GC-05 Information on how investigation requests from government agencies are handled

1. Overview

In the description of the cloud service provider's system of internal control relevant to the development and operation of the cloud service, the cloud service provider presents comprehensible and transparent information on how investigation requests by government agencies for access to or disclosure of cloud service customer data are handled. The information includes the following aspects:

1. Procedures to verify the legal basis of such requests;
2. Procedures for informing and involving the affected cloud service customers upon receipt of such requests;
3. The ability of the affected cloud service customers to object;
4. Whether the cloud service provider stores cloud service customer data or cloud service derived data in unencrypted form;
5. Whether the cloud service provider has the ability to decrypt cloud service customer data or cloud service derived data in case of such requests, and how this ability for access or disclosure is used;
6. The number of investigation requests for cloud service customer data or cloud service derived data and the countries from which these requests originate; and
7. How often those requests resulted in the cloud service provider sharing cloud service customer data or cloud service derived data with the government agency.

The scope of the information corresponds to the needs of the subject matter experts of the cloud service customers who define information security specifications, implement them or validate their implementation, and assess the suitability of the cloud service from a legal and regulatory point of view (e.g. IT, compliance, internal audit).

Additional information on the technical procedures for data disclosure is to be communicated to cloud service customers according to INQ-04. If the description of the cloud service provider's system of internal control covers multiple cloud services, differences in the technical procedures between those services are to be detailed in the information provided.

The legal basis on which these government agencies (e.g. law enforcement agencies, intelligence services) act may vary from country to country. In particular, the jurisdiction applicable at each location where cloud service customer data and cloud service derived data are processed, stored and backed up must be considered.

In Germany, such powers are governed by the laws of the German Federal Criminal Police Office (or the laws of the respective state offices), various procedural codes for courts and the laws for intelligence services (BNDG, BVerfSchG, respective laws on the constitutional protection offices of the federal states, MADG) and the G10 Act.

Further regulations applicable within the EU include, for example, the Budapest Convention on Cybercrime (ETS No. 185) as well as the EU directives 2023/1543 and 2023/1544, which establish a legal framework for obtaining and securing electronic evidence in criminal proceedings across EU Member States.

In other countries, other laws are relevant, and the cloud service customer may only occasionally become aware of them through the media, e.g. the CLOUD Act ('Clarifying Lawful Overseas Use of Data Act') of the United States of America or the Cyber Security Law of the People's Republic of China. In conjunction with the other information on the cloud service, the cloud service customer should be able to use this information to carry out a risk assessment of whether and how these laws are relevant to it.