
We've put together Frequently Asked Questions to give you more information about the EU Cloud CoC in general, its membership, complaints and the Third Country Transfer Initiative.

General

The EU Cloud CoC concretizes requirements of Art. 28 GDPR – and all relevant related Articles of the GDPR – for practical implementation within the cloud market. The Code only applies to “business-to-business” (B2B) cloud services where the CSP is acting as a processor. It therefore does not apply to “business-to-consumer” (B2C) services or for any processing activities for which the CSP may act as a data controller.

The Code is a voluntary instrument in accordance with Article 40 GDPR. In particular, this Code is an element pursuant to Article 28.5 GDPR whereby a CSP demonstrates sufficient guarantees by implementing appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR (including when engaging sub-processors). The purpose is to make it easier and more transparent for Customers to analyse whether Cloud Services are appropriate for their use case.

Learn more about the benefits of joining the Code.
Please refer to the current version of the Code.

The development of the EU Cloud CoC started under Directive 95/46/EC. Even then, the European Commission was already involved in the drafting process. During the drafting period, the EU Cloud CoC was twice shared with the Working Party 29. The feedback received from the Working Party 29 was incorporated in the previous version of the Code under Directive 95/46, which was published in May 2017.

The current version of the EU Cloud CoC has been revised and rewritten to be aligned with the European General Data Protection Regulation.

Please refer to the current version of the Code.

On May 20th 2021, the EU Cloud CoC received its official approval from the Belgian Data Protection Authority, following the positive opinion issued by the European Data Protection Board.

Please, check out the press release addressing the approval of the EU Cloud Code of Conduct.

Once a Code of Conduct is approved, it may be used, for example, as a factor to demonstrate sufficient guarantees under Art. 28.1-4 GDPR. Adherence to a Code of Conduct also needs to be considered if and to the extent administrative fines are determined. A Code of Conduct can further be used as a risk mitigator in a Data Protection Impact Assessment (DPIA).

Please, read about Codes of Conduct under GDPR.

Principally, a Cloud Service Provider’s Membership and a Cloud Service’s adherence to the Code must not be confused. Only Cloud Services can be declared adherent to and verified compliant with the Code.

Please, find a list of adherent services at the Public Register.

Once a Cloud Service has been verified compliant by the Monitoring Body, it will be listed in the Public Register.

Please, refer to our Public Register to find the most recent overview on adherent Cloud Services.

The Monitoring Body verifies compliance by an initial assessment, annual recurring assessments and ad-hoc assessments, whenever the Monitoring Body considers those reasonable.

Please, read more.

First, we highly appreciate your interest in the EU Cloud CoC. Codes of Conduct are subject to constant evaluation and updates. Please feel free to reach out to the Code’s secretariat, identifying the relevant section as precisely as possible alongside a short rationale for your suggestion. The secretariat will be happy to help clarify by further explaining the Code’s language. If and to the extent necessary, it will also note your remark and forward it to the General Assembly for further consideration.

Membership

You may join the General Assembly by filling in the Online Application Form. Once you have applied, there is a vetting process in which the Code’s Secretariat checks the legal status and veracity of the application.

Please, note: There are two Membership options: General Assembly Member (for CSPs) and General Assembly Supporter (for non-CSPs).

By joining the General Assembly, you publicly underpin the efforts to meet the requirements of the GDPR, increasing Customers’ confidence and trust when choosing Cloud Services. Moreover, there are substantial legal benefits you, as a CSP, can rely on once you are adherent to an approved Code of Conduct. For example, adherence to a Code of Conduct must be (positively) taken into account in the determination of administrative fines. A Code of Conduct covering relevant aspects under Article 28 GDPR, such as the EU Cloud CoC, can be presented to Customers in accordance with Article 28.5 GDPR as a sufficient guarantee. This can massively reduce the resources you spend on onboarding new Customers. Being governed by SCOPE Europe as an independent Code Monitoring Body, which establishes a robust and trustworthy oversight mechanism, contributes positively to the abovementioned factors, as does the Code’s extensive collection of good practices within its controls catalogue.

Depending on the applicable Membership option, there are different requirements.

An overall requirement is to support the EU Cloud CoC. That includes being named as Member on the EU Cloud CoC website and publicly communicating your support of and Membership to the EU Cloud CoC.

To join as General Assembly Member, you must be a Cloud Service Provider. Any natural or legal entity that is not a Cloud Service Provider may join as a General Assembly Supporter.

General Assembly Membership is open to any Cloud Service Provider. There are three sub-options of becoming a General Assembly Member:

  • Full-Membership including voting rights
  • Membership for Medium Sized Enterprises excluding voting rights
  • Membership for Small Sized Enterprises excluding voting rights

You are not required to be compliant with the Code at the moment you join as a Member. However, it is expected that each Cloud Service Provider explores declaring at least one of its Cloud Services adherent within due time once the Code is approved.

Yes, you can join as a Supporter. General Assembly Supporters must not be Cloud Service Providers; they can be any natural or legal entity that strives to support the aims of the EU Cloud CoC, for example associations, authorities, law firms, NGOs, think tanks, etc.

