The Belgian DPA approved the EU Cloud Code of Conduct for cloud service providers acting as a processor

On 20 May 2021, the Belgian Data Protection Authority (hereinafter DPA) has approved the first transnational code of conduct since the entry into force of the General Data Protection Regulation (hereinafter GDPR) on 25 May 2018. The EU Cloud Code of Conduct that was approved by the DPA aims to establish good data protection practices for cloud service providers and will contribute to a better protection of personal data processed in the cloud in Europe.


Pursuant to Art. 40 of the GDPR, codes of conduct are voluntary accountability tools that contribute to the proper application of the GDPR and that set out specific data protection rules for categories of controllers and processors. They can be a useful and effective instrument, providing a detailed description of what is the most appropriate legal and ethical set of behaviours of a sector. 

Proposals for codes of conducts can be made by trade associations or bodies representing a sector in order to help their sector to comply with the GDPR in an efficient and potentially cost effective way.


The EU Cloud Code of Conduct was founded in February 2017, after four years of close collaboration between the European Commission and the cloud computing community. A favourable opinion of the European Data Protection Board on 19 May 2021 paved the way for the DPA, which operates as the lead body behind the initiative, to now issue a formal approval. 

The EU Cloud Code of Conduct intends to address all service types of the cloud market (IaaS, PaaS, SaaS) and to create a baseline for implementation of GDPR for such services. It will provide practical guidance and define specific requirements for cloud service providers acting as a processor. Processors can use the adherence to an approved code of conduct as a way to demonstrate that sufficient guarantees referred to in Article 28 (1) and 28 (5) of the GDPR have been implemented. 

The scope of application of the EU Cloud Code of Conduct is rather limited (only processors offering cloud services). The EU Cloud Code of Conduct therefore does not apply in a B2C context or to any processing activities for which the cloud service provider may act as a data controller. Moreover, the EU Cloud Code of Conduct does not permit international transfers of personal data pursuant to Article 46 (2) (e) of the GDPR.

The main objective of the EU Cloud Code of Conduct is to concretize the requirements of Art. 28 of the GDPR. It gives practical guidance and a set of specific binding requirements (such as requirements regarding the use of sub-processors, the right to audit, compliance with data subject rights requests, transparency and liability), as well as objectives to help cloud service providers demonstrate compliance with Article 28 of the GDPR.

The EU Cloud Code of Conduct is already fully operational and important tech giants offering cloud services, such as Google Cloud, Microsoft and IBM, have joined the EU Cloud Code of Conduct. 


Under Articles 40 and 41 GDPR, a code of conduct that involves processing activities must be monitored by an accredited monitoring body. Besides the approval of the EU Cloud Code of Conduct, the DPA has therefore accredited SCOPE Europe as the competent monitoring body, as it demonstrated compliance with all requirements. SCOPE Europe will be responsible for ensuring that code members respect the provisions of the EU Cloud Code of Conduct.

Hence, as a cloud service provider acting as a processor are you going to take the plunge and adopt this compliance and marketing tool? 

If you are still hesitating, feel free to contact us or read the approval decision of the DPA regarding the EU Cloud Code of Conduct that can be found here, as well as the accreditation decision regarding SCOPE Europe and the opinion of the European Data Protection Board.

Related : Lydian ( Mr. Bastiaan Bruyndonckx ,  Ms. LIese Kuyken )


Mr. Bastiaan Bruyndonckx Mr. Bastiaan Bruyndonckx
[email protected]
Ms. LIese Kuyken Ms. LIese Kuyken
[email protected]

Click here to see the ad(s)

Lastest articles by Mr. Bastiaan Bruyndonckx

Court of Justice of the European Union allows Reverse Engineering to Correct Errors

Licensees are in certain cases permitted to decompile software code without infringing the Software Directive. In a judgem...

Read more

A clear position of the ECJ: zero support for zero tariff options

A zero tariff option is a commercial practice whereby an internet access provider applies a ‘zero tariff’ (or ...

Read more

CJEU clarifies competence of non-lead supervisory authorities in cross-border GDPR infringements ...

On 16 February 2018, the Brussels Court of First Instance condemned Facebook, including Facebook Ireland Limited and Faceb...

Read more

Checklist voorbereiding en implementatie procedure klokkenluiders

Werknemers spelen als klokkenluider een sleutelrol bij het onthullen en voorkomen van inbreuken op belangrijke wetgeving d...

Read more

Lastest articles by Ms. LIese Kuyken

Court of Justice of the European Union allows Reverse Engineering to Correct Errors

Licensees are in certain cases permitted to decompile software code without infringing the Software Directive. In a judgem...

Read more

European Commission publishes proposal for AI regulation

In recent years, artificial intelligence (AI) has been a popular buzzword and a hot topic that has caught the attention of...

Read more

The Digital Services Act package: proposals published

Since our last ezine on this topic, a lot has changed. On 15 December 2020 (initially announced for 2 December 2...

Read more

The Digital Operational Resilience Act (DORA): what (re)insurers and (re)insurance intermediaries...

In September 2020, the European Commission adopted the Digital Finance Package, including a digital finance strategy ...

Read more

LexGO Network