News & Views

Data Protection in Cloud: Cloud Providers to Establish New Code of Conduct in Anticipation of GDPR

23 February 2017

Author: Erkko Korhonen

The Cloud Infrastructure Services Providers in Europe (the “CISPE”), a coalition of technology companies focused on the provision of cloud computing infrastructure services across Europe (such as cloud tech giant Amazon Web Services), has established a new voluntary Data Protection Code of Conduct (the “Code”) to help cloud customers ensure that their cloud infrastructure provider is using appropriate data protection standards. According to the CISPE, the new Code has been constructed in such a way that it will be aligned with the GDPR when it comes into force in May 2018.


The Code addresses, for example, issues of data security, notification around data breaches, data deletion, and third-party sub-processing, as well as law enforcement and governmental requests. According to the CISPE, under the Code, cloud infrastructure providers cannot data mine or profile cloud customers’ personal data for marketing, advertising, or similar activities, for their own purposes or for the purpose of reselling to third parties. Moreover, the cloud providers certified under the Code must offer their customers the ability to exclusively process and store data within the EU or EEA territories. The Code also provides mechanisms for filing complaints to the CISPE in case a cloud provider who adheres to the Code has breached the Code.


The Code also provides that a trust mark may be awarded to cloud infrastructure providers who comply with the Code for the purpose of showing customers that they adhere to the standards of the Code. Also, a list of all cloud infrastructure services that comply with the Code are available on the CISPE’s public register.


It should be noted that the Code does not (yet) have the status of a “code of conduct” within the meaning of the GDPR, as it has not been approved by the competent authorities in the manner provided for in Article 40 of the GDPR. However, from the point of view of a cloud customer, the Code serves in any case as a good checklist for the data protection requirements to be considered, and agreed upon, when contracting for cloud infrastructure services.