On 20 May 2021, the Belgian Data Protection Authority (hereinafter DPA) approved the first transnational code of conduct since the entry into force of the General Data Protection Regulation (hereinafter GDPR) on 25 May 2018. The EU Cloud Code of Conduct approved by the DPA aims to establish good data protection practices for cloud service providers and will contribute to better protection of personal data processed in the cloud in Europe.
CODES OF CONDUCT?
Pursuant to Art. 40 of the GDPR, codes of conduct are voluntary accountability tools that contribute to the proper application of the GDPR and that set out specific data protection rules for categories of controllers and processors. They can be a useful and effective instrument, providing a detailed description of the most appropriate legal and ethical set of behaviours for a sector.
Proposals for codes of conduct can be made by trade associations or other bodies representing a sector, to help that sector comply with the GDPR in an efficient and potentially cost-effective way.
EU CLOUD CODE OF CONDUCT
The EU Cloud Code of Conduct was founded in February 2017, after four years of close collaboration between the European Commission and the cloud computing community. A favourable opinion of the European Data Protection Board on 19 May 2021 paved the way for the DPA, which acts as the lead body behind the initiative, to issue its formal approval.
The EU Cloud Code of Conduct intends to address all service types of the cloud market (IaaS, PaaS, SaaS) and to create a baseline for the implementation of the GDPR for such services. It provides practical guidance and defines specific requirements for cloud service providers acting as processors. Processors can use adherence to an approved code of conduct as a way to demonstrate that the sufficient guarantees referred to in Article 28(1) and 28(5) of the GDPR have been implemented.
The scope of application of the EU Cloud Code of Conduct is rather limited: it covers only processors offering cloud services. The EU Cloud Code of Conduct therefore does not apply in a B2C context, nor to any processing activities for which the cloud service provider acts as a data controller. Moreover, the EU Cloud Code of Conduct does not serve as a safeguard for international transfers of personal data pursuant to Article 46(2)(e) of the GDPR.
The main objective of the EU Cloud Code of Conduct is to give concrete form to the requirements of Art. 28 of the GDPR. It gives practical guidance and a set of specific binding requirements (such as requirements regarding the use of sub-processors, the right to audit, compliance with data subject rights requests, transparency and liability), as well as objectives to help cloud service providers demonstrate compliance with Article 28 of the GDPR.
The EU Cloud Code of Conduct is already fully operational, and major tech companies offering cloud services, such as Google Cloud, Microsoft and IBM, have joined it.
Under Articles 40 and 41 of the GDPR, a code of conduct that covers processing activities must be monitored by an accredited monitoring body. Alongside the approval of the EU Cloud Code of Conduct, the DPA has therefore accredited SCOPE Europe as the competent monitoring body, as it demonstrated compliance with all accreditation requirements. SCOPE Europe will be responsible for ensuring that code members respect the provisions of the EU Cloud Code of Conduct.
Hence, as a cloud service provider acting as a processor, are you going to take the plunge and adopt this compliance and marketing tool?
If you are still hesitating, feel free to contact us, or read the DPA's approval decision regarding the EU Cloud Code of Conduct, which can be found here, as well as the accreditation decision regarding SCOPE Europe and the opinion of the European Data Protection Board.