The Code provides three different Levels of Compliance. The different levels of compliance relate only to the levels of evidence that are submitted to the Monitoring Body. There is however no difference in terms of which parts of the Code are covered since adherent Cloud Services have to comply with all provisions of the Code and their respective Controls.
The Monitoring Body shall not verify a Cloud Service’s compliance with the Code unless it is convincingly satisfied by the evidence provided demonstrating the Cloud Service’s compliance under the applicable assessment procedure.
The CSP shall indicate the Level of Compliance it is seeking when declaring its Cloud Service adherent. Any final decision on whether a CSP meets the requirements of a specific Level of Compliance is at the sole discretion of the Monitoring Body.
Level 1
The Cloud Service Provider has performed an internal review and documented its implemented measures proving compliance with the requirements of the Code with regard to the declared Cloud Service and confirms that the Cloud Service fully complies with the requirements set out in this Code and further specified in the Controls Catalogue. The Monitoring Body verifies that the Cloud Service complies with the Code by information originating from the Cloud Service Provider.
Level 2
In addition to the “First Level of Compliance”, compliance with the Code is partially supported by independent third-party certificates and audits which the Cloud Service Provider has undergone with specific relevance to the Cloud Service declared adherent and which were based upon internationally recognised standards and procedures. Any such third-party certificates and audits that covered controls similar to, but not less protective than, those of this Code are considered in the verification process of the Monitoring Body. Each third-party certificate or audit that was considered in the verification process by the Monitoring Body shall be referred to in the Monitoring Body’s report of verification, provided that the findings of such certificates were sufficiently and convincingly reported and documented to the Monitoring Body, and only to the extent such certificates and audits are in line with the Code. The Cloud Service Provider must notify the Monitoring Body of any changes to the provided certificates or audits.
The Controls Catalogue may give guidance on third-party certificates and audits that are equivalent to certain Controls in terms of providing evidence of complying with the Code.
However, for those Controls for which the Cloud Service Provider has not provided any equivalent third-party certificate or audit, the Monitoring Body verifies that the Cloud Service complies with the Code by information originating from the Cloud Service Provider.
The Monitoring Body may refuse application of the Second Level of Compliance if the third-party certificates and audit reports recognised by the Monitoring Body in the verification process concerned do not cover an adequate share of the Controls of this Code; such adequate share shall be subject to the discretion of the Monitoring Body, considering e.g. the share relative to the overall number of Controls of the Code or whether a full Section or topic is covered.
Level 3
Identical to the “Second Level of Compliance”, but compliance is fully supported by independent third-party certificates and audits which the Cloud Service Provider has undergone with regard to the Cloud Service declared adherent and which were based upon internationally recognised standards.
To the extent a Cloud Service Provider refers to individual reports, such as ISAE-3000 reports, the Cloud Service Provider shall ensure that such reports provide sufficient and assessable information and details on the actual measures implemented by the Cloud Service Provider regarding the Cloud Service concerned. The Monitoring Body shall, if considered necessary, in consultation with the Steering Board, define further requirements on such individual reports, such as accreditation and training for auditors against the provisions and requirements of this Code.
Prior mechanisms and compliance marks
To help you understand diverging past terminology, refer to the following explanations.
Prior to the official approval of the Code, which took place in May 2021, SCOPE Europe had already prepared its procedures to effectively monitor adherent Cloud Services. In this context, CSPs are invited to sign up their services under the latest version of the Code, to publicly underpin their efforts to comply with GDPR requirements.
CSPs adherent under provisional assessments have made a declaration of adherence to the Code with regard to the declared Cloud Service and confirmed that the Cloud Service fully complies with the provisions set out in the Code. The competent Monitoring Body has verified that the Cloud Service complies with the Code through the exact same procedures as set out in the finalized Code.
Compliance Marks
The correspondent level of compliance to the Code was assessed against the finalized version of the Code, pending its official approval.
Levels of Compliance
The Cloud Service Provider has performed an internal audit and documented its implemented measures proving compliance with the requirements of the Code with regard to the declared Cloud Service and confirms that the Cloud Service fully complies with the requirements set out in this Code and further specified in the Controls Catalogue. The Monitoring Body verifies that the Cloud Service complies with the Code by information originating from the Cloud Service Provider.
In addition to the “First Level of Compliance”, compliance with the Code is partially supported by independent third-party certificates and audits which the Cloud Service Provider has undergone with regard to the Cloud Service declared adherent and which were based upon internationally recognised standards and procedures. Any such third-party certificates and audits that covered controls similar to, but not less protective than, those of this Code are considered in the verification process of the Monitoring Body. Each third-party certificate or audit that was considered in the verification process by the Monitoring Body will be referred to in the Monitoring Body’s report of verification, provided that the findings of such certificates were sufficiently and convincingly reported and documented to the Monitoring Body, and only to the extent such certificates and audits are in line with the Code. Cloud Service Providers must notify the Monitoring Body of any changes to the provided certificates or audits.
The Controls Catalogue may give guidance on third-party certificates and audits that are equivalent to certain Controls in terms of providing evidence of complying with the Code.
However, for those Controls for which the Cloud Service Provider has not provided any equivalent third-party certificate or audit, the Monitoring Body verifies that the Cloud Service complies with the Code by information originating from the Cloud Service Provider.
Identical to the “Second Level of Compliance”, but compliance is fully supported by independent third-party certificates and audits which the Cloud Service Provider has undergone with regard to the Cloud Service declared adherent and which were based upon internationally recognised standards.
Prior to the finalization of the Code, Cloud Service Providers could sign up their services against the Code in its Directive 95/46/EC version. The purpose of this is to clearly differentiate assessments performed against Directive 95/46/EC from future assessments against the GDPR, at a point in time when the European Data Protection Board has approved the Code. Therefore, Cloud Services that are compliant with the Code under Directive 95/46/EC are awarded the "Preliminary" Compliance Mark.
CSPs adherent under preliminary assessments have performed a self-assessment and self-declaration of adherence to the Code with regard to the declared Cloud Service and confirmed that the Cloud Service fully complies with the provisions set out in the Code. The competent Monitoring Body has verified that the Cloud Service complies with the Code through a plausibility check. Where the Code provides guidance, the Monitoring Body has taken such guidance into account; where no such guidance is provided, the Monitoring Body has referred to common interpretations of Directive 95/46/EC, especially with regard to court decisions and publicly available documentation on decisions by Data Protection Authorities. Where no such final decision exists, the Monitoring Body has referred to the common interpretation of Directive 95/46/EC by academics and by data protection and information security professionals.
This level of compliance to the Code was assessed under Directive 95/46/EC and is not a Code of Conduct pursuant to Articles 40 and 41 GDPR.
Compliance Marks
In the Public Register, there is a reference "Corresponds to Level in the updated Code". What does it mean?
The Code under the GDPR sets out different Levels of Compliance to provide transparency to Customers on Cloud Services. There are three Levels of Compliance. The different levels relate only to the levels of evidence submitted to the Monitoring Body; there is, however, no difference in terms of which parts of the Code are covered, since adherent Cloud Services have to comply with all provisions of the Code and their respective Controls.
Assessments that took place against the Code version under Directive 95/46/EC were not performed against the Controls Catalogue. At the time of assessment the levels of compliance were not yet determined. "Corresponds to Level in the updated Code" is a mapping of the old procedure to the upcoming procedure under the GDPR version of the Code in order to enhance transparency.