Background and Overview of the EU Cloud Code of Conduct
The General Data Protection Regulation (GDPR), which became effective in 2018, requires controllers and processors of personal data to adopt technical and organizational measures to demonstrate compliance with the GDPR. The GDPR outlines Codes of Conduct in Article 40 as a way for organizations to demonstrate compliance against an approved and recognized set of best practices.
On May 19th, 2021, the European Data Protection Board (EDPB) adopted the EU Cloud Code of Conduct, which was then adopted by the Belgian Data Protection Authority on May 20th. This is significant as this Code was designed specifically for cloud service providers. Adherence to the Code is voluntary; however, compliance will help controllers to identify processors that adhere to the GDPR.
Who does it apply to?
The EU Cloud Code of Conduct (Code) applies to cloud service providers (CSPs) (e.g., IaaS, PaaS, or SaaS) acting in the role of a processor that seek to certify their in-scope cloud services as compliant with the EU-recognized Code of Conduct. The scope can include all of the CSP's cloud service offerings or a portion of them. Selection of the cloud services to include in the scope is up to the CSP.