What is the Code of Conduct?

Cloud Infrastructure Service Providers in Europe (CISPE) is a coalition of more than 20 cloud infrastructure providers operating in Europe.

The CISPE data protection Code of Conduct provides a framework to ensure that the data processing activities carried out by Cloud Infrastructure Service Providers (CISPs) are compliant with the current Data Protection Directive and the General Data Protection Regulation (GDPR) which will come into force in May 2018.

In order to demonstrate compliance, CISPs will have to comply with a set of data protection and transparency requirements.

The Code is intended to guide customers (particularly SMEs) in assessing whether the cloud infrastructure services they wish to use are suitable for the data processing activities they wish CISPs to perform.

Who does the Code apply to?

The Code applies to:

  • providers of infrastructure-as-a-service (referred to as CISPs in the Code) only (i.e. not providers of software-as-a-service)
  • CISPs acting in their capacity as data processors (rather than data controllers) under applicable EU data protection law.

What are the Code Requirements?

There are two main sets of Code Requirements:

  • The Data Protection Requirements – these clarify the CISP’s role as a processor under the applicable EU data protection law in the context of cloud infrastructure services and cover requirements for security and customer consent amongst other things.
  • The Transparency Requirements – the Code of Conduct provides a list of 6 objectives to ensure that CISPs are transparent about their services.

The CISP must also give the customer an option to specify that their data will be stored and processed entirely within the EEA, a requirement that customers are increasingly choosing to specify themselves in order to simplify compliance with EU data protection law’s international transfer restrictions.

What is the procedure?

The CISP may declare adherence to the Code Requirements for all or any of its cloud infrastructure services and may use a Compliance Mark to advertise its compliance.

In order to use the Compliance Mark, the CISP must submit a Declaration of Adherence which can be supported by:

  • self-assessment by the CISP
  • certification by an independent third party.

The service declared as complying with the Code must meet all the Code Requirements. If the CISP fails to satisfy all the Code Requirements for the services in question, it will be subject to enforcement mechanisms such as the suspension or revocation of its Declaration of Adherence.

As a practical point, CISPs will need to ensure that any agreements with new customers do not contradict the Code Requirements – this should be done before declaring adherence.

What does this mean for businesses?

The Code is intended to facilitate trust between CISPs and their customers. For CISPs, obtaining a Compliance Mark is a good way to illustrate best industry practice and can be used to expand client bases.

For customers, although adherence with the Code does not guarantee a CISP’s compliance with the law, it can help to narrow down a list of potential CISPs and reduce the risk of unlawful processing.