We've put together Frequently Asked Questions to give you more information about the EU Cloud CoC in general, it's membership, complaints and the Third Country Transfer Initiative.
General
The EU Cloud CoC concretizes requirements of Art. 28 GDPR – and all relevant related Articles of the GDPR – for practical implementation within the cloud market. The Code only applies to “business-to-business” (B2B) cloud services where the CSP is acting as a processor. It therefore does not apply to “business-to-consumer” (B2C) services or for any processing activities for which the CSP may act as a data controller.
The Code is a voluntary instrument in accordance with Article 40 GDPR. In particular, this Code is an element pursuant to Article 28.5 GDPR whereby a CSP demonstrates sufficient guarantees by implementing appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR (including when engaging sub-processors). The purpose is to make it easier and more transparent for Customers to analyse whether Cloud Services are appropriate for their use case.
Learn more about the Code benefits of joining the Code.
Please, get here the current version of the Code.
The development of the EU Cloud CoC started under Directive 95/46/EC. Back then, the European Commission was involved during the drafting process already. During the drafting period, the EU Cloud CoC was twice shared with the Working Party 29. The feedback received by the Working Party 29 was incorporated in the previous version of the Code, under Directive 95/46 which was published in May 2017.
The current version of the EU Cloud CoC has been revised and rewritten to be aligned with the European General Data Protection Regulation.
Please, get here the current version of the Code.
On May 20th 2021, the EU Cloud CoC has received its official approval by the Belgian Data Protection Authority, following the positive opinion issued by the European Data Protection Board.
Please, check out the press release addressing the approval of the EU Cloud Code of Conduct.
Once a Code of Conduct is approved, it may be used as e.g. a factor to demonstrate sufficient guarantees under Art. 28.1-4 GDPR. Adherence to a Code of Conduct needs also to be considered if and to the extent administrative fines will be determined. A Code of Conduct can further be used as a risk mitigator in a Data Protection Impact Assessment (DPIA).
Please, read about Codes of Conduct under GDPR.
Principally, a Cloud Service Provider’s Membership and a Cloud Service’s adherence to the Code must not be confused. Only Cloud Services can be declared adherent to and verified compliant with the Code.
Please, find a list of adherent services at the Public Register.
Once a Cloud Service has been verified compliant by the Monitoring Body, it will be listed in the Public Register.
Please, refer to our Public Register to find the most recent overview on adherent Cloud Services.
The Monitoring Body verifies compliance by an initial assessment, annual recurring assessments and ad-hoc assessments, whenever the Monitoring Body considers those reasonable.
Please, read more.
First, we highly appreciate your interest in the EU Cloud CoC. Codes of Conduct are subject to constant evaluation and updates. Please, feel free to reach out to the Code’s secretariat identifying the relevant section as precise as possible alongside a short rationale of your suggestion. The secretariat will be happy to either help clarifying by further explaining the Code’s language. If and to the extent necessary, it will also note your remark and forward it to the General Assembly for further consideration.
Membership
You may join the General Assembly by filling in the Online Application Form. Once you have applied, there is a vetting progress to check the legal status and veracity of the application by the Code’s Secretariat.
Please, note: There are two Membership options:
General Assembly Member (for CSPs) and General Assembly Supporter (for non-CSPs).
By joining the General Assembly, you publicly underpin the efforts to meet the requirements of the GDPR, increasing Customers’ confidence and trust when choosing Cloud Services. Moreover, there are substantial legal benefits you, as a CSP, can rely on, once being adherent to an approved Code of Conduct. For example, adherence to a Code of Conduct must be (positively) taken into account in the determination of administrative fines. A Code of Conduct covering relevant aspects due to Article 28 GDPR, such as the EU Cloud CoC, can be presented to the Customers in accordance with Article 28.5 GDPR as sufficient guarantee. By that, you can massively reduce your resources spent related to the onboarding of new Customers. Being governed by SCOPE Europe as an independent Code Monitoring Body, establishing a robust and trustworthy oversight mechanism, positively contributes to abovementioned factor, as well as the Code’s extensive collection of good practices within its controls catalogue.
Depending on the applicable Membership option, there are different requirements.
An overall requirement is to support the EU Cloud CoC. That includes being named as Member on the EU Cloud CoC website and publicly communicating your support of and Membership to the EU Cloud CoC.
To join as General Assembly Member, you must be a Cloud Service Provider. Any natural or legal entity that is not a Cloud Service Provider may join as a General Assembly Supporter.
