The EDPB adopted Opinion 16/2021 on the draft decision of the Belgian Supervisory Authority regarding the “EU Data Protection Code of Conduct for Cloud Service Providers” submitted by Scope Europe.

The main objective of the EU Cloud Code is to concretize the legal requirements of Art. 28 GDPR and the relevant related articles of the GDPR. The EU Cloud Code is intended to address all service types of the cloud market (e.g. IaaS, PaaS, SaaS) and creates a “baseline for implementation of GDPR” for these services. Its purpose is to provide practical guidance and define specific requirements for the cloud service providers (“CSPs”). 

As known, Cloud computing consists of a set of technologies and service models that focus on the Internet-based use and delivery of IT applications, processing capability, storage, and memory space. 

The term "cloud computing" covers a variety of very distinct service provision models such as Cloud Infrastructure as a Service Cloud (“IaaS”), Cloud Software as a Service (“SaaS”), and Cloud Platform as a Service (“PaaS”). The term “IaaS” describes a situation in which a provider leases a technological infrastructure, i.e. virtual remote servers the end-user can rely upon in accordance with mechanisms and arrangements such as to make it simple, effective as well as beneficial to replace the corporate IT systems at the company’s premises and/or use the leased infrastructure alongside the corporate systems. When providing “SaaS”, a provider delivers, via the web, various application services and makes them available to end-users. These services are often meant to replace conventional applications to be installed by users on their local systems; accordingly, users are ultimately meant to outsource their data to the individual provider. When providing “PaaS”, a provider offers solutions for the advanced development and hosting of applications. These services are usually addressed to market players that use them to develop and host proprietary application-based solutions to meet in-house requirements and/or to provide services to third parties. 

The EU Cloud Code only applies to cloud services where the CSP is acting as a processor. It, therefore, does not apply to “business to consumer” (B2C) services or for any processing activities for which the CSP may act as a data controller. However, the Code is also relevant for consumers who will get additional guarantees of compliance when entrusting with their personal data a company that uses a processor which adheres to the Code .

News archive