New GDPR Code of Conduct approved for Cloud Infrastructure Service Providers


The European Data Protection Board (EDPB) and the French Data Protection Authority (CNIL) approved the CISPE Data Protection Code of Conduct of Cloud Infrastructure Service Providers in Europe (CISPE Code) in line with Article 40 and 41 of the GDPR. The CISPE Code is a sector-specific code of conduct for Cloud Infrastructure Service Providers in Europe.

Applicability of the Code

The CISPE Code is addressed to cloud infrastructure service providers (CISP) and is applicable exclusively for IaaS cloud offerings, which is expected to make the CISPE Code more appealing for organisations seeking to demonstrate compliance for IaaS services.

The CISPE Code applies to the B2B context for cloud services where the cloud service provider acts as a processor under Article 28 of the GDPR. The Code, however, does not apply to B2C services or any processing activities for which the cloud service provider may act as a data controller, but can still be relevant for customers of cloud services since they will receive an additional guarantee of compliance when entrusting adherent cloud service providers.

Code facilitates GDPR compliance

The purpose of the CISPE Code is to define a self-regulating model for IaaS providers that is compliant with European data protection regulations. When accepting the Code, laaS providers will commit to using the personal data of customers in a conventional manner, and to processing and storing this data within EU/EEA territory.

The CISPE Code consists of a scope definition, data protection requirements, transparency requirements, adherence, and governance sections. For each GDPR requirement relevant in the context of the cloud infrastructure provision, the CISPE Code names a corresponding requirement with explanatory notes. These notes include a guidance on matters specifically addressing the IaaS offering, such as how to develop contractual terms and conditions of CISP services, CISP personnel and documenting compliance, and general GDPR requirements, such as sub-processing, data breach management, and data security.

Adherence monitoring

Organisations that declare adherence to the CISPE Code must verify ongoing compliance. The CISPE Code has appointed several external monitoring bodies in accordance with Article 41 of the GDPR. These monitoring bodies will oversee its application and ensure the compliance of adherent members with the provisions of the CISPE Code and take actions, such as levying sanctions if there are infringements to the Code.

Becoming adherent to the Code

There are two possible routes for IaaS providers to declare a service adherent to the CISPE Code:

  • Controlled adherence: audit by an independent third party, which verifies and certifies that the IaaS provider is bound by and compliant with the CISPE Code;
  • Self-assessment of compliance: assessment by the IaaS provider that it is compliant with the requirements and has signed a statement of commitment, using the model supplied in the Code.

Any company that joins the CISPE Code and pays the necessary fee is eligible to apply for one of the official CISPE trust marks:

  • Candidate mark: available to IaaS services and providers that have conducted a self-assessment against CISPE Code requirements, pending verification.
  • Compliant mark: awarded to services and providers for which compliance has been verified.

Main benefits of joining the CISPE Code

By declaring that their services adhere to the CISPE Code, cloud infrastructure service providers assure customers that the processing undertaken by the service is fully GDPR compliant. In addition, the main advantages of adherence to the CISPE Code include:

  • Specificity: the CISPE Code does not apply to all cloud service provision models, but is tailor-made for IaaS providers taking into account the specific issues of IaaS offerings.
  • Trust: adhering to a self-regulation mechanism approved by all European data protection authorities in order to build trust among customers.
  • Fostering Digital Sovereignty: the CISPE Code specifies that accredited services must offer the option to retain all personal data within the EEA. Freedom of choice for organisations develops cloud services that comply with the GDPR and data sovereignty requirements.
  • Best practices: the CISPE Code offers best practices for GDPR compliance and addresses key customer concerns.

You can download the CISPE Code here.

For more information on the CISPE Code and data protection the EU, contact your CMS client partner or CMS experts.

Article co-authored Anna Horváth.