On May 20, 2021, the Belgian Data Protection Authority approved their transnational code of conduct (CoC) – the EU Cloud CoC – following a favorable opinion issued by the European Data Protection Board (EDPB) on May 19, 2021. The aim of the CoC is to help establish data protection best practices for Cloud Service Providers (CSPs) as well as contributing to a greater level of personal data protection in the European cloud industry.
It was announced by the Belgian DPA that the EU Cloud CoC will be monitored by SCOPE Europe, which will ensure CSPs are observing the provisions of the EU Cloud CoC. It was also announced in the press release that, following the EDPB opinion, the EU Cloud CoC would be immediately operational with CSPs.
Speaking on the introduction of the EU Cloud CoC , David Stevens, Chairman of the Belgian Data Protection Authority stated: “Not only are codes of conduct an efficient way to ensure the effective implementation of the GDPR in a specific sector, they also help build confidence between the sector and the data subjects. We hope to see more initiatives to create codes of conduct, especially for sectors that regularly collect and process sensitive data or large amounts of personal data.”
What is the EU Cloud Code of Conduct?
The EU Cloud CoC is a set of requirements that help CSPs demonstrate their ability to comply with the GDPR. In particular, the code is designed to be a sufficient guarantee relating to the application of Article 28.5 of the GDPR by providing a comprehensive list of essential requirements for CSPs in their role as a data processor. The Belgian Data Protection Authority has stated the EU Cloud CoC is a measure to help harmonize the interpretation of GDPR provisions for the EU cloud sector.
The EDPB has stated that the code of conduct should not be used in the context of international transfers of personal data but it may be used as an element to demonstrate legal compliance. However, the EU Cloud CoC General Assembly has stated that it will “take the challenge and is willing to draft an effective but accessible safeguard for third country transfers by means of a separate on-top module to the Art. 28.5 GDPR Code.”
The Code is a voluntary instrument that includes a section on governance to help support the transparency, management, and evolution of the code. Furthermore, the Belgian DPA has outlined that the intention of the EU Cloud CoC is to simplify the decision of whether a CSP is appropriate for its intended purpose, particularly in the case of small and medium enterprises (SMEs) and public entities.
Overall, the EU Cloud CoC aims to create a greater level of transparency for CSPs’ application of the GDPR as well as helping to develop trust and a high level of data protection as default in the European CSP industry.