What is the status of foreign cloud apps in German universities?

It is not surprising that there is little good information on this issue available.

As has already been written, this is all about the European data protection directive GDPR ("DSGVO" in German). It contains a number of measures that should enable users to protect their personal data.

The law defines some guidelines that include the right of users to only have their necessary data processed. As a relatively trivial example, it would be problematic to require students to submit their date of birth with their exercise sheet solutions. The law also defines minimum requirements for offloading data processing tasks to subcontractors and the right of all users whose data is being processed to demand to know what data of them is stored. Also, data needs to be protected according to the state of the art. In case of violations, fines can be issued by federal(?) authorities.

Now while these rules seem useful, they are highly problematic when requiring students to use certain services: There is normally no contract between the university and doodle.com about data protection in place, so asking the students to use doodle.com is probably problematic... but I'm not aware of any court ruling on this. Then, the Safe Harbor agreement between the EU and the US is not currently seen as sufficient to guarantee that the European rules are met. Oh, and is data protected according to the state of the art? That's pretty hard to tell.

All in all, the situation is complex enough such that universities try to insource as much as possible, at least to DFN level (German research network - essentially the network service provider of the universities). However, when other options proved to be infeasible, some universities decided to use Zoom and the like anyway, which bears a certain risk. The Microsoft Cloud may be unproblematic, depending on what level of data protection Microsoft guarantees.

In a less-than-100% legally clear situation when there is a lot at stake (Corona led to a need for teleconferencing/lectures), some may decide to take some risks when the alternatives do not seem to work. And this leads to a very fragmented landscape.

I am not aware of any official guideline to avoid using foreign cloud applications at German universities. However, I only know what is correct for my university. The federal system in Germany makes it unlikely that any such general guideline will exist.

What is true however is that most universities offer a lot of locally maintained services as alternatives to external solutions. There may be a file hosting system, a git server etc. in fact making the external stuff obsolete. But you are still allowed to use them most of the time. At my university, the service description often reads like: "...is meant as an alternative to XYZ" (with XYZ as some external cloud service), but the use of other services is explicitly not excluded. However, university staff automatically has access to the local tools and they can usually be used when cooperating with external people, so I see a widespread use of the local tools.

The external services often are of foreign origin. And yes, this is not totally irrelevant. "Data sovereignty" is the term used at my university. Local support is another aspect quite helpful when problems arise.

It's mostly about DSGVO (the Datenschutz-Grundverordnung). I don't know too much about it, but, if I understood correctly, it forbids university staff from storing data which affects their students on any service that is not under the control of the university. As a consequence, many universities host their own services or buy services with special conditions such that they are "DSGVO konform". My university, for example, hosts a cloud storage and groupware and we are encouraged to use DFN services.