The European Data Protection Committee (EDPS), made up of all the European data protection authorities, has today issued a favorable opinion on the compliance of the CISPE Code of Conduct with the General Data Protection Regulation (GDPR). The work was initiated in 2016.
“This is the first code to focus exclusively on the cloud infrastructure sector (Infrastructure-as-a-Service [IaaS]) and to cover the specific roles and responsibilities of IaaS providers,” says CISPE (Cloud Infrastructure Service Providers in Europe), whose members include European hosting providers as well as AWS. This will create confidence for customers and their users that a declared IaaS service complies with the GDPR.
The CISPE Code of Conduct provides IaaS clients with service selection options that allow data to be processed entirely within the European Economic Area.
Consequences in the event of a compliance problem
It also ensures that cloud infrastructure service providers will perform data processing limited to only what is necessary to maintain or provide the service. And that they will not use their customers’ personal data for marketing or advertising purposes.
The ambition of this code of conduct is to help organizations across Europe accelerate the development of GDPR-compliant cloud-based services for consumers, businesses and institutions. On the customer side, choosing a cloud host that adheres to this code of conduct should allow the customer, in the event of a compliance problem, to demonstrate its good faith to the judge. That is enough to reduce the fine from 4% of turnover to 2% if the argument of good faith is accepted, says Alban Schmutz, president of CISPE and also VP public affairs of OVHcloud.
Finally, compliance with the CISPE Code of Conduct is verified by independent external auditors approved by the competent Data Protection Authority. Acting as “Control Bodies”, they reinforce the level of reliability of the services certified under the code.
“By choosing services declared to comply with the CISPE code, IaaS customers are assured of having reliable cloud infrastructures for the processing and storage of personal data in strict compliance with the GDPR,” CISPE adds.
“Today, the CISPE code of conduct on data protection is becoming a reference tool for the entire cloud ecosystem: starting with cloud providers wishing to demonstrate their compliance with the GDPR, especially in the Gaia-X framework. It will also be a reference for the ecosystem of European users wishing to identify infrastructures entirely hosted and operated in Europe, without reuse of their data. This code plays a key role in the construction of a strong European sovereign cloud,” declares Michel Paulin, CEO of OVHcloud.