Are services listed in the Public Register assessed against GDPR or Directive 95/46/EC?
Cloud Services currently listed in the Public Register have been assessed against the Code in its Directive 95/46/EC version. To clearly differentiate assessments performed against the Directive 95/46/EC version from future assessments against the GDPR version, which will begin once the European Data Protection Board has approved the Code, Cloud Services found compliant with the Code under Directive 95/46/EC are awarded the "Preliminary" Compliance Mark.
Read more about the Preliminary Compliance Mark and what it entails below.
In the Public Register, there is a reference "Corresponds to Level in the updated Code". What does it mean?
The Code under GDPR sets out three levels of Compliance to give Customers transparency about the Cloud Services listed. The levels differ only in the amount of evidence submitted to the Monitoring Body; they do not differ in which parts of the Code are covered, since an adherent Cloud Service has to comply with all provisions of the Code and their respective controls at every level.
Assessments performed against the Directive 95/46/EC version of the Code were not performed against the Controls Catalogue, and at the time of those assessments the levels of compliance had not yet been defined. The reference "Corresponds to Level in the updated Code" therefore maps the procedure used in the earlier assessment onto the corresponding level of the upcoming procedure under the GDPR version of the Code, in order to enhance transparency.
The Preliminary Compliance Mark is for Members that declared adherence to the previous version of the Code under Directive 95/46/EC before 25 May 2018. The Member has performed a self-assessment and a self-declaration of adherence to the Code for the declared Cloud Service, and confirms that the Cloud Service fully complies with the provisions set out in the Code. The Competent Monitoring Body has verified, through a plausibility check, that the Cloud Service complies with the Code.
Where the Code provides guidance, the Monitoring Body has taken that guidance into account. Where the Code provides no guidance, the Monitoring Body has referred to common interpretations of Directive 95/46/EC, in particular court decisions and publicly available documentation on decisions by Data Protection Authorities. Where no such final decision exists, the Monitoring Body has referred to the common interpretation of Directive 95/46/EC by academics and by data protection and information security professionals.
This level of compliance with the Code was assessed under Directive 95/46/EC and is not a Code of Conduct pursuant to Articles 40 and 41 GDPR.