General Assembly Membership is open to any Cloud Service Provider. There are three sub-options of becoming a General Assembly Member:
- Full-Membership including voting rights
- Membership for Medium Sized Enterprises excluding voting rights
- Membership for Small Sized Enterprises excluding voting rights
It is not required to be compliant with the Code the moment you join as a Member, already. However, it is expected that each Cloud Service Provider explores declaring adherent at least one of its Cloud Services within due time once the Code is being approved.
Yes, you can join as a Supporter. General Assembly Supporters must not be Cloud Service Providers but any natural or legal entity that strives to support the aims of the EU Cloud CoC, such as for example associations, authorities, law firms, NGOs, think tanks, etc.
As a supporter, the fee depends on the size of your company. The pricing is 1,500 EUR for small-sized, 3,000 EUR for mid-sized and 5,000 EUR for all other companies.
In general, every Cloud Service provider may choose to become a Full-Member no matter of its size. The Membership fee depends on the option you choose whereas there are three different Membership options, depending on your interest. Being a SME, you can choose between the Full-Membership with voting rights and two other options specifically addressing needs of mid-sized or small-sized Enterprises, i.e. a significantly adjusted and reduced pricing scheme. Membership options for Small and Medium Sized Enterprises (SME) are only applicable for those Cloud Service Providers that fulfil the European definition of a Small or Medium Sized Enterprise.
The Membership fee depends on the option you choose whereas there are three different Membership options, depending on your interest. Being a SME, you can choose between the Full-Membership with voting rights and two other options specifically addressing needs of mid-sized or small-sized enterprises, i.e. a significantly adjusted and reduced pricing scheme.
Please, read more about the pricing.
No, as SME you can to opt-in for full Membership, providing you with voting rights, subject to according fees at any time.
Please, note: If and to the extent it appears economically more reasonable, the EU Cloud CoC provides dedicated Membership options for SME, subject to an adjusted and significantly reduced pricing scheme.
Yes, once you opt-in for the full Membership option, you receive full voting rights, also enabling you to actively participate in the Code’s development. Please, read more about the EU Cloud CoC Membership options and relating pricing schemes.
Regardless of any voting rights, the Code’s Secretariat respectively General Assembly is happy to receive any comments and suggestions to further enhance the EU Cloud CoC.
The EU Cloud CoC addresses Cloud Services / Cloud Service Families. Hence, you will not have to comply as a Cloud Service Provider as such. By that the EU Cloud CoC allows for adequate flexibility and tailors for practical needs, especially to the extent Cloud Service Providers may (intentionally) provide Cloud Service offerings not subject to GDPR at all. Notwithstanding, those services declared adherent to the EU Cloud CoC must fully comply with its provisions.
Please read more at Do I have to comply with the EU Cloud CoC as Cloud Service Provider as such?
Yes, the minimum Membership period is 24 months.
The Membership of the EU Cloud CoC is voluntary. Provided the minimum Membership period of 24 months is being met, you may terminate subject to prior notification of 18 months.
Your Supporter status is automatically renewed for another year unless terminate three months prior to the end of your Supporter Membership term.
First, you need to qualify as CSP, i.e. you are offering Cloud Services as a processor. Second, it is expected to support the principles of and EU Cloud CoC as such. However, it is not required to be compliant with the Code the moment you join as a Member, already. It is rather expected that each Cloud Service Provider explores declaring adherent at least one of its Cloud Services within due time once the Code is being approved.
It is not required to declare any of your Cloud Service(s) adherent the very moment you are joining the General Assembly. However, you are expected to declare at least one Cloud Service adherent in due time, once the Code is officially approved.
Before declaring your Cloud Service(s) adherent, you should adequately prepare your Cloud Service to be compliant with the requirements of the Code. Such due time is also being provided if you are a General Assembly Member, already. Once a Cloud Service is being declared adherent, there is no grace period anymore. The Cloud Service will have to be compliant with all requirements of the Code; otherwise the Code’s Monitoring Body will reject a positive verification.
Each Cloud Service declared adherent must comply with all requirements of the Code from the first day onwards. It will be assessed by the Code’s Monitoring Body annually once it has positively passed the verification process. Cloud Service Providers must notify any adjustments and updates to its adherent Cloud Services, to the extent such may affect a Cloud Service’s compliance. Cloud Service Providers may also terminate their Cloud Service’s listing in the Public Register.
Please, refer to the Declaration of Adherence and incorporated agreement and procedures for further details.
Once a Cloud Service is being declared adherent, adherence may be terminated subject to prior notification of 18 months, provided that the Cloud Service will be adherent for 24 months at a minimum.
The Pricing depends on the Membership option chosen. Annual fees range from 1,500.00 EUR to 15,000.00 EUR.
