transparency report
How we protect your data from unauthorized requests

The digital space contains huge amounts of data that authorities want to use for investigations. To do so, they submit corresponding access requests to online service providers. However, these are often inadmissible because the legal basis is wrong. With the transparency report, we disclose how many and which data requests we receive from domestic and foreign authorities, how we handle them, when we have to release data, and how often this was actually the case. This provides even more transparency and shows that data is particularly secure at luckycloud.

Presentation of Trusted Elements such as the TUEV Sued seal and the Alliance for Cyber Security.
Close-up of white, closed closing doors.

The transparency reports von luckycloud at a glance

The following requests have been registered and processed by luckycloud in recent years:

Two colleagues in a bright, plant-covered office are working on a presentation on the PC.

What data
does luckycloud collect?

Our mission is to. and to provide online services that deliver what they promise. For maximum data protection, we work according to the Zero Knowledge principle. Our processes are designed in such a way that we do not collect any information about our customers apart from their e-mail address. Only in the case of support do we receive data on a voluntary basis that goes beyond a pure e-mail address. Of course, luckycloud also protects data from external, unauthorized access.

Close-up of several stacks of files on a shelf.

The procedure for incoming authority requests to hand over data

When we receive requests for information on inventory data from authorities, we check them very carefully in line with our internal processes. We only provide information about inventory data if the formal requirements of the Telecommunications Telemedia Data Protection Act (TTDSG) pursuant to Section 22 (2) and the right to information pursuant to Section 22 (3) or Section 22 (4) TTDSG are met.

The requirements according to § 22 para. 2 - 4 TTDSG include in particular

  • Specification of a valid and applicable legal basis,
  • correct form of the information request,
  • competent authority,
  • initial suspicion of a criminal offense and
  • Necessity of the information for legally defined purposes.

luckycloud will only release the further processing of a request for information if a responsible specialist has positively determined compliance with the formal requirements specified in Section 22 (2) TTDSG in the first step (Section 22 (6) p. 2 and 3 TTDSG).

We only comply with official requests for information on inventory data if the legally prescribed requirements are documented - and, of course, only to the extent required by law.

Frequently frequently asked questions

Most of the verified official requests are not legally compliant and therefore inadmissible. In these cases, we naturally do not release any data and file a complaint with the requesting authority, rejecting the request.

Providers must release inventory data for legally permissible requests. Inventory data is personal data whose processing is required for the purpose of establishing, structuring the content of, or amending a contractual relationship between the telemedia provider and the user:in regarding the use of telemedia (Section 2 No. 2 TTDSG). This includes the name and address of the customer, the account details and the type of service. However, we have not yet identified any lawful request and accordingly have never released any data.

No, that is not legally permissible. According to Section 22 (5) sentence 3 TTDSG, obligated parties must maintain confidentiality vis-à-vis the data subjects as well as third parties about the request for information and the provision of information.

As a cloud provider, luckycloud is not affected by data retention. In addition, data of e-mail traffic is explicitly excluded from data retention (§ 176 para. 5 TKG), so that we, as an e-mail provider, also do not have to comply with the corresponding regulations on data retention in principle.

Incidentally, the European Court of Justice (ECJ) ruled on 05 April 2022 with regard to a case from Ireland (Judgment of 05.04.2022, Case C-140/20) confirmed its established case law according to which general data retention without any reason violates EU law and is therefore inadmissible. It can be assumed that the German regulation (§ 176 TKG) will also be ruled to be contrary to EU law in the near future.