EDPB approves first EU GDPR Code of Conduct for Cloud Service Providers

EU

Following the submission by the Belgian Data Protection Authority, on May 19 the European Data Protection Board (EDPB) approved the EU Cloud Code of Conduct with subsequent final approval by the Belgian Data Protection Authority. The Code is now the first endorsed pan-European code of conduct for cloud service providers (CSP) addressing obligations for all cloud offerings under Article 40 of the GDPR.

Applicability of the Code

The Code is applicable to all cloud service provision models, IaaS, PaaS, and SaaS. With this general approach, the Code is suitable for companies providing different types of cloud offerings.

The Code applies to the B2B context of cloud services where the CSP acts as a processor under Article 28 of the GDPR but does not apply to B2C services or any processing activities for which the CSP may act as a data controller. The Code can still be relevant for customers of cloud services since they will receive an additional guarantee of compliance when entrusting adherent CSPs.

The Code facilitates GDPR compliance

The Code consists of a set of requirements that CSPs must implement to comply with the Code. These requirements are supported by a Controls Catalogue, which helps to assess compliance, maps the required auditable elements ( called “controls”), and provides a list of the requirements of the Code together with corresponding provisions of the GDPR and relevant international standards.

The Code does not replace the contract between a CSP and the customer, and CSPs must ensure that the terms of its Cloud Services Agreement complies with the Code. The Code contains a set of data protection rules specifically tailored to cloud computing services, such as:

  • Lawfulness of processing: adherence to the data controller’s instructions and establishment of a documented procedures to comply with duties and internal communication mechanisms;
  • Subprocessing: rules on engaging a new subprocessor including documented procedures for implementing the flow of the same data protection obligations and appropriate technical and organisational measures down the processing chain;
  • International transfer of customer personal data: ensuring CSPs will adequately communicate transfers to customers, but this Code does not reflect the Code of Conduct as per Article 46 GDPR on third-country transfers.
  • Right to audit: implementing appropriate and accessible mechanisms for providing evidence of compliance to customers with established confidentiality obligations;
  • Liability: stating that customers have a right to pursue the liability regime of the Cloud Services Agreement and of Chapter VIII (remedies and liability) of the GDPR;
  • Customer cooperation: in exercising their rights;
  • Assistance for personal data breaches: this assistance includes establishing reporting procedures, specifying data breach notification obligations, and ensuring that the customer can retrieve personal data promptly and without hindrance in a common structured format.

Demonstrate different levels of compliance

The Code offers a scaled system with three different Levels of Compliance provided. Companies in each level must comply with all provisions of the Code. The different levels are based on the evidence of compliance submitted to the Monitoring body and each Level of Compliance incorporates the previous levels. The levels include:

  • First Level of Compliance: performance of an internal review and documentation of implemented measures to comply with Code requirements.
  • Second Level of Compliance: First Level of Compliance with partially supporting independent third-party certificates and audits with specific relevance to the cloud service that is declared adherent. The ‘Controls Catalogue’ section gives guidance on third-party certificates and audits offering equivalent level of compliance (e.g. ISO, SOC 2 and C5:2016 standards).
  • Third Level of Compliance: compared to the Second Level of Compliance, this level of compliance is fully supported by independent third-party certificates and audits conducted with specific relevance to the cloud service that is declared adherent.

Monitoring of adherence

The Code owner is Scope Europe, a non-profit association established in Belgium. SCOPE Europe is the accredited Monitoring Body that will verify compliance with the Code. Verification occurs through an initial assessment, recurring assessments at least every 12 month and ad hoc assessments when the Monitoring Body considers it is timely and appropriate.

Governance and organisational framework

The governance framework of the Code includes a General Assembly, Steering Board, Code Supporters and Secretariat. The organisations represented by the Code constitute the General Assembly of the Code. Members of the General Assembly are therefore the founding members (i.e. Alibaba Cloud, Fabasoft, IBM, Oracle, Salesforce, and SAP), and all other members whose application to join was approved. Code Supporters (e.g. user organisations, consumer protection bodies, industry associations, government bodies or agencies, supervisory authorities, academia, or consultancy organisations) do not have voting rights in the General Assembly.

Becoming adherent to the Code

To demonstrate adherence, a company must be member of the General Assembly. Upon becoming a member, companies are not expected to be immediately compliant with the Code, but they should demonstrate and declare their adherence in a reasonable amount of time. Members must sign a Declaration of Adherence Agreement and pay a one-time adherence fee. The membership pricing includes plans for a full-membership with voting rights, and two plans for mid-sized and small-sized companies without voting rights.

Benefits of adherence to Code

Currently, there are a handful of adherent companies (e.g. Google Cloud, Microsoft, IBM, or SAP). However, since in itself the Code establishes an approved best practice for the application of data protection rules in the cloud computing environment, it is likely that in the near future it will gain more importance and will become a standard that cloud service customers will demand.

Cloud service providers and companies utilising cloud services can benefit from adherence in multiple ways:

  • Credibility: joining the Code General Assembly shows robust commitment to data protection and compliance.
  • Trust: adherence to a self-regulation tool accompanied with regular and independent monitoring fosters trust of customers in companies and their services.
  • Transparency: the Code requires high-level of transparency and outlines the requirements on what information needs to be provided to customers. These information requirements go beyond what is required by the GDPR.
  • Accountability: the CSP can demonstrate adherence to the Code according to data processor compliance requirements as set out down in Article 28 of the GDPR.

You can request a free version of the Code here. The full list of adherent cloud service providers is available here.

For more information on this Code and how it can affect your business, contact your CMS client partner or CMS experts.

Article co-authored Anna Horváth.