged infringement of IPR by the cloud service. However, such indemnification by the provider is not typical unless the customer has considerable leverage.

The customer may not modify the provider’s software or use it in any unauthorised way, and has to impose any obligations and usage restrictions under the cloud computing contract on their customers. The customer will need to warrant that it holds all necessary rights to content stored in the cloud, and that the storage, use or transfer of the contents does not violate applicable laws or third-party right. The customer must also hold harmless and indemnify the provider from and against any third-party claims (including reasonable legal costs) made owing to unlawful actions or a breach of warranty by the customer.

The cloud provider regularly reserves the right to suspend provision of service, or even terminate the contract, if there is reasonable evidence of a violation of third-party rights or other unlawful use of the service by the customer (or any of its customers). The provider will sometimes also reserve the right to perform licence audits, and oblige customers (and their customers) to cooperate in such audits.

Also, for any breach of IPR warranties or obligations, the (contractual and/or statutory) general provisions on liability and on the remedies for breach of contract apply, including injunction of the violation and payment of damages.

Typical terms covering termination

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering termination?

Cloud computing contracts can be entered into for an unlimited contract term or for a fixed term, (typically for one or two years). However, usually any fixed term will be extended automatically if the contract is not terminated by one of the parties.

Any cloud services contract may further usually be extraordinarily terminated without notice for good cause. The conditions for extraordinary termination as well as circumstances establishing a ‘good cause’ are usually specified in cloud computing contracts. They commonly stipulate a right of extraordinary termination in the event of serious and repeated breaches of duty, such as major failures of the cloud service or significant payment defaults by the customer.

It is highly recommended to provide for an exit management. Otherwise, there is a risk that the cloud services will cease to be available to the customer immediately after the contract is terminated. As part of the exit management, the cloud provider is typically obliged to continue to provide services for a specified period after termination of the contract, and to support the user in transitioning the cloud services (and migrating data) to a new provider’s (or the user’s own) systems.

Employment law considerations

Identify any labour and employment law considerations that apply specifically to cloud computing in your jurisdiction.

The introduction of cloud computing services by a company may be subject to participation rights of third parties under German employment law.

If a data protection officer has been appointed by the company, they must be informed prior to the introduction of cloud computing applications qualifying under article 38 GDPR and sections 6 and 38 of the Federal Data Protection Act.

If a works council exists in a company of cloud computing, it must be informed about the introduction at the preliminary planning stage. The works council also has a right of co-determination with respect to the introduction and use of technical equipment intended to monitor the behaviour or performance of employees, which is why the introduction of cloud computing services, owing to its technical possibilities, may require prior consent of the work council.

While unlikely, the introduction of cloud computing may qualify as a change of business if it leads to extensive changes in the company’s organisation or work processes, or triggers a major reduction in personnel. In this case, a reconciliation of interest procedure with the works council would have to be conducted, as well as a social plan concluded.

Taxation

Applicable tax rules

Outline the taxation rules that apply to the establishment and operation of cloud computing companies in your jurisdiction.

Companies established in Germany are subject to income tax and trade tax (regarding VAT see question 25). Any individual or corporation starting a business in Germany is obligated to notify the responsible tax office before commencing business.

Income tax for individuals is governed by the German Income Tax Act and for corporations by the German Corporate Income Tax Act. Partnerships as such are not subject to income tax but treated as transparent and the profit shares are to be taxed by its partners. For individuals the tax rates vary from 14 per cent to 45 per cent. For corporations the tax is 15 per cent. In addition, there is a ‘solidarity surcharge’ of 5.5 per cent on the amount of income tax due.

Businesses (and partnerships) are also subject to trade tax. The basis for trade tax is the taxable profit for income tax purposes with certain additions and reductions. The tax rate depends on the place of establishment, and generally varies from 7 per cent to 18 per cent.

In addition, companies may be subject to withholding obligations. The most important withholding taxes for cloud computing providers are for the salaries of its employees (wage tax) and on licence fees (at a rate of 15 per cent) if paid to recipients outside Germany.

Foreign cloud computing companies providing services to customers in Germany are not subject to income tax or trade tax unless they maintain a permanent establishment in Germany. While the use of storage capacity on computers located in Germany as such is not considered to create a permanent establishment, maintaining (owned or rented) computers in a designated area of a building may qualify as permanent establishment and trigger income and trade tax liability. The fees paid for cloud computing services are generally not qualified as licence fees, and therefore not subject to withholding tax if paid by German customers to foreign cloud providers.

Indirect taxes

Outline the indirect taxes imposed in your jurisdiction that apply to the provision from within, or importing of cloud computing services from outside, your jurisdiction.

Regarding VAT on cloud computing services supplied from outside of Germany to customers in Germany, there is a distinction between services rendered to VAT payers and services rendered to consumers.

For B2C transactions, cloud computing services qualify as electronic services, which are deemed to be supplied and subject to VAT at the place of the customer’s residency or establishment. Hence the provider is liable for VAT, at a standard rate of 19 per cent.

For B2B transactions, although the service is deemed to be performed and subject to VAT at the place of the customer’s establishment, not the supplier but the customer is liable for the tax (reverse charge mechanism).

The fact that the customer is a business must be evidenced by providing a valid VAT identification number.

Foreign cloud computing companies rendering only electronic services to consumers in Germany may claim any VAT incurred in Germany under the refund procedure.

If cloud computing takes place between two German parties, and only local facilities are used for the service, there are hardly any tax differences compared to other commercial services.

Recent cases

Notable cases

Identify and give details of any notable cases, or commercial, private, administrative or regulatory determinations within the past three years in your jurisdiction that have directly involved cloud computing as a business model.

In the past three years, there has not been notable German case law, nor have there been commercial, private, administrative or regulatory determinations in Germany, directly involving cloud computing as a business model.

Update and trends

Key developments of the past year

What are the main challenges facing cloud computing within, from or to your jurisdiction? Are there any draft laws or legislative initiatives specific to cloud computing that are being developed or are contemplated?

Key developments of the past year27 What are the main challenges facing cloud computing within, from or to your jurisdiction? Are there any draft laws or legislative initiatives specific to cloud computing that are being developed or are contemplated?

From a purely legal perspective, and leaving business considerations aside, the main challenges for both providers and users of cloud services certainly are security, meeting legal and industry security requirements as well as balancing effective and customer-friendly workflows against proper security safeguards. While there currently are no cloud-specific legislative initiatives, etc, there are several envisaged changes that will certainly affect cloud providers, such as the planned revision of the EU product liability directive (and its implementation into national laws).