Introduction
This episode features another interview with an absolute expert. This time it’s Christian Müller, with whom I talk about the data protection aspects of introducing Microsoft 365, with a special focus on Volksbanken and Reifeisenbanken and DATEV tax consulting. But even if you are a normal company in quotes, this episode is definitely worthwhile, because you should always make sure that data protection does not become a crime on the other side, but that you also have the right guard rails left and right so that you can travel safely and quickly on the digital highway. I wish you lots of good ideas and lots of fun with this interview. Here’s another episode of Switch on the brain first, then the technology. And Switching on your brain first, then technology, naturally also includes the topic of data protection. And the diligent listeners of my formats know that I often refer to data protection officers as data protection officers in Germany, because I often notice that the crash barrier is not placed to the left and right of the road where it belongs, but across the road. And I have some good news. I’m the one with the three stripes on my shoulder.
One means yes, can read, two stripes can read and write, three stripes means he knows someone who can read and write. And I know someone who definitely has no tea before the topic of data protection, but a D, the dear Christian Müller, who is an absolute professional on the subject of data protection, but also has the huge advantage that he is also extremely well versed in IT, so he is not only someone who knows the legal part, but also the IT part and has a whole lot of experience in the banking sector, has years of experience as a consultant, as a consultant there – I have to say, decades of experience with both of us – we’ve both been young for a bit longer. With this in mind, welcome and thank you very much for taking the time, Christian.
Christian Müller
Yes, thank you very much, dear Thorsten. Thank you for the good moderation. Well, let’s hope that we can now find an interesting part for everyone involved and not just talk about the “security kills usability” procedure, which is often the case, but also reveal how it can really work and what makes sense.
Thorsten Jekel
Absolutely. That’s exactly the issue. We talked about it briefly beforehand, as I am also supporting Volks- and Raiffeisen banks with the introduction of Microsoft 365, among other things. And in this context, there is always one major topic that is important there: DPIA. Why don’t you tell us what DSFA is, what it’s all about and what the right approach is?
Christian Müller
First of all, I can reassure you: DPIA is not a Polish word with four letters. In principle, it is a risk assessment. And when new technologies are introduced, what risks can a company face from a data protection perspective? Because data protection means that everything is prohibited unless it is permitted. And that’s why you also have to check when you introduce new technology, what risks do I have from the customer’s perspective? Because you can’t forget one thing: It is actually a fundamental right that we are talking about here, that the data of customers or employees or even suppliers is particularly worthy of protection, because I think everyone can imagine what happens when personal data disappears on the dark web, then you suddenly get new subscriptions or your bank account is empty. And I think these are the use cases where data protection makes sense, and one part is always the technology. And that’s why you start with a risk analysis with this data protection impact assessment.
Thorsten Jekel
And now I have another stupid question. Atruvia is the data center of the Volksbanken and Raiffeisenbanken and there are the Volksbanken and Raiffeisenbanken. And there is also Microsoft, if you take it again, where I have three partners and say: Who is ultimately responsible? As a bank, can I say: Yes, that’s the data center. In simple terms, I have nothing to do with that. Is the bank ultimately responsible? How should this issue of responsibility be seen, especially for the Volksbank and Raiffeisenbank?
Christian Müller
So basically, no matter what type of contract I have or no matter with whom I make the contracts and no matter in which country, the responsibility for the data lies with the responsible body, which in this case is the Volksbank and Raiffeisenbank.
Thorsten Jekel
This means that they have to deal with the issue. They can’t just say: Is the data center the Atruvia? No. In other words, as a Volksbank and Raiffeisenbank, I definitely have to deal with this issue. In other words, from the perspective of the GDPR, not only from the perspective of the association audit and BaFin, i.e. 44 audit, but also from the perspective of the GDPR.
Christian Müller
Yes, and then BAIT has something else to present again. BaFin also has a corresponding information sheet on the topic of cloud outsourcing. Now there is also the topic of Dora, which further intensifies the entire topic of cybersecurity, i.e. Dora as a further regulation in addition to the GDPR. Another topic that many people tend to overlook is NIS2 for critical infrastructures. And as we still don’t have enough regulation, the Cyber Risk Act will be added at the end of the year. Of course, all of this has to be ready by January 1 and will then be audited on January 2. That’s the plan.
Thorsten Jekel
Yes, wonderful. So that means I thought we’d have a chat about DSFA. I’ve heard Dora in the background before, but you’ve thrown a few other topics into the mix. Does it make sense for us to do an overview first or to start with the DSFA topic? What makes the most sense from your point of view?
