The European Data Protection Board (EDPB) – comprising all the European Data Protection Authorities (DPA) – has provided a favourable opinion that the CISPE Data Protection Code of Conduct complies with the General Data Protection Regulation (GDPR).
Submitted by the French DPA, CNIL, the CISPE Code is the first pan-European sector-specific code for cloud infrastructure service providers to reach this stage.
The pioneering code from CISPE (Cloud Infrastructure Service Providers in Europe) helps organisations across Europe accelerate the development of GDPR-compliant cloud-based services for consumers, businesses, and institutions.
By selecting declared CISPE code-compliant services, IaaS customers are assured of trustworthy cloud infrastructures that adhere to data handling and storage practices in strict compliance with GDPR.
“The approval of the CISPE Code for data protection marks a major achievement, both for the industry and for end users, which will ensure transparent rules to protect the rights of European citizens in the digital age,” stated Stefano Cecconi, VP CISPE and CEO Aruba S.p.A.
“We expect greater trust in service providers: data will be processed and stored in the European Economic Area and providers won’t be able to access customer records for any purpose besides maintaining or providing the agreed services.”
Alessandro Lervolino, DPO & CISO at Ducati Motor Holding S.p.A., one of the world’s leading motorcycle manufacturers and a customer of Aruba, said, “In the manufacturing and motorsport field, we need to collect and process significant amounts of data ensuring the maximum security of these data in terms of resilience and GDPR compliance.
“As such, it is essential that we have confidence that the cloud infrastructure services we rely upon are also fully compliant. Providers declaring services under the CISPE code give us a further level of guarantee that they provide this vital compliance”.
“GDPR was a welcome development, and the CISPE code brings clarity to its data protection requirements for cloud infrastructure providers,” added Alban Schmutz, president of CISPE, the industry association behind the code.
“The CISPE Data Protection Code of Conduct gives cloud service providers an approved framework to demonstrate full compliance of their certified cloud services, providing concrete examples of what they and their customers are expected to do to protect data under GDPR rules.”
CISPE’s Code of Conduct is unique in three important ways. It is the first, and currently only, code to focus exclusively on the Infrastructure-as-a-Service (IaaS) sector and address the specific roles and responsibilities of IaaS providers not represented in more general codes.
The CISPE Code of Conduct creates confidence and trust amongst customers and their end users that a declared IaaS service is compliant with GDPR. It also assures them that cloud infrastructure service providers will only access or use customer data to maintain or provide the service and will not use customer data for marketing or advertising purposes.
While not required for GDPR compliance, many European businesses want to retain sovereignty over their data by ensuring that it remains within the EU.
Uniquely, the CISPE Code of Conduct gives IaaS customers explicit options to select services that enable data to be processed entirely within the European Economic Area.
As such, the CISPE Code of Conduct also promotes data protection best practices that support the EU’s GAIA-X initiative to develop European cloud data services.
Compliance with the CISPE Code of Conduct is verified by independent, external auditors accredited by the relevant Data Protection Authority. Acting as “Monitoring Bodies”, these auditors strengthen the level of assurance provided by services certified under the code.
The CISPE Code of Conduct offers a diverse portfolio of independent monitoring bodies allowing for a broad range of services and price points to suit the diversity of businesses in the burgeoning cloud infrastructure sector.
GDPR compliance can be complex and expensive, especially for SMEs and start-ups. These organisations often rely heavily on IaaS and will widely benefit from the ease of use and cost-effectiveness of the CISPE Code of Conduct.
“CISPE was the first organisation in any industry to engage and work hand-in-hand with the regulator and EU institutions to define a code that goes beyond GDPR requirements to protect the interests of infrastructure providers, their customers, and end-users,” added Schmutz.
“The use of cloud infrastructure has become key for any business or public administration that wants to undergo digital transformation. It is crucial that their data is handled securely and in compliance with the GDPR,” commented MEP Eva Maydell.
“This is why, since day one, I supported the CISPE Code of Conduct and I am very glad to see today that their consistent efforts pay off.”
Cloud service providers (CSPs) which adopt the CISPE Code of Conduct benefit from practical and operational guidance as well as being bound by a set of enforceable rules that ensure GDPR compliance for their services.
Final formal approval of the code will be given by the competent authority (the CNIL).