
EU Cloud CoC - Designed to become a sufficient guarantee pursuant to Art. 28.5 GDPR

Cloud computing provides significant benefits to both public and private sector customers in terms of cost, flexibility, efficiency, security and scalability. In order to secure the trust of cloud customers in Cloud Service Providers (CSPs), the EU Cloud Code of Conduct aims to help Cloud Providers on their path to GDPR compliance.

As representatives of European and multinational companies and organizations with significant involvement in cloud computing, we have developed a set of requirements that enable CSPs to demonstrate their capability to comply with GDPR – the Code provides cloud specific approaches and recommendations, including a road map, which tracks Code requirements to GDPR and to international standards such as ISO 27001 and 27018.

The EU Cloud Code of Conduct consists of requirements for CSPs that wish to adhere to the Code, plus a governance section that is designed to support the effective and transparent implementation, management, and evolution of the Code. The Code is a voluntary instrument, allowing a CSP to evaluate and demonstrate its adherence to the Code’s requirements, either through self-evaluation and self-declaration of compliance and/or through third-party certification. The Code has been developed to cover GDPR requirements and, following the positive opinion issued by the EDPB, was officially approved by the Belgian Data Protection Authority in May 2021.

The intention of the EU Cloud Code of Conduct is to make it easier for cloud customers (particularly small and medium enterprises and public entities) to determine whether certain cloud services are appropriate for their designated purpose. In addition, the transparency created by the Code will contribute to an environment of trust and create a high default level of data protection in the European cloud computing market.

The EU Cloud Code of Conduct - in a nutshell

  • Covers the full spectrum of cloud services: software (SaaS) and platform (PaaS) as well as infrastructure (IaaS).
  • Has an independent governance structure to deal with compliance as well as an independent monitoring body, SCOPE Europe, which scrutinizes cloud services which sign up to the Code and monitors services that are certified in the Code – a requirement of GDPR.
  • Invites Cloud Service Providers of all sizes and from all cloud sectors to join: there are different membership options, depending on the CSP’s interests. Once a member, CSPs can declare Cloud Services adherent to the Code, committing to rigorous data protection safeguards.
  • Is the only Code drafted together with authorities of the European Union: the Code was developed by the Cloud Select Industry Group (Data Protection Code of Conduct Subgroup) convened by the European Commission under the auspices of DG Connect and with the involvement and advice of DG Justice. Development of the Code was further informed by input from the Article 29 Working Party.

EU Cloud CoC - Building an entire ecosystem

The Code has been designed to define general requirements for the engagement of Cloud Service Providers (CSPs) as processors under GDPR. The latest version of the Code has received official approval by the Belgian Data Protection Authority pursuant to Article 40 GDPR and represents the core of a constantly growing and evolving ecosystem within the cloud and privacy communities.

As cloud computing is becoming the business standard, CSPs, and especially Cloud Customers, are facing a steadily increasing number of requirements. Ensuring compliance with contractual, European and international regulatory obligations easily reaches a significant level of complexity.

The EU Cloud CoC is willing to address the needs of such a changing environment. Where necessary, the Code shall be complemented by dedicated modules either extending or further detailing its requirements. In this way, the Code will facilitate the engagement of CSPs in various contexts, such as health, finance, banking, and public services.

Following Schrems II (C-311/18), the General Assembly decided to first focus on a dedicated module upgrading the Code to a safeguard to transfer personal data to third countries, Article 46 GDPR. Learn more about this initiative by reading our press release.

Frequently Asked Questions

The EU Cloud CoC concretizes requirements of Art. 28 GDPR – and all relevant related Articles of the GDPR – for practical implementation within the cloud market. The Code only applies to “business-to-business” (B2B) cloud services where the CSP is acting as a processor. It therefore does not apply to “business-to-consumer” (B2C) services or for any processing activities for which the CSP may act as a data controller.

The Code is a voluntary instrument in accordance with Article 40 GDPR. In particular, this Code is an element pursuant to Article 28.5 GDPR whereby a CSP demonstrates sufficient guarantees by implementing appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR (including when engaging sub-processors). The purpose is to make it easier and more transparent for Customers to analyse whether Cloud Services are appropriate for their use case.

Learn more about the benefits of joining the Code.
Please, get here the current version of the Code.

The development of the EU Cloud CoC started under Directive 95/46/EC. Even then, the European Commission was already involved in the drafting process. During the drafting period, the EU Cloud CoC was twice shared with the Working Party 29. The feedback received from the Working Party 29 was incorporated in the previous version of the Code, under Directive 95/46, which was published in May 2017.

The current version of the EU Cloud CoC has been revised and rewritten to be aligned with the European General Data Protection Regulation.

Please, get here the current version of the Code.

On May 20th 2021, the EU Cloud CoC received its official approval by the Belgian Data Protection Authority, following the positive opinion issued by the European Data Protection Board.

Please, check out the press release addressing the approval of the EU Cloud Code of Conduct.

Once a Code of Conduct is approved, it may be used, e.g., as a factor to demonstrate sufficient guarantees under Art. 28.1-4 GDPR. Adherence to a Code of Conduct also needs to be considered if and to the extent that administrative fines are determined. A Code of Conduct can further be used as a risk mitigator in a Data Protection Impact Assessment (DPIA).

Please, read about Codes of Conduct under GDPR.

Principally, a Cloud Service Provider’s Membership and a Cloud Service’s adherence to the Code must not be confused. Only Cloud Services can be declared adherent to and verified compliant with the Code.

Please, find a list of adherent services at the Public Register.

Once a Cloud Service has been verified compliant by the Monitoring Body, it will be listed in the Public Register.

Please, refer to our Public Register to find the most recent overview on adherent Cloud Services.

The Monitoring Body verifies compliance by an initial assessment, annual recurring assessments and ad-hoc assessments, whenever the Monitoring Body considers those reasonable.

Please, read more.

First, we highly appreciate your interest in the EU Cloud CoC. Codes of Conduct are subject to constant evaluation and updates. Please feel free to reach out to the Code’s secretariat, identifying the relevant section as precisely as possible alongside a short rationale for your suggestion. The secretariat will be happy to help clarify by further explaining the Code’s language. If and to the extent necessary, it will also note your remark and forward it to the General Assembly for further consideration.