Transnational Codes of Conduct: Ensuring consistency and data subject rights through co-regulation

Co-regulation is one of the key concepts of the General Data Protection Regulation (GDPR). The GDPR formalises a model in which controllers and processors voluntarily hold themselves accountable and demonstrate their compliance with data protection law. One of the most popular forms of co-regulation is the code of conduct, which helps to facilitate the effective application of the GDPR. The European Data Protection Board (EDPB) considers codes of conduct a practical and potentially cost-effective tool for ensuring greater consistency and fostering the right to privacy and data protection of data subjects whose data is processed by the members of the codes.

Therefore, the EDPB encourages associations or other bodies representing categories of controllers or processors to draw up codes of conduct. Moreover, the EDPB plays an active role in the approval process of transnational codes of conduct by ensuring the consistent application of the GDPR when a supervisory authority intends to approve a code that relates to processing activities in several Member States.

During its last plenary session, the EDPB issued two positive opinions on the first two transnational codes under the GDPR: the EU Data Protection Code of Conduct for Cloud Service Providers submitted by Scope Europe (EU Cloud Code) and the Code of Conduct for Cloud Infrastructure Service Providers submitted by Cloud Infrastructure Service Providers in Europe (CISPE). The code owners identified the Belgian supervisory authority (BE SA) and the French supervisory authority (FR SA) as the competent authorities. The code owners also demonstrated that they are effective representative organisations of the cloud industry.

It is interesting to note that the first two codes deal with cloud computing technology, which is widely used in the information society. In the opinion of the EDPB, both codes sufficiently take into account the specificities of the cloud computing sector. The EU Cloud Code covers processing by providers of all service types in the cloud market: the Infrastructure as a Service (“IaaS”), Software as a Service (“SaaS”) and Platform as a Service (“PaaS”) models, while the CISPE Code addresses the specific features of processing by IaaS providers. These codes aim to provide practical guidance and define specific requirements (i.e. under Art. 28 GDPR and the relevant related articles) for the processors that are subject to them. Thus, both codes apply only to situations where a cloud service provider is acting as a processor.

The Board considers that both documents fulfil the conditions set out in the GDPR. In particular, the codes develop requirements for their members that are unambiguous, concrete, attainable and enforceable. They also ensure transparency for all members of the codes and, of key importance, for data subjects.

With respect to the monitoring of compliance, both codes identify an appropriate body that is able to monitor compliance effectively. It should be noted that codes of conduct are not operational until the designated monitoring body has been accredited by the competent national supervisory authorities (in this case, the BE and FR SAs). From the EDPB's perspective, it is also crucial that the codes set out an appropriate review mechanism to ensure that the code remains up to date with legal and technical standards.

These codes will ensure greater consistency across the cloud sector and, due to their transnational nature, entities from across the European Economic Area (EEA) may adhere to them. As such, the codes will help uphold the data protection rights of data subjects across the EEA.

At the same time, it is important to underline that the codes assessed by the Board are not codes of conduct within the meaning of Article 46(2)(e) GDPR, i.e. they are not intended for international transfers of personal data and therefore do not provide appropriate safeguards for transfers of personal data to third countries or international organisations.

Both codes will undoubtedly contribute to a high level of protection of personal data in the cloud. At the same time, it is crucial to stress that, while adherence to a code may be used as an element to demonstrate compliance with data protection obligations, it does not prevent supervisory authorities from exercising their enforcement powers and prerogatives.

To learn more about codes of conduct, please consult the EDPB Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679.

The EDPB opinions on the first transnational codes are available here: Opinion 16/2021 on the draft decision of the Belgian Supervisory Authority regarding the “EU Data Protection Code of Conduct for Cloud Service Providers” submitted by Scope Europe (European Data Protection Board, europa.eu)

and here: Opinion 17/2021 on the draft decision of the French Supervisory Authority regarding the European code of conduct submitted by the Cloud Infrastructure Service Providers (CISPE) (European Data Protection Board, europa.eu)

For more information on the approval of the EU Cloud Code of Conduct, please consult the statement issued by the Belgian SA: https://www.dataprotectionauthority.be/citizen/the-be-dpa-approves-its-first-european-code-of-conduct

For more information on the CISPE Code of Conduct, please contact the French SA: https://www.cnil.fr/