Christian Müller
You, let’s start with the DPIA, because everything I’m talking about has to do with a risk-based approach. And here we’re talking about the most manageable risk and the most manageable instrument.
Thorsten Jekel
Yes, wonderful. Thank you very much. To be very specific: As part of the very professional project support that the Volksbanken and Raiffeisenbanken receive from Atruvia, there is a document and it says, in addition to various risks, I would like to go through one explicitly with you. I quote, it says that the risk is data processing in the USA and other third countries (telemetry data / Cloud Act / no adequate possibility to assert the rights concerned). And then there the severity of the possible damage is characterized as manageable. So it goes from minor, manageable, substantially large. And here, manageable was taken as the severity of the possible damage. In terms of probability of occurrence, a high probability of occurrence, i.e. the highest probability of occurrence in this grid, was specified in the assessment, resulting in a medium risk. What is your assessment of this assessment, which is practically a default value from the data center? Because I’ve been approached by some banks and they say: Mr. Jekel, how do you see it? And that’s why I said I’d ask someone who deals with this topic all day long, namely you, Christian.
Christian Müller
So I would have supported that one to one if we had discussed it nine months ago.
Thorsten Jekel
Yes, oho, now it’s getting exciting.
Christian Müller
But that is changing, because the USA, which by definition is regarded as evil by the legal profession, as evil in the sense that it does not have the same level of data protection as Germany, yes, or the European Union. And that is based on the FISA 701 Act on the one hand. So that means that the intelligence services are allowed to force companies like Microsoft to hand over data, yes, if the worst comes to the worst. So that’s one of the reasons why the USA doesn’t have the same level of data protection.
Thorsten Jekel
Is this the Patriot Act or is it something else?
Christian Müller
That’s different. It’s different. So FISA 701, as the name suggests, is FISA. This means that the FBI and the NSA can go to Microsoft with a court order and say: I’d like to have all of Thorsten Jekel’s data now. Because we are official…
Thorsten Jekel
Does it also include the subsidiaries in Europe? Because as far as I know, that was always the discussion: does it include subsidiaries or does it not include subsidiaries?
Christian Müller
And now we’re getting into the finer points, which is why I say nine months ago. So, of course, it was then also established that this is of course not the case. Microsoft, it has to be said, and Apple, too, are stubbornly refusing to provide such information in the first place and are in fact arguing that the data is located in a geo-zone in Germany, in Ireland, in Amsterdam or in Frankfurt, Western Europe, which is why you have no access to it. In theory, the American authorities argue and say: Well, you are the parent company and you can also exert pressure on the subsidiary. As you can see, there are a lot of subjunctives. But let’s not kid ourselves, if the FBI were to pull the trigger on Microsoft, I don’t know what would happen. That’s my crystal ball … Nonetheless, we have somehow identified the Cloud Act and the Private Act, which is supposed to protect data from such attacks on a piece of paper. Let’s face it, this is paperwork and paperwork is patient. In this respect, a different solution was sought and found.
Christian Müller
The other solution that has now been found is to actually say that America and the EU have bilaterally agreed that the regulations of the GDPR will actually be respected within Germany, including internationally. And bang, the USA is suddenly seen as good. They are now on the same level as everyone else, they are good and on the same level of data protection. In other words, they are now just a short way towards the USA, at least from a legal perspective, which is currently non-existent. So. Now let’s take a look at the technical perspective. There’s a lot of discussion here: What actually is telemetric data? When Christian Müller logs in to his Office 365 from the RWM Group, he usually logs in with his email address, a password and then the authenticator, because I’m all about two-factor authentication. My telemetry data is simply okay, the IP address from which I dial in, in Germany 192, whatever. The second telemetric data is my e-mail address. The second telemetric data is: Oh, we’ve found you in the Active Directory. You’re one of the good guys. You can access the RWM Group account and that’s the telemetric data.
Christian Müller
Other telemetric data is simply: Oh, I have a connection now. I have now sent an e-mail and the telemetric data is: Okay, an e-mail has been sent from the Tenant RWM Group, which is in Amsterdam, somewhere. Like this. That’s the telemetric data. So the risk is what could happen if I’m a very, very active hacker and I mean harm, I would get my e-mail address. And that’s the risk we’re discussing right now. That’s all it really is. Then I might also have telemetry data when I’m working in teams, like we are now in our interview, where we can see your picture, we can also send each other a bit of text, we talk to each other. Telemetric data is the metadata that is transmitted, along the lines of: there’s a video conference taking place, make sure the connection is there. These are the risks that come with telemetric data and without telemetric data I don’t have the Internet. That doesn’t work. I have to make a fundamental decision: do I want to have Internet, yes or no? Once this decision has been made, then I can say: Okay, what risk can I take? And if I say, this risk that the email might be intercepted, then that’s a risk I can take. Nevertheless, there are also other technical measures such as zero trust, two-factor authentication, a whole range of technologies where I can say that I can really minimize the risk to zero.
