Skip to Main Content
Main Menu

EU Cloud Code of Conduct

The EU Data Protection Code of Conduct for Cloud Service Providers sets out clear requirements and recommended procedures for data protection in cloud services in compliance with GDPR to support accountability.

Are you subject to the EU Cloud Code of Conduct?

The EU Cloud Code of Conduct applies to all cloud services types in the market that is acting as a processor.

Expectations of the Code

The Code is meant to facilitate effective application of the GDPR and is designed to ensure a robust level of data protection and transparency, complemented by an independent monitoring function. 

Subprocessing guidance

Under the Code, cloud service providers must provide consent on authorized use of sub-processors as well as disclosures on changes.

Data subjects rights

The Code requires a data protection contact in order to assist in data subject rights outlined in GDPR. In addition there are specifics on the return or deletion of customer personal data upon termination of a cloud service agreement.

Best practice & oversight mechanisms

The Code outlines security objectives based on recognized standards (e.g., ISO 27001, ISO 27701, SOC 2, C5). For oversight mechanisms, a monitoring body must be able to perform independent reports. Cloud service providers should also provide a complaint mechanism and monitoring body in accordance with GDPR.


EU General Data Protection Regulation (GDPR)

The world’s most comprehensive data privacy and protection law requires organizations to adhere to 7 common principles, provide the ability to exercise the 8 individual rights, and demonstrate an ongoing commitment to data privacy.

EU Code of Conduct FAQ

  • Is the EU Cloud Code of Conduct required?

    The Code is a voluntary instrument in accordance with Article 40 GDPR. This code is an element for a cloud service provider to demonstrate sufficient guarantees in having implemented the appropriate technical and organization measures to meet GDPR requirements, especially when engaging sub-processors.

  • What is the purpose of the Code?

    The purpose is to make it easier and more transparent for customers to analyze whether Cloud Services are appropriate for their use case.

  • What are the key legal benefits of the Code with regard to data protection?

    An approved Code of Conduct can be used to demonstrate sufficient compliance under GDPR. It can also be used as a risk mitigator when conducting a Data Protection Impact Assessment (DPIA).

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

Back to Top