Newly Approved GDPR Code of Conduct for SaaS and Cloud Service Providers

The Belgian Data Protection Authority has approved a first-of-its-kind GDPR Code of Conduct for cloud service providers acting as data processors. The Code of Conduct will be administered by Scope Europe, a Belgian company. It is aimed at companies providing cloud-based Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), or Software-as-a-Service (SaaS) that wish to be accredited to the Code of Conduct as a means of demonstrating their compliance with the GDPR’s rules applicable to processors.

The Code of Conduct covers various obligations that the GDPR imposes on data processors, such as the use of sub-processors, the obligation to appoint an EU representative and a DPO, assistance with personal data breaches, records of processing activities, information security, the contractual relationship with the customer (the controller), cross-border data transfers, and more.

The Code of Conduct offers service providers three levels of compliance, which correspond to three levels of evidence submitted to Scope Europe. The first level is verification by documents submitted to Scope Europe. The second level is hybrid verification, partially by third-party audits against comparable international standards and partially by documents submitted to Scope Europe. The third level is complete verification by third-party audits against comparable international standards.

CLICK HERE to read the Belgian Data Protection Authorities’ decision approving the Code.

CLICK HERE to read the European Data Protection Board’s decision supporting the Code.