Christian Müller
Let me summarize. For me, this is a discussion by proxy. Anyone who believes that can take a look. There is a detailed DSFA from the Netherlands. It’s freely accessible, 150 pages, where MS Teams and Office 365 have been taken apart down to the last detail. And anyone who reads through it and then places such statements next to each other can make their own well-founded judgment.
Thorsten Jekel
Yes, that’s exciting. I’ll have to make another note here. So, Netherlands. At the moment, we have spoken in the first step, which was deliberately divided, about the topic of telemetry data. Then it goes on to say that data is processed in the USA and in other third countries. This is really no longer about telemetry data, but about data. Cloud Act, so it says in brackets, Cloud Act, associated data, disclosure to US authorities and no reasonable possibility of enforcing affected rights. It says: Substantial severity of the possible damage, a manageable probability of occurrence and also a medium risk. Does that coincide with your assessment or how do you see it?
Christian Müller
It’s a matter of how I parameterize it. So basically, if you are not one of the good countries, like the EU and now the USA, you are a third country. A third country is characterized by the fact that it does not have the same level of data protection as the protected countries, so to speak. This means that the legal framework is somehow incompatible, in the sense that authorities are allowed to access data. Or there is also something technically wrong. In other words, China has a different view of data protection. The maximization principle is more important there than the minimization principle.
Thorsten Jekel
Can you make sure that the data is not lost? That’s probably their understanding of data protection.
Christian Müller
You’ll be sure to find them again. That’s for sure. And then there are Articles 40, 41 and following in the GDPR. It’s about determining test steps. This means that if I, as the responsible body, i.e. I am now a bank and Thorsten Jekel has an account with me, I am now the responsible body that must first have Thorsten Jekel’s permission to store his data, which he usually gives me when opening an account and then Thorsten Jekel can just make transfers and get account statements and the like. And as a bank, I am now also responsible for the security of this data, i.e. not only the account statement data, but also your personal data name, first name, address, date of birth. Now it is quite possible for me to say, in a global IT network: I’ll have the payments calculated in India or in Bulgaria or wherever it’s more cost-effective, so that I can then do the billing and annual financial statements. Because then I’m in the predicament of processing in a third country. Before I process in a third country, I have to go through an audit in accordance with 40, 41 GDPR and this is a step-by-step audit.
And an audit is of course a formal framework: Are there appropriate contractual safeguards in place between the party processing the data abroad and the party that processes the data as the client? And then there are several checkpoints. This means that the contract has not been secured. Are there technical organizational measures, i.e. checks? Are there any letters of comfort or risk assumption declarations? That’s a whole bundle of criteria that is checked, and then you come to the conclusion that yes, you can process the data, and I have also secured it contractually. There are standard contractual clauses that you can’t change, you have to use them. And if you also use these, then you are formally legally clean for the first time, at least from a data protection perspective. So that’s the legal side. The technical side is … Of course, I can also encrypt data. So one of the strongest mechanisms I would rather advise against, but there is the fact that I say: Okay, I am now a bank, I now have data that is also located abroad, so to speak. I don’t just want to encrypt the e-mail traffic, I don’t just want to have board encryption, I also want to have encryption for the data that is decentralized on site in the data center.
I can encrypt them and then have a key so that I can decrypt them again. And I certainly have the option of managing this key myself. This means that at the moment, with the strong key mechanisms, the performance calculator needs around 4,000 years to decrypt this key mechanism.
Thorsten Jekel
You have to wait a little longer for that.
Christian Müller
Yes, it takes a little longer. So that’s the current state of affairs. I don’t know about quantum computing. That will probably be the case in ten years’ time. Then it will be a bit shorter. But as things stand in 2024, key management would be an absolutely secure thing. And even an FBI or an NSA would bite their teeth out, because the technology also applies to them, even if they have more pimples on their shoulders.
