The EU Cloud Code of Conduct (abbreviated "EU Cloud CoC", also known by its extended title "EU Data Protection Code of Conduct for Cloud Service Providers") is a transnational code of conduct pursuant to Article 40 of the European General Data Protection Regulation (GDPR). The code defines clear requirements for cloud service providers (CSPs) to implement Article 28 GDPR and all its related articles, which cover the processing of every type of personal data. Encompassing all cloud service layers (XaaS, including IaaS, PaaS and SaaS), the code allows cloud service providers to demonstrate GDPR compliance in their role as processors. Compliance is overseen by an accredited monitoring body, as required by Article 41 GDPR.


History

Work on the code started in 2012, when Neelie Kroes, former vice president of the European Commission, launched the European Cloud Strategy. In that context, a dedicated working group was created with the task of drafting a cloud code of conduct under the Data Protection Directive. One of the primary goals of drafting such a code was to increase trust in, and amplify the adoption of, cloud computing across the European Union. The first draft produced by the working group was submitted for its first assessment in January 2015, which was performed by the Article 29 Working Party. With the introduction of the GDPR, the code had to be adapted accordingly, and by 2017 the European Commission had fully handed the project over to the industry. Still in 2017, six companies from that working group (Alibaba Cloud, Fabasoft, IBM, Oracle, Salesforce and SAP) founded the EU Cloud CoC General Assembly and assigned SCOPE Europe as its monitoring body and secretariat. After several exchanges with supervisory authorities and related revisions, the final version of the EU Cloud CoC was submitted to the Belgian Data Protection Authority for approval in 2019. According to the timestamps of the code versions published on the initiative's website, the code evolved further after submission and until its approval in May 2021. Such continued development of codes of conduct is expected under the European Data Protection Board's Guidelines 1/2019 on codes of conduct and monitoring bodies under Regulation 2016/679. The code was approved by the Belgian Data Protection Authority on May 20, 2021, following a positive opinion issued by the European Data Protection Board.


Scope and structure of the code

The EU Cloud CoC allows CSPs to prove and demonstrate compliance within the scope of Article 28 GDPR and all its related articles. The EU Cloud CoC therefore covers CSPs' data protection obligations when processing any kind of personal data, and its requirements apply to all cloud offerings (IaaS, PaaS and SaaS), collectively also known as XaaS. Five sections together compose the core structure of the code, namely Scope, Data Protection, Security Requirements, Monitoring and Compliance, and Internal Governance ("EU Data Protection Code of Conduct for Cloud Service Providers - Version 10", EU Cloud Code of Conduct, October 2020, retrieved 20-08-2021). Besides the main text, the code is accompanied by a controls catalogue, which was designed to map the code's requirements to auditable elements, the "Controls", and to all corresponding GDPR provisions. The controls catalogue also provides a mapping to relevant international standards (such as ISO 27001, ISO 27017, SOC 2 and BSI C5).


Organizational structure

The organizational structure of the EU Cloud CoC is covered under its Internal Governance section, which describes the rules and procedures applied to the code's management. That section lays out the organizational framework of the code itself, as well as of its bodies, namely the General Assembly, the Steering Board and the Secretariat.


Dedicated monitoring body

The GDPR requires an independent monitoring body to guarantee the appropriate implementation of a code's provisions. In May 2021, SCOPE Europe was officially accredited by the Belgian Data Protection Authority as the dedicated monitoring body of the EU Cloud CoC. According to the GDPR, the monitoring body is responsible for performing ongoing due diligence. Under the EU Cloud CoC, besides being subjected to an initial assessment to become adherent to the code, CSPs are re-evaluated on an annual basis. Additional assessments can also be triggered by justified complaints, media reports, new legislation, publications and guidelines from data protection authorities, and any other relevant development that could potentially affect adherence to the code. A CSP can opt for one of three Levels of Compliance when declaring adherence to the EU Cloud CoC. Those levels relate solely to the type of evidence that is submitted for review by the monitoring body; each of them nevertheless demands compliance with all the code's requirements.


Membership and supporters

Membership of the code is open to any CSP, as long as it agrees with the approach and principles established in the code. In that regard, the EU Cloud CoC offers two main membership options, the first dedicated to CSPs and the second covering any entity that is not a CSP and wishes to join the initiative as a supporter. Within the CSP membership umbrella, a tailored pricing scheme is in place that takes the needs of different company sizes into consideration, allowing accessibility for small and medium-sized enterprises (SMEs). Today, the EU Cloud CoC General Assembly represents a significant share of the European cloud industry market and, as of August 2021, its membership encompasses Alibaba Cloud, Alight, Arcules, Cisco, Dropbox, Epignosis, Fabasoft, Google Cloud, IBM, K&L Gates, Microsoft, Okta, Oracle, Qompium (Extra Horizon), Salesforce, SAP, Schellman, SecureAppbox, Timelex, TrustArc and Workday.


The third country transfer initiative

Following the CJEU's Schrems II ruling, the EU Cloud CoC General Assembly started to work on an effective yet accessible safeguard for third country transfers, in the form of an on-top module to the code. The so-called Third Country Transfer Module shall cover the legal requirements for third country transfers as outlined in Chapter V GDPR and, like any on-top module, is not a standalone initiative, which implies that prior compliance with the EU Cloud CoC is a prerequisite.


See also


EU Cloud CoC's website

List of adherent Cloud Services, including public reports

Monitoring Body of the EU Cloud CoC

