Though the official approval of the Code is pending, SCOPE Europe has already prepared its procedures to effectively monitor adherent Cloud services. In this context, CSPs are invited to sign up their services under the latest version of the Code, to publicly underpin their efforts to comply with GDPR requirements. The EU Cloud CoC can already apply the same principles and procedures now, pending the endorsement of the Code and its official approval by supervisory authorities.
CSPs adherent to provisional assessments have performed a declaration of adherence to the Code with regard to the declared Cloud Service and confirmed that the Cloud Service fully complies with the provisions set out in the Code. The competent Monitoring Body has verified that the Cloud Service complies with the Code through the exact same procedures as written down in the finalized Code and foreseen once the Code is approved by supervisory authorities.
The correspondent level of compliance to the Code was assessed against the finalized version of the Code, pending its official approval.
Levels of Compliance
The Cloud Service Provider has performed an internal audit and documented its implemented measures proving compliance with the requirements of the Code with regard to the declared Cloud Service and confirms that the Cloud Service fully complies with the requirements set out in this Code and further specified in the Controls Catalogue. The Monitoring Body verifies that the Cloud Service complies with the Code by information originating from the Cloud Service Provider.
Additional to the “First Level of Compliance”, compliance with the Code is partially supported by independent third-party certificates and audits, which the Cloud Service Provider has undergone with regard to the Cloud Service declared adherent and which were based upon internationally recognised standards procedures. Any such third-party certificates and audits that covered controls similar to this Code, but not less protective, are considered in the verification process of the Monitoring Body. Each third-party certificates and audits that were considered in the verification process by the Monitoring Body will be referred in the Monitoring Body’s report of verification, provided that the findings of such certificates were sufficiently and convincingly reported and documented towards the Monitoring Body and only to the extent such certificates and audits are in line with the Code. Cloud Service Providers must notify the Monitoring Body if there are any changes to the provided certificates or audits.
The Controls Catalogue may give guidance on third-party certificates and audits that are equivalent to certain Controls in terms providing evidence of complying with the Code.
However, to those Controls that the Cloud Service Provider has not provided any equivalent third-party certificate or audit, the Monitoring Body verifies that the Cloud Service complies with the Code by information originating from the Cloud Service Provider.
Identical to the “Second Level of Compliance” but compliance is fully supported by independent third-party certificates and audits, which the Cloud Service Provider has undergone with regard to the Cloud Service declared adherent and which were based upon internationally recognized standards.
Prior to the finalization of the Code, cloud service providers could sign up their services against the Code in its Directive 95/46/EC version. The purpose of this is to clearly differentiate assessments that are performed against the Directive 95/46/EC and future assessments against GDPR at a point in time when European Data Protection Board has approved the Code. Therefore Cloud Services that are compliant with the Code under Directive 95/46/EC are awarded the "Preliminary" Compliance Mark.
CSPs adherent to preliminary assessments have performed a self-assessment and self-declaration of adherence to the Code with regard to the declared Cloud Service and confirmed that the Cloud Service fully complies with the provisions set out in the Code. The competent Monitoring Body has verified that the Cloud Service complies with the Code through a plausibility check. Where the Code provides guidance, the Monitoring Body has taken such guidance into account; where no such guidance is provided, the Monitoring Body has referred to common interpretations of Directive 95/46/EC especially with regards to court decisions and publicly available documentation on decisions by Data Protection Authorities. Where no such final decision exists, the Monitoring Body has referred to the common interpretation of Directive 95/46/EC by academics, data protection and information security professionals.
This level of compliance to the Code was assessed under Directive 95/46/EC and is not a Code of Conduct pursuant Articles 40, 41 GDPR.
In the Public Register, there is a reference "Corresponds to Level in the updated Code". What does it mean?
The Code under GDPR sets out different levels of Compliance to provide transparency to the Customers on the Cloud Services. There are three levels of Compliance. The different levels of compliance relate only to the levels of evidence that are submitted to the Monitoring Body, there is however no difference in terms of which parts of the Code are covered since adherent Cloud Services have to comply with all provisions of the Code and their respective controls.
Assessments that took place against the Code version under Directive 95/46/EC were not performed against the Controls Catalogue. At the time of assessment the levels of compliance were not yet determined. "Corresponds to Level in the updated Code" is a mapping of the old procedure to the upcoming procedure under the GDPR version of the Code in order to enhance transparency.