Thorsten Jekel
And if I now take another look at the DSFA for the specific case, as proposed by Atruvia, is it substantially comprehensible from your point of view? Would you also go along with this and say, okay, this is also a point where the Volksbank and Raiffeisenbank can introduce Microsoft 365 there without hesitation, because the question is always: Is this now an issue in terms of data protection that flies in our face if I now have a 44 audit, if I have an association audit, if the data protection authorities then attack us? Of course, there are always legitimate fears, which I am always asked about.
Christian Müller
I’ll come back from the regulatory side and put data protection in position two and go to position one: essential outsourcing. In banking regulation, BAIT and VAIT, in insurance I have the topic of outsourcing essential services. Or essential IT services. That’s in the KWG, as defined in the VAG. You can find out what is essential there. Dora now comes along and says: “Oh, you also have to define important and critical.” If I know what is material and important and what is critical, then I know that I have to deal with a business process or business transaction that is particularly worthy of protection and accordingly, of course, before I expose it, and Office 365 is nothing more than an exposure, which is then additionally characterized as material and critical, so that now really comes into the light, so that I then of course also have to meet the regulatory requirements. This means that I always have to take care of the data protection impact assessment, I have to make sure that I have a security concept, I have to make sure that I have an operational management concept, that I also have a backup concept, business continuity management, all things that banks and insurance companies are very familiar with.
Christian Müller
But I have to make sure that I have it in the contract. Now the question is always: Who do I have the contract with? Do I have the contract directly with Microsoft or do I have the contract with a data center service provider, who is then again our contractual partner with Microsoft?
Thorsten Jekel
This is usually the case in the Volks- und Raiffeisenbank. This means that the Microsoft 365 service is obtained from Atruvia, the data center of the Volks- und Raiffeisenbanken. As a rule, this is how the group is organized. Exactly.
Christian Müller
Now you can think along the lines of: then I’ll buy directly from Microsoft. As a rule, Atruvia and other data centers that also provide these services for banks or state banks have even clearer, more dedicated bank-specific security mechanisms in their data centers. You would simply deprive yourself of this security package if you actually went to Microsoft. This is a matter for the technical architect and there really is a risk assessment from a technical point of view in the sense of: Where do I source these issues? Most of the Landesbanken that I know and that I have already advised in this area are also part of a data center network and precisely because of these specifics. In the case of insurance companies, they usually deal directly with Microsoft contracts, but that’s just a matter of how much risk I’m taking.
Thorsten Jekel
Exactly. So this is really about the Volks- und Raiffeisenbank doing this directly with Atruvia. So I would say that there are still a few specialized institutions in the cooperative financial group. But in principle, there were a few topics that were mentioned here again. If I take another look at the Atruvia project outline, it once again addresses the issue of compliance and data protection mitigation or mitigation, as you put it, of the risk of a GDPR breach. It says here that with contractual organizational technical precautions we reduce the minimum of a GDPR violation to a minimum. Here is the statement of Atruvia: the Court of Justice of the European Union, i.e. the ECJ, issued a ruling on July 16, 2020, according to which a GDPR-compliant use on the basis of the underlying standard installation, for example, storage in the USA, is not given. This has just been listed here as a measure: Adaptation of standard installation to GDPR, for example with customer key, local data storage, extension of the contractual basis, implementation of organizational and technical measures by Microsoft and Atruvia. And here again, testing and intention to test the measures of the on-site pilot project by Avado. These are the colleagues from the cooperative association, testing of the lake migration, coordination with ARCA data protection and ZAM-EG.
Thorsten Jekel
So these were the tips again. From your point of view, so conclusive that a Volksbank and Raiffeisenbank can say: Okay, that’s safe for me, because that’s the question that the Chairman of the Management Board asks me to say: Tell me, what’s the situation?
Christian Müller
So there is no such thing as one hundred percent security, because I would say that criminal energy in the IT sector is a race. You may be ahead, but then the pursuer comes after you. So it’s a permanent, ongoing optimization. Now it has to be said that the Dora issue has added another direction, namely that I actually have to audit, so to speak, the Microsofts of this world. This means that I already have an obligation in terms of the third-party supplier audit to form my own opinion: What does it look like whether I’m bridging into Microsoft’s data center or the association’s data center? At some point, this question will also arise as to whether I do this to get a picture on site or by joining a pool where there are several companies and one of them visits Microsoft and then reports to everyone: Attention, everything is safe, or by saying: It is enough for me if I get the certificates from the companies, but I get a higher responsibility on the subject of third party risk. So this is new. It doesn’t yet exist in the banking sector, nor in the insurance sector. Integrating this is currently one of the most time-consuming issues.
