Whether you are a cloud service provider or a company that utilizes cloud services, you should be aware of the EU Cloud Code of Conduct (the “Cloud CoC”). The Cloud CoC was officially approved by the Belgian Data Protection Authority on May 20, 2021 and is the first transnational EU code of conduct to receive such approval since enactment of the EU General Data Protection Regulation (the “GDPR”).
Currently, only a handful of companies are listed as adherents to the Cloud CoC. However, over time the Cloud CoC is likely to become a standard that cloud service customers will demand of cloud service providers since adherence to an approved code of conduct is an element that can demonstrate a processor’s compliance with Article 28 of the GDPR.
Therefore, if you are a cloud service provider, you should consider adhering to the Cloud CoC. If you are a business customer of cloud services, you should be familiar with the Cloud CoC and begin discussing the requirements with your cloud service provider.
WHAT DOES THE CLOUD CoC APPLY TO?
The Cloud CoC only applies in the context of business-to-business cloud services where the cloud service provider acts as a processor under Article 28 of the GDPR.
HOW DOES A COMPANY DEMONSTRATE ADHERENCE TO THE CLOUD CoC?
In order to demonstrate adherence to the Cloud CoC, a cloud service provider must be a current member of the General Assembly of the EU Cloud Code of Conduct. Membership is available to any cloud service provider and can be applied for online. Members must pay a fee and sign a Declaration of Adherence Agreement by which the company agrees with the principles of the Cloud CoC. Adherent companies are listed on the EU Cloud CoC website.
CAN A COMPANY GAIN MEMBERSHIP TO THE GENERAL ASSEMBLY IF IT IS NOT YET COMPLIANT?
Yes. Companies are not expected to be compliant with the Cloud CoC immediately upon becoming a member. However, members should demonstrate and declare their adherence in a reasonable amount of time.
ARE CLOUD SERVICE PROVIDERS REQUIRED TO COMPLY WITH THE CLOUD CoC?
No. Adherence to the Cloud CoC is voluntary. Yet, over time it is likely to become a standard by which cloud service providers operating in the EU are judged. Adherence could become a competitive advantage.
HOW IS ADHERENCE DETERMINED?
SCOPE Europe is the accredited Monitoring Body that will verify compliance with the Cloud CoC. Verification occurs through an initial assessment, annual recurring assessments and ad-hoc assessments when deemed appropriate. A summary of what to expect during each of these types of assessments can be found on the EU Cloud Code of Conduct website.
The Cloud CoC provides for three different levels of compliance based on the amount of evidence submitted to the Monitoring Body (e.g., internal audit documentation, third-party certification and audits, and independent audits based on internationally recognized standards). However, adhering companies must comply, and at all times remain in compliance, with all provisions of the Cloud CoC and the associated controls, regardless of the level of compliance.