Cloud 101CircleEventsBlog
The CCSK v5 and Security Guidance v5 are now available!

GDPR Compliance with EU Cloud Code of Conduct

Unlocking GDPR-Compliant Cloud Services with CSA and EU Cloud CoC

Illustration: EU Cloud Code of Conduct

The Cloud Security Alliance (CSA) has partnered with the EU Cloud Code of Conduct (EU Cloud CoC), a pioneer initiative setting market standards for robust data protection across the cloud sector. Starting January 2024, the CSA community will gain access to an approved and European Data Protection Board (EDPB)- endorsed GDPR compliance solution designed for cloud, replacing the CSA GDPR Code of Conduct.

This initiative is a pivotal resource for cloud users, granting them a broad overview of the available cloud offerings through the CSA STAR Registry. It equips them to make informed decisions when selecting cloud services, taking into account high standards for GDPR compliance. With a strong commitment to best practices in compliance and driven by abundant synergies, the collaboration's ultimate goal is the continuous development of robust, cloud-specific instruments, ensuring a secure and reliable cloud computing environment for businesses globally.

Learn more

Streamlining GDPR

Navigating GDPR compliance is challenging, however the EU Cloud CoC provides a strategic avenue for organizations to:

Take Action: Translate GDPR mandates into actionable steps.

Showcase Compliance: Adhere to a cloud-specific compliance tool fit to all service layers and endorsed by European data protection authorities.

Mitigate Legal Uncertainties: Significantly reduce the risk of fines and legal repercussions.

Build Customer Trust: Demonstrate your commitment to GDPR compliance and foster trust in your cloud services.

Path to Compliance and the STAR Registry

To display your GDPR compliance efforts in the CSA STAR Registry and reinforce commitment to industry best practices, check the following scheme to navigate our collaboration framework:

  1. Engagement with EU Cloud CoC: Companies interested in compliance with the Code shall engage directly with the EU Cloud CoC via its dedicated page, which displays all the necessary information to kick-off the process. All additional instructions for the submission and assessment processes will be provided by SCOPE Europe.
  2. Receiving the Code's Compliance Mark: Upon successful completion, the Monitoring Body grants the company with the EU Cloud CoC Compliance Mark and has its adherence listed in the EU Cloud CoC Public Registry.
  3. Inclusion in the STAR Registry: All cloud services that have successfully adhered to the EU Cloud CoC will also be displayed in the STAR Registry.

Note: The submission to the STAR Registry is exclusively managed by the SCOPE Europe as the EU Cloud CoC's Monitoring Body. Direct submissions from the cloud service provider are not accepted by CSA.

Get Started

Driving Trust with EU Cloud CoC

This collaboration is driven by the shared mission of establishing effective standards within the cloud industry. The EU Cloud CoC and CSA are combining their expertise to foster trust and facilitate the global dissemination of cloud services. This joint effort empowers the CSA community to declare adherence to the EU Cloud CoC through a dedicated framework.


STAR and EU Cloud CoC

Adherence to the EU Cloud CoC will be displayed on the CSA STAR Registry, where it will be replacing the CSA CoC for GDPR Compliance. The partnership with EU Cloud CoC gives STAR Program members the opportunity to extend the scope of their assurance, governance and compliance programs to GDPR. The collaboration has ambition to jointly set new standards for Privacy as it relates to cloud computing.

CSA Cloud Controls Matrix Logo

CCM and EU Cloud CoC

The EU Cloud CoC establishes a set of requirements that every cloud service should comply with to fulfill GDPR obligations, encompassing cybersecurity-related requirements. The Cloud Controls Matrix (CCM) serves as the tool to showcase adherence to the essential cybersecurity requirements outlined in the GDPR and the EU Cloud CoC.

Frequently Asked Questions

What was the discontinued CSA GDPR Code of Conduct, and how did it relate to PLA?

The CSA Code of Conduct for GDPR Compliance (CSA CoC) was developed by CSA to address GDPR compliance for Cloud Service Providers (CSPs) and Cloud Customers. The primary goal was to offer a solution for GDPR adherence while establishing transparency guidelines for the data protection levels provided by CSPs. Recognized as a "draft" Code of Conduct in accordance with Article 40 of the GDPR, the CSA CoC was comprised of two key Technical Components:

  1. Privacy Level Agreement (PLA): Serving as a technical standard, PLA outlines the requirements in the GDPR.
  2. And the adherence mechanisms associated with the CoC.

What does this mean for the CSA CoC for GDPR Compliance and the customers currently aligned with our Code?

The CSA CoC for GDPR Compliance will be discontinued, and we are no longer accepting new submissions, effective immediately. Cloud providers aligned with this standard will continue to be listed on the STAR Registry until the natural expiration of their code's validity period. Following this, we strongly recommend transitioning to the EU Cloud CoC as a replacement for the CSA CoC.

As a CSA Corporate or STAR Registry member, what are the advantages of this collaboration?

The collaboration between CSA and the EU Cloud CoC offers a streamlined GDPR compliance solution recognized and approved by European Authorities for organizations seeking adherence. Moreover, CSA Corporate and STAR Registry members can declare compliance under the EU Cloud CoC, enjoying a cost-effective process without the obligation of joining the EU Cloud CoC, thereby benefiting from a discounted rate on standard CoC adherence costs.

Who can declare adherence to the EU Cloud CoC via this collaboration?

Any Cloud Service Provider that is either a CSA Corporate Member or STAR Registry Member can declare adherence to the EU Cloud CoC via this collaboration.

How can the CSA Members declare adherence to the EU Cloud CoC?

Any interested Cloud Service Provider that wishes to obtain the EU Cloud CoC Compliance Mark must go through the assessment of the Code's accredited Monitoring Body (SCOPE Europe). The Declaration of Adherence is service-based, and shall be submitted via the the dedicated landing page.

Note that in order to declare services adherent to the Code through this collaboration, Cloud Service Providers must indicate their CSA membership category.

Who verifies adherence with the EU Cloud CoC?

According to the GDPR, compliance with an approved code of conduct must be overseen by an accredited Monitoring Body. SCOPE Europe is the accredited Monitoring Body of the EU Cloud CoC, and therefore responsible to verify compliance with the Code.

How does the adherence process work?

The Cloud Service Provider wanting to adhere to the EU Cloud CoC must submit its Declaration of Adherence form via EU Cloud CoC here. Following the submission of the Declaration of Adherence, the Code's Monitoring Body (SCOPE Europe) will transfer the given declaration into an online ticket and response system by which the process will be further governed.

What is the relation between CSA PLA and EU Cloud CoC?

The CSA Code of Conduct for GDPR Compliance (CSA CoC) was developed by CSA with the aim of providing CSPs and Cloud Customers a solution for GDPR compliance and to provide transparency guidelines regarding the level of data protection offered by the CSP. The CSA CoC qualified as a “draft” Code of Conduct pursuant to Article 40 GDPR.

The CSA CoC is based on two major Technical Components. Privacy Level Agreement (PLA) Control Specifications (which is a technical standard that specifies the requirements included in the GDPR), and the Adherence Mechanisms associated with the CoC. The PLA Control Specifications have been developed by the CSA PLA Working Group since 2013.

The PLA is structured to help CSPs, Cloud Customers, and potential Cloud Customers manage the implications of the EU data protection regime.


Related Resources