Thorsten Jekel
As a bank, can I then say, to put it simply, in my understanding I have an ADV with my data center, can I then regulate to say that you are responsible for delegating this, or what is the current legal situation?
Christian Müller
That’s the exciting thing now. Now I have to distinguish which legal area. Let’s talk about Germany and the rest of the world and, secondly, the distinction between consumer and entrepreneur. I’m going to assume the strongest law I can. I assume German law, refer to the GDPR and am an end consumer. So, Thorsten, you are now my bank, my administration Raiffeisenbank, which buys the services in a data center. So, now I’m missing out on a big loss. Data has been hacked and I say: So, I would now like to receive compensation. Article 82 GDPR. Then you say: Of course wait, I have a contract with my data center. I say: You know what, Thorsten? I couldn’t care less. According to Article 32, I can choose who is the economically stronger party, because you don’t actually have a contract processing agreement, you have a joint controllership. That means I get to choose, just like with the GbR. With the GbR, I also have a choice when I grab a tie and at that moment I am the economically stronger one or the one I can grab better by the tie. Suing Microsoft in Redmond, American law, not a good idea, very expensive, but suing a Volks- und Raiffeisenbank, i.e. in Germany, that’s already manageable.
So exculpating yourself purely on the basis of the contract will not work because the mechanism for compensation in the GDPR is different. In Germany, European law normally stipulates that I am only entitled to compensation if I have suffered material legal damage. In the English-speaking world, it is perfectly sufficient for me to claim that I may have suffered damage. This is not the famous microwave cat example from McDonald’s in the USA. It goes in the same direction. The GDPR introduces an Anglo-Saxon legal framework and says that an allegation is sufficient. That means I don’t have to provide material proof of my damage. Fortunately, there is very, very little case law on this. But the damage alone, if you make a report, let’s say I had a loan with you, I paid it off and you neglected to report to Schufa for about six weeks that the loan was settled and I find out about it. And I say: Dear Thorsten, I’ve suffered so much damage. I’m so frustrated and, and, and. There is a first judgment about this, where damages of €4,000 were actually awarded.
And that’s just a Schufa report. Now I don’t want to know how many zeros they can attach to it, but very, very few jurisdictions in this regard and I assume that this will also be closed, because it can’t be a money machine, just to claim. That misses the point.
Thorsten Jekel
But the risk exists and otherwise it is also generally true that I cannot contractually moderate liability to the detriment of the end consumer.
Christian Müller
Then I can do that, but not with end consumers.
Thorsten Jekel
In other words, I can ultimately say that I am the one who is held liable, but I can then grab my subcontractor again and say: Okay, I’ll get the damage that was claimed against me from you. That would then be the two-stage process that would probably work.
Christian Müller
Absolutely. And I can only recommend this to every company. Please check what contracts I have with end consumers and in what liability scenario – yes, even more – am I there, both consumer and entrepreneur. And what kind of obligation have I assumed when purchasing services. The question alone: liability insurance. I experienced this in a bank that purchased services in the data center. The stand … would say: We are liable up to a maximum of 50,000 euros. Oh yes.
Thorsten Jekel
I don’t see that.
Christian Müller
Never mind the gradients. Then the CFO is a bit … Yes, he says: There are still a few zeros missing. I say: No, you bought that in. You put it out to tender worldwide, you bought it in. The price is hot and if now the case … We then had the case, late payment, and that resulted in a loss of two million. They were left sitting on the two million because they couldn’t pass it on. Simply because what I bought and what I passed on were simply not identical in terms of liability. These are points that you can …
Thorsten Jekel
So it’s also worth checking your insurance cover again. Another very important topic. Another topic that I found here on the slide in the Atruvia roadmap: Microsoft has been introducing the EU Data Boundary step by step since 01.01.2023. DSK has not yet approved this Microsoft roadmap. Can you say three more sentences about what that means?
Christian Müller
Yes, so far I can already choose as a customer where my data is processed. I can say that Mr. Müller has his data processed in Amsterdam and Frankfurt and at best in the EU, but Microsoft has not given its approval for India or the USA. So, that’s what I’ve done. Nevertheless, if my data is backed up at night, it may well end up in an American data center. Just for the backup purpose: I also prevent this with the regulation you just mentioned. In other words, I have a geographical responsibility where I can be sure that nothing comes out of this circle, to put it bluntly. And that is also the area in which the legal regulations apply. So this is a two-part protection, a technical protection and also a contractual protection. So in this respect, it is very much in line with the fact that we are saying: This permanent discussion in the USA about data is evil and that was also a slight reaction of the hyperscalers to what the American state has in mind. Long story short: simply a better position, a clarification. And then I’m curious to see what the DSK has to say about it, because the DSK is still on the trip that IP personal data is personal data.
