policy monitor

Belgium - EU Cloud Code of Conduct

The Belgian Data Protection Authority has approved the first transnational code of conduct for cloud service providers. The Code of Conduct is the first to be launched since the GDPR applies within the EU. The "EU Cloud CoC" aims to recommend good practices around data protection in order to contribute to better protection of personal data processed in the cloud. More concretely, the code is a voluntary tool that allows a cloud service provider to evaluate and demonstrate compliance with the requirements of the code, either through self-assessment and a self-declaration of compliance and/or through third-party certification.

What: Code of Conduct and Guidelines

Impact score: 2

For whom: Cloud service providers, service providers

URL: https://eucoc.cloud/en/home/

Summary

The code is a private initiative drafted in consultation with various authorities and has now been approved by the Belgian Data Protection Authority. It is based on Article 40 of the GDPR:

“The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.”

The European code of conduct translates the requirements of the GDPR (including Article 28) into a practical implementation, and does so for the entire spectrum of cloud services: infrastructure (IaaS), platform (PaaS) and software (SaaS). The code aims to harmonise legislative requirements concerning cloud environments throughout Europe.

It provides guidance - for both data controllers and processors - on issues such as audit rights, the deletion and return of customer data, security measures and transparency requirements (which, in the latter case, go beyond the GDPR standard). In practice, this will mean that existing processing agreements will need to be reviewed, likely in conjunction with Schrems II-related updates.

In addition, the Code of Conduct should make it easier for cloud customers (especially small and medium-sized enterprises and public authorities) to determine whether certain cloud services are fit for their intended purpose. Moreover, the transparency created by the Code will contribute to a climate of trust and establish a high level of data protection in the European cloud computing market.

It applies only to "business-to-business" (B2B) cloud services where the provider acts as a processor. Hence, it does not apply to "business-to-consumer" (B2C) services or to processing activities for which the provider may act as a data controller.

The code consists of four major chapters:

  • Data protection: this section describes the substantive rights and obligations of parties to the code, based on a set of core principles. These include purpose limitation, data transfers, security, auditing, liability and data subjects' rights.
  • Security requirements: this section describes how providers and their cloud services must comply with appropriate technical and organisational requirements.
  • Monitoring and compliance: compliance with the guidelines is monitored by SCOPE Europe. There is a three-level compliance framework:
    • Level one: the provider must conduct an internal review and document the implemented measures.
    • Level two: complementary to the first level, compliance with the code is partially supported by independent certificates and third-party audits.
    • Level three: identical to the second level, but compliance here is fully supported by independent certificates and third-party audits.

The code of conduct covering the GDPR requirements for cloud activities can be found on the EU Cloud CoC website. A company that wants a formal statement that it adheres to the guidelines must pay for it.