On May 20, 2021, the Belgian Data Protection Authority (“Belgian DPA”), as the lead authority (in collaboration with two co-reviewing authorities), announced that it had approved the EU Data Protection Code of Conduct for Cloud Service Providers (the “EU Cloud CoC”). The EU Cloud CoC is the first transnational EU code of conduct since the entry into force of the EU General Data Protection Regulation (the “GDPR”).
Pursuant to Recital 81 and Article 28 (5) of the GDPR, adherence of a processor to an approved code of conduct may be used as an element by which to demonstrate the sufficient guarantees referred to in Article 28 (1) and 28 (5) of the GDPR.
The EU Cloud CoC aims to create a baseline for implementing the GDPR across all service types in the cloud market. Its purpose is to offer cloud service providers practical guidance and a set of specific binding requirements (such as requirements regarding the use of sub-processors, audits, compliance with data subject rights requests, transparency, etc.), as well as objectives to help cloud service providers demonstrate compliance with Article 28 of the GDPR. A set of controls will also help assess compliance with the requirements of the EU Cloud CoC. Importantly, the EU Cloud CoC applies only to cloud service providers acting as processors and does not permit international transfers of personal data pursuant to Article 46.2(e) of the GDPR.
Under the GDPR, a code of conduct that involves processing activities must be monitored by an accredited monitoring body. Accordingly, the Belgian DPA also accredited Scope Europe as the monitoring body for the EU Cloud CoC. As monitoring body, Scope Europe will be responsible for checking the conformity of adhering cloud service providers at least annually, and on an ad-hoc basis if significant changes occur or in reaction to a complaint.
As part of the approval process, the European Data Protection Board provided a favorable opinion regarding the EU Cloud CoC.