Christian Müller
There are corresponding OLG rulings in Austria that this is not the case, but that would mean that- What does DSK stand for?
Thorsten Jekel
For those who are not so deep into the abbreviations?
Christian Müller
This is called the Data Protection Conference. This is the highest decision-making body for data protection in Germany and all the state data protection authorities. So authorities or heads of authorities regularly sit together in circles of chairs and decide which technology makes sense. Is it Microsoft bad or is it Microsoft good or may video recordings, employees make video recordings, yes or no. And that is the highest authority, the Data Protection Commission.
Thorsten Jekel
And is this, i.e. the status I have here, from 16.12.2022 from Microsoft? Is it still up to date, that this has not yet been definitively assessed or has only been introduced gradually? Or has it already been introduced and finally assessed? Or what is the current status?
Christian Müller
That’s the point, we’re still discussing it, because let’s keep it short. Let me give you another small example of how complex Microsoft Office actually is. Microsoft Office consists of 600 different programs. Very few people know that. I’ll just take MS Teams, it works like Zoom or others, where I have pictures, when do we talk to each other, then I can write a chat and then I can exchange documents, yes? Yes. Just to have the basic function. So, if I ask you now: Where is the data stored? Then you say: Yes, wait a minute, in Amsterdam, that’s how I wrote it. Then I say: Yes, that’s right. But where in this Microsoft universe is the data stored? Because when we chat with each other, the data is stored in the Exchange server under e-mail. If I exchange files there now, they may be stored in a blob memory. This is a separate database, even if I have access to it afterwards. At this point, the metadata is stored in a different location and what you need to know is that Teams is nothing more than a large browser that accesses a wide variety of services. Teams is not a separate program, but Teams uses Exchange, Teams uses OneDrive and similar things or SharePoint.
Christian Müller
It’s actually the team in SharePoint. And accordingly, I have the data in every possible nook and cranny. This means that I have now generated a gigabit of data from our short video conference alone, if we have the hour full. Most of it is image data, but we also have audio track data. I have this in six or seven different places and they may well be abroad. Then I have the whole salad and the fact that I have to check everything properly with a test or something similar explains to some extent why it takes a little longer to check it. That’s not because you don’t want to work or because you’re lazy, but it has something to do with the technical complexity. As I said, I can only refer you to the DSFA from the Netherlands. If you take a look, just look at the table of contents. You don’t have to read any further. You already know where the journey is going.
Thorsten Jekel
Yes, that will certainly still be exciting. And we’ve already mentioned the topic of Dora a few times. What else needs to be considered in the context of Dora when it comes to Microsoft 365?
Christian Müller
What’s new with DORA is the topic of DORA. DORA actually consists of eight subject areas, where I have to say, okay, there are actually two subject areas that are relevant to Office 365. One has to do with technical measures, because I also have to deal with the topic of encryption as part of DORA. Encryption is not just email encryption, but perhaps also data encryption, that I say, okay, the emails that are on the Exchange server in Amsterdam need to be encrypted, or data that is in cold storage, or maybe even in OneDrive, that I also need to encrypt. I have to deal with this issue. So encryption and Office 365 is a highly complex topic and I believe that the regulations are now motivating this to a certain extent so that this topic can also be massaged into the organization. Of course, this keeps a lot of technical architects and security personnel busy at the technical level. The second thing is at the contractual level. This means that I conclude a contract with Microsoft or a data center, and a cloud contract is roughly comparable to a rental agreement. Most people confuse this and say that the cloud is a contract for work and services or a service contract.
Christian Müller
No. In the literature, Professor Hoeren, to quote another one, or Professor Beutigam, who are actually the beacons in Germany on the subject of IT law and security, they say: As lawyers, we are not quite clear yet, but the tendency is for an Office 365 contract to be a rental contract. And tenancy law also has a few special features in the German Civil Code. And I should know that I should take these special features into account when checking the contract … Or it’s usually the case with banks that there are additional side letters, so you don’t take the standard contract from Microsoft, but have extended it and added special security aspects or similar things, so that you have to check these attachments accordingly. And then there’s the second thing: how do I check that I can comply with what’s in the contract? Keyword audit. An audit is an obligation that can occur, and I do the audit myself and pay a penny for it. Excuse me for saying that. Or I say I join a pool with the GDV association. In the case of insurance companies, the GDV association is the contract holder and says: Okay, all insurers, if you put money on the table now and we collect together, then we’ll do the audit with Microsoft.
