The Belgian data protection authority approves the first EU code of conduct for cloud service providers
On May 20, 2021, the Belgian Data Protection Authority (“Belgian Data Protection Authority”) as the lead authority (in collaboration with two co-reviewing authorities) announced that it had approved the EU Code of Conduct for Data Protection for Cloud Service Providers (the “EU Cloud CoC” ). The EU Cloud CoC is the first transnational EU code of conduct since the EU General Data Protection Regulation (“GDPR”) came into force.
According to Recital 81 and Article 28 (5) of the GDPR, a processor’s compliance with an approved code of conduct can be used as an element to demonstrate the sufficient guarantees referred to in Article 28 (1) and Article 28 (5). of the GDPR.
The EU Cloud CoC aims to create a basis for the implementation of the GDPR for all service types in the cloud market. The aim is to provide cloud service providers with practical guidance and a set of specific mandatory requirements (e.g. requirements regarding the use of subprocessors, audits, compliance with data subject rights requirements, transparency, etc.) as well as goals and support for cloud -Service providers on demonstrating compliance with Article 28 of the GDPR. A number of controls will also help to assess compliance with the requirements of the EU Cloud CoC. It is important that the EU Cloud CoC only applies to cloud service providers who act as processors and does not allow any international transfer of personal data in accordance with Article 46.2 (e) of the GDPR.
According to the GDPR, a code of conduct that includes processing activities must be monitored by an accredited monitoring body. Accordingly, the Belgian data protection authority has also accredited Scope Europe as a monitoring body for the EU Cloud CoC. The EU Cloud CoC is responsible for checking the conformity of the attached cloud service providers at least once a year and on an ad hoc basis if significant changes occur or a complaint is responded to.
As part of the approval process, the European Protection Board issued a positive opinion on the EU Cloud CoC.
Read the Belgian DPA approval decision related to EU Cloud CoC, the accreditation decision related to Scope Europe and the Belgian DPA press release.