The CISPE Data Protection Code of Conduct is the first pan-European sector-specific code approved for cloud infrastructure service providers under the European Union’s General Data Protection Regulation (GDPR). The approval was confirmed by the European Data Protection Board (EDPB), which includes all 27 national privacy regulators from the European Union (EU).
Last week, the alliance of Cloud Infrastructure Services Providers in Europe (CISPE) announced that a great number of leading cloud services providers in Europe were meeting the requirements of the SWIPO (Switching Cloud Providers and Porting Data) Codes of Conduct for Infrastructure (IaaS). These companies include: 3DS Outscale, Aruba, Amazon Web Services (AWS), CoreTech, OVHcloud, Infoclip, Irideos, Leaseweb, and Scaleway.
The ground-breaking CISPE code helps organizations including end-clients, Infrastructure-as-a-Service (IaaS) hosting providers and managed service providers (MSPs) across Europe build GDPR-compliant cloud-based services. End-clients and MSPs who select CISPE Code-compliant IaaS cloud services can rest assured that their data will be processed in accordance with the GDPR.
“Leaseweb Global – one of the early members of CISPE and a Dutch-headquartered, globally operating hybrid cloud hosting provider – fully embraces GDPR regulations worldwide to benefit our international customer base,” said Jacqueline van de Werken, CISPE Board Member and Group General Counsel & DPO for Leaseweb Global. “We are proud and we value the importance that the CISPE Data Protection Code of Conduct has been confirmed by the European Data Protection Board as the first pan-European code for cloud infrastructure providers.”
CISPE’s Code of Conduct is the first, and currently the only, code that focuses exclusively on the IaaS hosting sector and goes deeper into the specific roles and responsibilities of IaaS providers that are missing from more general codes. The CISPE Code of Conduct is intended to create trust with MSPs and IaaS end users by ensuring that a certified IaaS service is fully compliant with the GDPR.
“The GDPR was a welcome development and the CISPE Code now also provides clarity around data protection requirements for cloud infrastructure providers,” said Alban Schmutz, president of CISPE (Cloud Infrastructure Service Providers in Europe), the industry association behind the code. “The CISPE Data Protection Code of Conduct provides cloud service providers with an approved framework to demonstrate that their certified cloud services are fully compliant and to provide concrete examples of what is expected of them and their customers to protect data under GDPR rules.”
The EU’s GAIA-X Initiative
While not a requirement for GDPR compliance, many European customers would prefer their data to remain within the EU to maintain some control over their data. In this context, the CISPE Code of Conduct offers IaaS customers the unique opportunity to explicitly select services where data is processed entirely within the European Economic Area. In this sense, the CISPE Code of Conduct also promotes data protection best practices that support the EU’s GAIA-X initiative to develop European cloud-based data services.
Compliance with the CISPE Code of Conduct is verified by independent, external auditors accredited by the relevant data protection authority. As ‘supervisory authorities’ they endorse the guarantees of the services certified in accordance with the code. The CISPE Code of Conduct offers a diverse range of independent audit bodies, at the discretion of CISPE.
“CISPE was the first organization in any sector to commit and join hands with the regulator and EU institutions to create a code that goes beyond GDPR requirements to protect the interests of infrastructure providers, their customers and end users,” added Schmutz.
“Cloud infrastructure is the foundation of our digital economy, so it needs to be robust and reliable so that we can build reliable digital services for citizens and government agencies with full confidence that we are compliant with the GDPR,” said Member of European Parliament (MEP), Eva Maydell. “That is why I have supported the CISPE Code of Conduct from the beginning and am pleased that the ongoing efforts have borne fruit.”
Launched in April 2018 and facilitated by the European Commission, the SWIPO initiative developed two Codes of Conduct, one for Cloud infrastructure and one for Software as a Service. Both codes were handed over to the European Commission in November 2019. The SWIPO AISBL non-profit association was created to manage service declarations against both codes. This mechanism and the possibility to declare services became available in 2021.
CISPE is an association of cloud infrastructure service providers in Europe. CISPE has 34 members with global headquarters in 14 EU Member States. CISPE has developed the first GDPR code of conduct which encourages the storage and processing of personal data exclusively in Europe.
Since 2017, with EuroCIO and then with CIGREF, CISPE has co-chaired the working group developing industry Codes of Conduct which facilitate and enable data portability. This was established by the European Commission within the framework of EU Regulations on the Free Flow of non-personal Data. In addition, CISPE is among the 22 founding members of the GAIA-X initiative and the convener of the Climate Neutral Data Centre Pact.