Christian Müller
And this then makes the results of the audit available to the participants. This means that Microsoft is not audited by 30, 40 or 40 insurers, but receives an audit from GDV. This is then valid for the banking association. I don’t know to what extent the private banks are there or what the situation is with the cooperative banks. I can’t say whether they are organized in a similar way, because that’s an issue that raises questions. So in this respect, the topic of auditing and testing will also be a very important topic with DORA with a focus on cyber security. And finally, for our bankers, many bankers are familiar with BAIT. In principle, BAIT and DORA have the same goal, but they have a different focus and a different depth, i.e. a different breadth and a different depth.
Thorsten Jekel
What is BAIT then?
Christian Müller
This is actually also a kind of work instruction like VAIT. It is divided into eleven chapters and prescribes how a bank, like an insurer, has to organize its business operations from an IT perspective: the first chapter is IT strategy, the second is IT structure, the fourth chapter is testing, the eighth chapter is, I think, the topic of project management and application development, so basically the legal definition of how a clean, regular IT operation has to run.
Thorsten Jekel
Wonderful. I’m glad that I know people like you who I can ask questions about such topics. Now I’m going to go into another cooperative world, that of the DATEV tax consultants, who are also introducing Microsoft 365. Here, too, there are different views, and of course always the statement: This is all the devil’s stuff. Here is another keyword: risks due to legal certainty. Schrems II is also included here as a keyword: criticism from the supervisory authorities, professional law, Section 203 StGB, Cloud Act. I’m assuming that these keywords all mean something to you, unlike me, and I’d be interested in your assessment of them.
Christian Müller
We have already discussed the topic of Schrems II. You can remember where I said that the USA is evil, FISA 701, and that’s where the issue of Schrems II came from and Schrems II was missing: USA is evil, you’re not allowed to do that anymore because FISA 701 could be. And that’s when the consumer advocate Mr. Schrems, a lawyer from Austria, took legal action. And that then led to the Cloud Act. No, that wasn’t quite right either. The Privacy Act wasn’t quite right either. Now they have the idea that the USA is good and technically they are following up with the issue of data, i.e. data fencing within Europe. We also had this topic earlier. That is the topic of Schrems II.
So, then Section 203 of the Criminal Code is one thing, that’s actually technology diagnostics. That’s perfectly okay with Office 365. I also use it, even though it’s subject to Section 203 of the German Criminal Code, so it’s inferior in that respect, and I also have particularly high standards as far as that’s concerned. If I have my own technical and organizational measures under control, i.e. if I say: Look, you can find my password on my Facebook page, or two-factor authentication is for cowards, so if I have my own landscape under control to some extent, then it has relatively little to do with Office 365.
Christian Müller
I can take Office 365 out of the box and parameterize nothing and do nothing. Then I have a higher risk if I say I include two-factor authentication. I buy Defender one, Defender two, to intercept phishing emails or viruses. But that’s the responsibility of the person with professional secrecy, and that’s what the 203 provides. Then you mentioned a third point, that was the 203, the Schrems, and what was the second point?
Thorsten Jekel
Cloud Act was the last keyword to be added.
Christian Müller
That actually fits in with what I said at the beginning with Schrems II. In this respect, yes, I would say that banks and insurance companies have a higher risk with Office 365 as a result of regulation.
Thorsten Jekel
They are more heavily regulated than tax consultancy.
Christian Müller
Exactly, that’s how it is.
Thorsten Jekel
Exactly. Just because I have the chance to have you at the start, of course, I opened my PowerPoint presentation from DATEV again, because I now also provide support in many tax consultancies on the subject of the introduction of Microsoft 365, as a supplement to DATEV. DATEV is the data center of many tax firms. In other words, if I now summarize again, if I understand it correctly, it is on the condition that I really, I say, approach the topic of data protection, the topic of regulation in a really clean, structured way, that I set up the processes cleanly, I say, on the one hand, and that I also document them cleanly on the other hand, so that they also stand up to audits, provided that I have my contractual agreements with my clients, that I have my contractual agreements with my subcontractors, especially in the data center, clean, provided that I also have the issue of insurance cover clean, that the sums there are also, I say, equivalent to the risks I have there, from your point of view, a Microsoft 365 deployment, both in a Volks- und Raiffeisenbank and in a tax consultancy, is just feasible with an acceptable risk, if I understand that correctly.