Please, refer to our price list.
The EU Cloud CoC provides different levels of compliance and a respective translation of its provisions into precise controls – which is being provided to the Cloud Service Provider in the form of a Controls Catalogue. It is worth noting that every part of the Code is equally binding to any CSP that declares adherence to the Code: a CSP is either compliant or it is not.
To prove compliance, CSP must complete the online declaration of adherence and successfully pass the Monitoring Bodies assessment. Please, refer to our page on the Assessment Procedure for further details.
The EU Cloud CoC has a dedicated and independent Monitoring Body. Any Cloud Service Provider declaring a Cloud Service adherent to the EU Cloud CoC must prove its compliance to the satisfaction of the Monitoring Body.
Cloud Service Providers may only market their adherence to the EU Cloud CoC after having received the official approval by the Monitoring Body. Such Cloud Service Providers will then be listed in the Public Register of Adherent Cloud Services.
In general, a Cloud Service verified compliant must – at all times – comply with all Controls of the Code, regardless of the level chosen. The different levels of compliance are only related on the level of substantiation mandatorily being provided to the Monitoring Body, as the Code does support different methods of checking conformity.
Complaints
Yes, if a Cloud Service does not comply with the requirements, you can file a complaint.
To file a complaint, please, use our online complaint form.
First, make sure you are eligible to file a complaint. Then, please, complete our online complaint form. Second, please, make sure that your complaint contains sufficient information to identify a potentially infringing behaviour of an adherent Cloud Service.
A CSP, a Customer or any other party, such as data subjects, regardless whether such party is a Customer or not of the respective Cloud Service, are eligible to file a complaint.
Provided your complaint is neither excessive nor abusive, you can file a complaint free of costs.
Yes, there is the possibility to file complaints anonymously. In case you chose to complain anonymously, please, make sure that the information provided is as complete as possible, as the Monitoring Body cannot come back for clarifications or additional information in the event of an anonymous complaint.
For the avoidance of doubt: to file a complaint anonymously means without providing contact information or a name. Notwithstanding and in accordance with applicable law, the Monitoring Body may be required to cooperate with third parties e.g. subject to court orders. Please note, that there is always a risk that based on accumulated information you may still be identified by other means than name or contact details.
To ensure the handling of complaints about infringements of the Code, an ongoing cooperation of the complainant is needed during an appropriate period of time (beginning with the receipt of the request). It is relevant that the complainant is available for the secretariat for further inquiries and to provide all information. The regular period to answer is two weeks. If the complainant does not meet its obligation to cooperate within the appropriate period, the complaint may be dismissed.
For further details, please, refer to the Complaint Procedure.
Complaints are limited in scope to the provisions of the Code. First, complaints have to relate to adherent Cloud Services as being listed in the Public Register. Second, the complaint is limited to Code infringements , i.e. a Cloud Service is not compliant with the requirements as defined by the Code.
If and to the extent your complaint does neither refer to an adherent Cloud Service nor to a requirement of the Code, your complaint will be dismissed.
Third Country Transfer Initiative
No, the Third Country Transfer Initiative is currently creating a dedicated safeguard for the third country data transfers as an on-top Module to the EU Cloud CoC.
Please, read more about the Third Country Transfer Initiative.
The Third Country Transfer Initiative is currently developing an on-top Module to the EU Cloud CoC creating a dedicated safeguard for the third country data transfers.
Please, read more about the Third Country Transfer Initiative.
No, it is not yet completed but work on the Module is underway.
Please, read more about the Initiative and its work on the Third Country Module. Stakeholders are explicitly invited to actively contribute to and partake in the Initiative.
Since it is an on-top Module of the EU Cloud CoC, every Member of the EU Cloud CoC can join the Initiative. You can use the Online Application Form.
The Third Country Module is an on-top Module of the EU Cloud CoC and therefore will also be monitored by SCOPE Europe.
The Third Country Module is an on-top module of the EU Cloud CoC. Consequently, the participation in the Module is included in the fees for the EU Cloud CoC now. That goes notwithstanding any additional fees relating to the verification of compliance once a Cloud Service will be declared adherent to this Module.
Though the Initiative surely intends to address the Schrems II ruling and acknowledging that the underlying case of Schrems II was related to the US, the consequences and impact of such ruling is not limited to the US. Consequently, the Third Country Transfer Module intends to cover any third country transfer irrespective the applicable third country, i.e. the Module applies globally.
This transfer Module will be created for global use.
Transfers considered under this Third Country Module are those subject to Chapter V GDPR.