Federal Office for Information Security (BSI)

C5 and Data Protection

Target groups

"C5 and Data Protection" is intended primarily for professional cloud service providers whose customers process personal data in the cloud. These cloud service providers then operate as data processors and have to comply in a verifiable way with data protection legislation (BDSG and, in the future, BDSG n.F. and EU GDPR).

Role: Cloud Providers (primary), Cloud Users (secondary)
Target group: Management (primary), Professionals (secondary)


Cloud services often process personal data and operate as data processors. Therefore, these cloud services need to comply with data protection regulations. Data protection and information security have different objectives, but at the same time they overlap widely. The technical and organisational measures (TOM) of data protection and the measures for information security both aim at data security, to ensure confidentiality, integrity and availability. C5 defines security requirements that can also be relevant for data protection.


Data protection was a major aspect of the expired BMWi program "Trusted Cloud". One goal was to build a solid base for a data protection certification, specifically for cloud services, according to BDSG. In a unique constellation, research, data protection authorities, cloud service providers and cloud service users worked together to achieve a common solution. The result was TCDP, the Trusted Cloud Data Protection Profile (www.tcdp.de/index.php/english), which is now managed by Stiftung Datenschutz (https://stiftungdatenschutz.org). At the moment TCDP is based on the German Bundesdatenschutzgesetz (BDSG), but there are plans to adapt it to the EU GDPR.

The technical and organisational measures (TOM) of TCDP in particular show a large concordance between TCDP and C5. The mapping of TCDP to C5 shows that C5 covers many requirements of TCDP. An audit against C5 can therefore be efficiently expanded to an audit according to TCDP. However, not all legal aspects of data protection are addressed by C5. TCDP and C5 complement each other and enable cloud service providers to certify not only information security but also data protection. TCDP is not the only data protection certification, but for the others no mappings to C5 are available yet.