Christian Müller
Here I am. Where can I sign? Right or left? I’ll even go one better, because the question is: What is the alternative? The alternative is that I operate a data center myself or I always have a server landscape. What is known as on-prem. And I would now like to see a data center that has the same security standard as a Microsoft data center. I’ll put a crate of good drink of your choice here, it won’t work at this point. Just a small example. SOC centers, these are services that really defend against attacks. Microsoft currently fends off 500,000 attacks every day. You can imagine the organization and technology behind it to ensure that nothing happens there. Do you have the same level of technology in your server landscape? Do you have the same level of qualification as the administrator who can oversee all of this? I’ll put a question mark behind that.
Thorsten Jekel
So I’m glad that you say that, because I’ve often said, when it’s always cloud means cloud, because they steal data, I always say: Yes, what’s the alternative? And I don’t know how the issue of access and access control, let’s say, is regulated for your server in the basement. So when I remember one or two presentations on this topic afterwards, I thought it was a very good starting presentation by Götz Schadner, who you also know, to say: Do you trust your cleaning lady? I also thought it was a good start to this discussion to say: Okay, who has physical access to such server systems? And how confident am I of the integrity of these people and the non-compromisability of these people? So against this background, every person who has a family is compromisable. That’s why this is always an issue where I say: What is the alternative that you always have to consider? So thank you once again for not only considering this with my solid half-knowledge, but also with your expertise. And if I now take another look, perhaps to come to a conclusion, there really is a lot of need for regulation in this whole area, also on the other side of things, where I don’t think you have to reinvent the wheel again, but where you also have best practices and formulations from your experience that work.
Thorsten Jekel
How can you support a Volksbank and Raiffeisenbank on these issues, for example?
Christian Müller
I’ll tell you what I’ve made of the story and leave it to the imagination of those who are part of it. Perhaps a little bit about the roles. I’ve been working as a traditional management consultant for almost 30 years, learning the tools of the trade at Accenture, Pricewaterhouse and Capgemini, where I also worked as a partner and was responsible for the automotive practice across Europe. Then I worked at Oracle and Xerox, so I also worked at the technology provider in the same position, which means that they also like to sell strategic solutions in data centers. So in this respect, you can get an interesting insight into what it looks like on the other side. And apart from that, as an external data protection officer, data protection auditor, also an accredited special auditor, I am very much involved in regulatory matters and have also implemented many, many major projects in my professional career, implemented Office 365 and SAP from the ground up, so I know how to implement and operate this stuff both from the role as a line manager at the customer and as a consultant, as well as from the data protection role, as well as from the regulatory role, as well as from the technical role and I also know how to implement and operate this stuff. I already have a very well-rounded view and I’m always a friend of this, we need viable solutions.
Christian Müller
So academic, brilliant, there is also that. It doesn’t always help to go into action.
Thorsten Jekel
Well put diplomatically.
Christian Müller
We can do the discipline, but I don’t think you’ll be happy with it. And I have to say, I’m now at an age where I say: no, I don’t want to use this discipline anymore, because you always see each other two to five times in your life.
Thorsten Jekel
Yes, that’s understandable. I was just on the other call today, where I said that since we’ve all been young for a bit longer and the five of us have a few years under our belts, it’s like saying that twice in a lifetime is a long time ago. So we’ve seen most of them several times in our lives. Yes, that’s right. And you can also be booked in person or digitally to set up such processes and provide advice. I will also add your links to the interview, your contact details, so that they are included again. So for the participants who are there. I don’t think I’ve promised too much, quite the opposite. I’ve really rediscovered one or two points in more depth and taken away some new aspects. That’s the idea. This format is also in this spirit, I say, thank you very much, dear Christian. As always, it was a pleasure to work with you, both on a personal and professional level, and both are important. Thank you very much and I wish you continued success.
Christian Müller
Thank you, dear Thorsten. Thank you for the invitation, for the trust and also many greetings to the rest of the world who were not on this call. Yes, I would be delighted to hear or read from you. Thank you, and listen in again.
Thorsten Jekel
Good luck.
Conclusion
I hope you found the interview as exciting as I did. I learned a lot from it. If you need support with the productive introduction of Microsoft 365 in your company, in your bank or in your tax consultancy, then I would be delighted if you would contact me. I will be happy to advise you and also act as a trainer.
Yours, Thorsten Jekel.