As a supporter, the fee depends on the size of your company. The pricing is 1,500 EUR for small-sized, 3,000 EUR for mid-sized and 5,000 EUR for all other companies.

In general, every Cloud Service Provider may choose to become a Full-Member regardless of its size. The Membership fee depends on the option you choose; there are three different Membership options, depending on your interest. As an SME, you can choose between the Full-Membership with voting rights and two other options specifically addressing the needs of mid-sized or small-sized enterprises, i.e. a significantly adjusted and reduced pricing scheme. Membership options for Small and Medium Sized Enterprises (SME) are only applicable to those Cloud Service Providers that fulfil the European definition of a Small or Medium Sized Enterprise.

The Membership fee depends on the option you choose; there are three different Membership options, depending on your interest. As an SME, you can choose between the Full-Membership with voting rights and two other options specifically addressing the needs of mid-sized or small-sized enterprises, i.e. a significantly adjusted and reduced pricing scheme.

Please, read more about the pricing.

No, as an SME you can opt in to full Membership at any time, which provides you with voting rights, subject to the corresponding fees.

Please, note: If and to the extent it appears economically more reasonable, the EU Cloud CoC provides dedicated Membership options for SME, subject to an adjusted and significantly reduced pricing scheme. 

Yes, once you opt in to the full Membership option, you receive full voting rights, also enabling you to actively participate in the Code’s development. Please, read more about the EU Cloud CoC Membership options and related pricing schemes.

Regardless of any voting rights, the Code’s Secretariat and General Assembly are happy to receive any comments and suggestions to further enhance the EU Cloud CoC.

The EU Cloud CoC addresses Cloud Services / Cloud Service Families. Hence, you will not have to comply as a Cloud Service Provider as such. In this way the EU Cloud CoC allows for adequate flexibility and caters to practical needs, especially to the extent Cloud Service Providers may (intentionally) provide Cloud Service offerings not subject to GDPR at all. Notwithstanding, those services declared adherent to the EU Cloud CoC must fully comply with its provisions.

Please read more at “Do I have to comply with the EU Cloud CoC as Cloud Service Provider as such?”

Yes, the minimum Membership period is 24 months.

 

Membership of the EU Cloud CoC is voluntary. Provided the minimum Membership period of 24 months is met, you may terminate subject to prior notification of 18 months.

Your Supporter status is automatically renewed for another year unless terminated three months prior to the end of your Supporter Membership term.

First, you need to qualify as a CSP, i.e. you are offering Cloud Services as a processor. Second, you are expected to support the principles of the EU Cloud CoC and the Code as such. However, you are not required to be compliant with the Code at the moment you join as a Member. Rather, it is expected that each Cloud Service Provider explores declaring at least one of its Cloud Services adherent within due time once the Code is approved.

You are not required to declare any of your Cloud Service(s) adherent at the very moment you join the General Assembly. However, you are expected to declare at least one Cloud Service adherent in due time, once the Code is officially approved.

Before declaring your Cloud Service(s) adherent, you should adequately prepare your Cloud Service to be compliant with the requirements of the Code. Such due time is also provided if you are already a General Assembly Member. Once a Cloud Service has been declared adherent, there is no longer any grace period. The Cloud Service will have to be compliant with all requirements of the Code; otherwise the Code’s Monitoring Body will deny a positive verification.

Each Cloud Service declared adherent must comply with all requirements of the Code from the first day onwards. It will be assessed by the Code’s Monitoring Body annually once it has passed the verification process. Cloud Service Providers must notify any adjustments and updates to their adherent Cloud Services, to the extent these may affect a Cloud Service’s compliance. Cloud Service Providers may also terminate their Cloud Service’s listing in the Public Register.

Please, refer to the Declaration of Adherence and incorporated agreement and procedures for further details.

Once a Cloud Service has been declared adherent, adherence may be terminated subject to prior notification of 18 months, provided that the Cloud Service will be adherent for 24 months at a minimum.

The pricing depends on the Membership option chosen. Annual fees range from 1,500.00 EUR to 15,000.00 EUR.

Please, refer to our price list.

The EU Cloud CoC provides different levels of compliance and a respective translation of its provisions into precise controls, which is provided to the Cloud Service Provider in the form of a Controls Catalogue. It is worth noting that every part of the Code is equally binding on any CSP that declares adherence to the Code: a CSP is either compliant or it is not.

To prove compliance, a CSP must complete the online declaration of adherence and successfully pass the Monitoring Body’s assessment. Please, refer to our page on the Assessment Procedure for further details.

The EU Cloud CoC has a dedicated and independent Monitoring Body. Any Cloud Service Provider declaring a Cloud Service adherent to the EU Cloud CoC must prove its compliance to the satisfaction of the Monitoring Body.

Cloud Service Providers may only market their adherence to the EU Cloud CoC after having received the official approval by the Monitoring Body. Such Cloud Service Providers will then be listed in the Public Register of Adherent Cloud Services.

