Data Protection, Europe approves Code of Conduct on Cloud Services
The CISPE Code of Conduct is the first industry-specific European code for cloud infrastructure service providers (under Article 40 of the European Union’s GDPR) to receive the green light from the European Data Protection Board (EDPB).
On 3 February 2022, CISPE, the voice of Cloud Infrastructure Service Providers in Europe, announced that companies such as Aruba, Amazon Web Services, Elogic, Leaseweb, Outscale and OVHCloud are the first members to declare that their services comply with their Data Protection Code of Conduct. The CISPE Code of Conduct is the first General Data Protection Regulation (GDPR) code of conduct specifically designed for Cloud Infrastructure Service Providers.
Automated Compliance & Partnership with GAIA-X
All declared services must be verified by one of the three independent monitoring bodies accredited by the CNIL: Bureau Veritas, LNE and EY CertifyPoint. Controlled adherence by independent monitoring bodies provides cloud infrastructure customers with an additional layer of assurance when developing GDPR-compliant services in the cloud.
As a compliance tool validated by data protection authorities, the CISPE Code will be able to provide an additional guarantee of the compliance of Cloud services with European legislation.
The CISPE Code is the first tool approved by the EDPB to go beyond the requirements of the GDPR by certifying services to ensure the non-reuse of customer data and to provide customers with the choice to use the services to store and process customer data exclusively in the European Economic Area (EEA).
A key goal of the GAIA-X project is to provide automated compliance to digitally create transparency and trust. Together with GAIA-X, CISPE has used its Data Protection Code of Conduct to issue verifiable credentials according to the W3C standard.
These allow GAIA-X to automatically verify claims of compliance with data protection and data localization provisions.
The benefits of the Code of Conduct
SECURITY. Many European businesses want to maintain better control over their data by ensuring that it stays within the European Union. The CISPE Code of Conduct provides IaaS customers with explicit options to select services that allow data processing entirely within the European Economic Area. As such, it also promotes data protection best practices that support the EU’s GAIA-X initiative for the development of European federated cloud data services.
COMPLIANCE. Compliance with the CISPE Code of Conduct is verified by independent external auditors accredited as “Supervisory Bodies” by the competent European Data Protection Authority. The independent “Supervisory Bodies” strengthen the level of guarantee provided by the services declared under the Code.
FOCUS. It is the first and only code to focus exclusively on the Infrastructure-as-a-Service (IaaS) industry and address roles and responsibilities specific to IaaS providers, which cannot be represented in a general, multi-purpose code. The CISPE Code of Conduct creates trust for end users that a declared IaaS service is GDPR compliant. The stated service providers will only access or use customer data to maintain or provide the service and will not use customer data for marketing or advertising purposes.