In general, a Cloud Service verified compliant must – at all times – comply with all Controls of the Code, regardless of the level chosen. The different levels of compliance relate only to the level of substantiation that must be provided to the Monitoring Body, as the Code supports different methods of checking conformity.

Complaints

Yes, if a Cloud Service does not comply with the requirements, you can file a complaint. 

To file a complaint, please, use our online complaint form.

First, make sure you are eligible to file a complaint. Then, please, complete our online complaint form. Second, please, make sure that your complaint contains sufficient information to identify a potentially infringing behaviour of an adherent Cloud Service.

A CSP, a Customer or any other party, such as data subjects, is eligible to file a complaint, regardless of whether such party is a Customer of the respective Cloud Service.

Provided your complaint is neither excessive nor abusive, you can file a complaint free of costs. 

Yes, there is the possibility to file complaints anonymously. In case you choose to complain anonymously, please, make sure that the information provided is as complete as possible, as the Monitoring Body cannot come back for clarifications or additional information in the event of an anonymous complaint.

For the avoidance of doubt: to file a complaint anonymously means without providing contact information or a name. Notwithstanding and in accordance with applicable law, the Monitoring Body may be required to cooperate with third parties, e.g. subject to court orders. Please note that there is always a risk that, based on accumulated information, you may still be identified by means other than name or contact details.

To ensure the handling of complaints about infringements of the Code, an ongoing cooperation of the complainant is needed during an appropriate period of time (beginning with the receipt of the request). It is relevant that the complainant is available for the secretariat for further inquiries and to provide all information. The regular period to answer is two weeks. If the complainant does not meet its obligation to cooperate within the appropriate period, the complaint may be dismissed.

For further details, please, refer to the Complaint Procedure.

Complaints are limited in scope to the provisions of the Code. First, complaints have to relate to adherent Cloud Services as listed in the Public Register. Second, the complaint is limited to Code infringements, i.e. a Cloud Service is not compliant with the requirements as defined by the Code.

If and to the extent your complaint refers neither to an adherent Cloud Service nor to a requirement of the Code, your complaint will be dismissed.

Third Country Transfer Initiative

No, the Third Country Transfers Module Initiative is currently creating a dedicated safeguard for the third country data transfers as an on-top Module to the EU Cloud CoC. Therefore, the EU Cloud CoC is an approved and operational tool that enables Cloud Service Providers to demonstrate compliance solely regarding Article 28 GDPR and all its related articles.

Once the Third Country Module is finalized and if approved by the Supervisory Authorities, it will consist of an on-top structure which services adherent to the EU Cloud CoC can opt to be verified against.

The EU Cloud CoC General Assembly is currently developing an on-top Module to the EU Cloud CoC which seeks to create a dedicated safeguard for third country data transfers pursuant to Article 46 GDPR. This additional tool that is being developed is called the Third Country Transfers Module and its first draft has been published and is open for public consultation.

The Third Country Transfers Module will only effectively become a third country transfer safeguard once it receives the positive opinion of the EDPB, the approval of the lead Supervisory Authority and when the European Commission grants its General Validity pursuant to Article 40 GDPR.

No, the Third Country Transfers Module is currently in its development phase and, therefore, is not yet completed. As the EU Cloud CoC General Assembly continuously works on the development of the Module, a first draft has been published alongside an open consultation. The main goal of the publication of the draft version as well as of promoting a public consultation is to enable the cloud and privacy communities to contribute to the Module and ultimately develop an effective and comprehensive solution for all stakeholders involved.

The Third Country Transfers Module is being developed by the EU Cloud CoC General Assembly. Therefore, all voting General Assembly members of the EU Cloud CoC can join the working group responsible for the drafting of the initiative.

For those who are interested in applying for EU Cloud CoC Membership, please refer to our Online Application Form.

The Third Country Transfers Module is an on-top Module of the EU Cloud CoC and, therefore, shall also be monitored by SCOPE Europe.

In this context it is crucial to note that the accreditation of a monitoring body under the GDPR must be connected to a specific code of conduct. Despite being an on-top structure of the EU Cloud CoC, the Third Country Transfers Module has a different scope than the EU Cloud CoC itself. Against this background, SCOPE Europe must undergo a specific and separate accreditation process to be able to oversee compliance with the Third Country Transfers Module.

The Third Country Transfers Module is an on-top module of the EU Cloud CoC. Consequently, the participation in the development of the Module is currently included in the Membership fee of the EU Cloud CoC. From the moment the Third Country Transfers Module becomes operational, a dedicated pricing scheme relating to the verification of compliance shall be released. 

No. While the Initiative certainly aims to tackle the Schrems II ruling and recognizes that Schrems II originated from a case involving the US, it's important to note that the repercussions and effects of this ruling extend beyond the boundaries of the US. Consequently, the Third Country Transfer Module intends to cover any third country transfers irrespective of the applicable third country, i.e. the Module applies globally.

Yes, the Third Country Module is being developed in order to create a safeguard to be applied globally.

The Third Country Transfers Module applies the definition of transfer established by the EDPB Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR.