Skip to content
Guidance · EDPB ·162021-on-the-draft-decision-of-the-belgian EN LLM context A cited markdown file you can paste into your AI assistant (ChatGPT, Claude, a RAG or project knowledge base) to ground it in this document. Contains: this document’s text, its sections with their topics, and the full text of every law provision it applies. Everything links back to its source on overview.legal — legal information, not advice.

Opinion 16/2021 on the draft decision of the Belgian Supervisory Authority regarding the “EU Data Protection Code of Conduct for Cloud Service Providers” submitted by Scope Europe

Summary

Adopted Opinion 16/2021 on the draft decision of th e Belgian Supervisory Authority regarding the “EU Data Protection Code of Conduct for Cloud Service Providers” submitted by Scope Europe Adopted on 19 May 2021 2 Adopted 3 Adopted The European Data Protection Board Having regard to Article 63, Article 64(1) ( b ) and Article 4 0 of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of…

How it connects

Full text

Adopted Opinion 16/2021 on the draft decision of th e Belgian Supervisory Authority regarding the “EU Data Protection Code of Conduct for Cloud Service Providers” submitted by Scope Europe Adopted on 19 May 2021 2 Adopted 3 Adopted The European Data Protection Board Having regard to Article 63, Article 64(1) ( b ) and Article 4 0 of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”), Having regard to the European Economic Area (hereinafter “ EEA ”) Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018 1 , Having regard to Article s 10 and 22 of its Rules of Procedure . Whereas: (1) Member States, Supervisory Authorities , the European Data Protection Board and the European Commission shall encourage the drawing up of codes of conduct (hereinafter “code”) to contribute to the proper application of the GDPR 2 . (2) The main role of the European Data Protection Board (hereinafter “the EDPB”) is to ensure the consistent application of the GDPR when a supervisory authority (hereinafter “SA”) intends to approve a code of conduct that related to processing activities in s everal Member States (hereinafter “ transnational code”) pursuant to A rticle 40.7 GDPR and to the Board’s “Guidelines 1/2019 on Codes of Conduct and Monitoring bodies under Regulation 2016/679” (hereinafter the “Guidelines”) . (3) The EDPB welcomes and acknowled ges the efforts made by the associations and others bodies representing categories of controllers or processors to elaborate codes of conduct which are practical and potentially cost effective tools to ensure greater consistency among a sector and foster t he right to privacy and data protection of data subjects by increasing transparency. (4) This opinion aims to ensure the consistent application of the GDPR, including by the SAs , controllers and processors and to highlight the core elements which each code of conduct has to develop. (5) Taking into account the specific characteristics of the sector concerned, each code of conduct should be addressed individually and is without prejudice of the assessment of any other code of conduct. The EDPB recalls that Codes re present an opportunity to establish a set of rules which contribute to the proper application of the GDPR in a practical, transparent and potentially cost - effective manner that takes on board the specificities for a particular sector and/or its processing activities. (6) The EDPB underlines that codes of conduct are voluntary accountability tool s , and that the adherence to a code does not prevent SAs from exercising their enforcement power and prerogatives. (7) The present code is not a code of conduct according to A rticle 46(2)(e) meant for international transfers of personal data and therefore does not provide appropriate safeguards within the framework of transfers of personal data to third countries or intern ational organisations under the 1 References to “Member States” made throughout this opinion should be understood as references to “EEA Member States”. 2 Article 40(1) of the GDPR . 4 Adopted terms referred to in p oint (e ) of A rticle 46 (2). Indeed, any transfer of personal data to a third country or to an international organisation, shall take place only if the provisions of chapter V of the GDPR are respected. (8) The opinion of the EDPB shall be adopted, pursuant to Article 64(3) GDPR in conjunction with Article 10(2) of the EDPB Rules of Procedure, within eight weeks after the Chair has decided that the file is complete. HAS ADOPTED THE FOLLOWING OPINION : 1 SUMMA RY OF THE FACTS 1. In accordance with the cooperation procedure as set out in guidelines on codes of conduct 3 , the “EU Data Protection Code of Conduct for Cloud Service Providers” (“EU Cloud Code ” or “Code” ) was reviewed by the Belgian Supervisory Authority as the Competent Supervisory Authority (hereinafter the “CompSA”). 2. The EU Cloud Code has been reviewed according to the procedures set up by the EDPB. 3. The BE SA has submitted its draft decision regarding the EU Cloud Code , requestin g an opinion of the EDPB pursuant to Article 64(1)(b) GDPR on 29 February 2021. The decision on the completeness of the file was taken on 31 March 2021. 2 ASSESSMENT 2.1 The Code of conduct meets the needs of the secto r 2.1.1 P resentation of the sector 4. Cloud computin g consists of a set of technologies and service models that focus on the Internet - based use and delivery of IT applications, processing capability, storage and memory space. 5. The EU Cloud Code aims to contribute to the proper application of the GDPR, takin g into account the specific features of the cloud computing sector. 6. The term "cloud computing" covers a variety of very distinct service provision models such as Cloud Infrastructure as a Service Cloud (“IaaS”), Cloud Software as a Service (“ SaaS ”) and Clo ud Platform as a Service (“PaaS”). The term “IaaS” describes a situation in which a provider leases a technological infrastructure, i.e. virtual remote servers the end - user can rely upon in accordance with mechanisms and arrangements such as to make it simple, effective as well as beneficial to replace the corporate IT systems at the company’s premises and/or use the leased infrastructure alongside the corporate systems . When providing “ SaaS ”, a provider delivers, via the web, various application service s and makes them available to end - users. These services are often meant to replace conventional applications to be installed by users on their local systems; accordingly, users are ultimately meant to outsource their data to the individual provider. When p roviding “ PaaS ”, a provider offers solutions for the advanced development and hosting of applications. These services are usually addressed to market 3 Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/676 adopted by the EDPB on 4 June 2019. 5 Adopted players that use them to develop and host proprietary application - based solutions to meet in - house require ments and/or to provide services to third parties. 2.1.2 The code owner as a representative organisation 7. C odes of conduct must be submitted for approval to the supervisory authority which is competent in accorda nce with A rticle 55 of the GDPR . In case of transnational codes, w hen identifying the competent SA, some factors could be taken into account, for example, the location of the largest density of the processing activity or the location of the code owner’s headquarters. 4 8. The EU Cloud Code owner is “Sc ope Europe” a n on - p rofit a ssociation established in Belgium. 9. The code owner has identified the Belgian supervisory authority as the competent supervisory authority for the purposes of seeking approval of the Eu Cloud Code . The code owner has justified its choice in the code of conduct based on the fact that the code owner’s and monitoring body’s head quarters are based in Belgium. 10. I n accordance with Article 40 (2) GDPR, a code of conduct has to be prepared by associations or others bodies representing categ ories o f controllers or processors (code owners). Because the code owner plays a major role in ensuring consistency and harmonization of practices within the sector concerned by the code, it has to demonstrate to the CompSA that it is an effective represen tative organization. As such, as stated in the Guidelines, the code owner should be capable of understanding the needs of their members and define the processing activity or sector to which the code is intended to apply. 5 11. Recital 99 GDPR advises to consult during the process of drawing up a Code of Conduct with relevant stakeholders. A group of representatives from European and multinational cloud providers and customers, technical and legal experts, public administrations and others 6 , de veloped a first foundation of the Code and safeguarded the involvement of different stakeholders and interest groups from early on. The Code was handed over to the EU Cloud Code General Assembly in February 2017. 12. The EU Cloud Code represents several organ izations including cloud service providers and associations representing cloud service providers which constitute the General Assembly of the EU Cloud Code. 13. The code owner has demonstrated in the draft code that it is an effective representative body, capa ble of understand ing the needs of their members. 2.1.3 Processing Scope 14. The main objective of the EU Cloud Code is to concretize the legal requirements of Art. 28 GDPR and the relevant related articles of the GDPR . The EU Cloud Code is intended to address all service types of the cloud market (e.g. IaaS, PaaS, SaaS) and creates a “baseline for implementation of GDPR” for these services. Its purpose is to provide practical guidance and define specific requirements for the cloud service providers (“CSPs”). 15. The E U Cloud Code only applies to cloud services where the CSP is acting as a processor. It therefore does not apply to “business to consumer” (B2C) services or for any processing activities for which the CSP may act as a data controller. However, the C ode is a lso relevant for consumers who will get 4 See Appendix 2 to the Guidelines. 5 See para 22 of the Guidelines. 6 CSIG – Cloud Sel e ct Industry G roup - https://ec.europa.eu/digital - single - market/en/news/cloud - select - industry - group - csig - plenary - meeting . 6 Adopted additional guarantees of compliance when entrusting with their personal data a company which uses a processor which adheres to the C ode. 7 2.1.4 Territorial scope 16. The scope of the EU Cloud Code is transnational and is intended to apply across the EEA , as per A rticle 40 (7) GDPR . Scope Europe has identified all European Union and European Economic Area supervisory authorities as concerned SAs. 2.2 The code of conduct f acilitate s the effective application of the GDPR 17. T he E DPB Guidelines precise that Codes will need to specify the practical application of the GDPR and accurately reflect the nature of the processing activity or sector. They should be able to provide clear industry specific improvements in terms of compliance with data protection law . A code shall not just re - state the GDPR. Instead, it should aim to codify how compliance with the GDPR can be achieved in a specific, practical and precise manner . 8 Furthermore, the code has to provide sufficient appropriate safeg uards to mitigate the risk around data processing and the right and freedoms of individuals. 9 18. The EU Cloud Code contains both strict requirements particularizing the provisions of the GDPR mentioned in the “ Processing Scope ” section of the present Opinion and good practices currently followed by the sector. The Code aims to create comparability between different data processing practices in the cloud industry and improves upon the state of the art for data protection in this sector . 2.2.1 T he code a s a practical tool 19. The EU Cloud Code aims for all service types of the cloud market (e.g. IaaS, PaaS, SaaS) to concretize the legal requirements of Art. 28 GDPR and the relevant related articles of the GDPR . The C ode describes the rights and obligations of adhering CSP s on key principles of GDPR such as purpose limitations, data subject rights, transfers, security, auditing, liability, etc. 2.2.2 M atrix of requirement s 20. The Code consists of a set of requirements that CSPs have to implement to comply with the Code. 21. Those requi rements are supported by a “controls catalogue” helping to assess compliance with the requirements of the Code. The “controls catalogue” maps the requirements of the Code to auditable elements (“controls”), and also maps requirements of the Code to corresp onding provisions of the GDPR and relevant international standards, thus facilitating its application and interpretation and enabling implementation, monitoring and where required auditing. 22. The “controls” are to be read in conjunction with the “control gu idance” which give advice on how to implement the “controls”. 7 It shall be noted, that the adherence of a processor to the Code of Conduct does not entail an automatic recognition of compliance of the processing carried out by such processor nor waives the responsibility of the controller to ensure compliance for all the processing operations carried out on its behalf. In this particular case, the EDPB recalls that the Code of Conduct won’t apply to all the processing operations carried out on behalf of the controller, but only to the elements of Article 28 GDPR and r elated relevant articles . In addition, it shall be recalled that, in this case, the monitoring of the EU Cloud Code of Conduct is based on a service - level approach. Thus, members of the Code are not expected to adhere to the Code with regard to all the ele ments of all their processing activities, but they can declare which of their services are to be considered compliant with the Code. 8 Para 36 - 37 of the Guidelines . 9 Para 39 of the Guidelines . 7 Adopted 23. The Code develops requirements which are unambiguous, concrete, attainable and enforceable. All the requirements are consolidated in a control framework, which ensures transparency for all Code ’s members and data subjects. The EDPB welcomes the use of this kind of tool. 2.2.3 B inding nature of the Code 24. All provisions of the Code and the “controls catalogue” are binding, wherever the provisi ons make use of “shall”, “must” . Some provisions should be re garded as guidance, setting examples of good practices and are denoted by the use of the terms “should” or “may”. 2.2.4 The Code provides sufficient safeguards and added value 25. In line with the Guidelines 10 , a code of conduct must provide sufficient safeguards wh ile being adequately focused on particular data protection areas and issues in the specific sector to which it applies (“added value”). The EU Cloud Code provides sufficient safeguards by , for instance adopting the same terminology as the one used in the G DPR (Code, section 2) and providing complaint mechanism to data subjects (Code, s ection 7.8.2 ) . In terms of added value, the C ode provides guidance adapted to the sector on , among others, security measures, auditing requirements, data subject rights and tr ansparency requirement . 2.2.5 The Code as an accountability tool 26. The objective of the EU Cloud Code is to help CSPs to demonstrate compliance with A rticle 28 GDPR and make it easier and more transparent for customers to analyze whether cloud services are appropriate for their use case in line with A rticle 28.1 GDPR , which provides that controllers shall use only processors providing sufficient guarant ees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject , and A rticle 28.5 GDPR which states that the adherence of a processor to an approved code of conduct may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of A rticle 28 GDPR. 2.3 The code of conduct provides effective mechanisms for monitoring compliance with a code 27. A s per Article 40(4) of the GDPR and the Guidelines , 11 a code requires the implementation of suitable mechanisms to ensure that its rules are appropriately monitored and that efficient and meaningful enforcement measures are put in place to ensure f ull compliance. A code specifically needs to identify and propose structures and procedures which provide for effective monitoring and enforcement of infringements 2.3.1 A dherence to the Code 28. T he code has to detail an adhesion mechanism. 29. A n effective adhesion mechanism has to develop a process divided on three phases which coincide with the code of conduct “li fetime”. During the first phase , t h e mechanism must precise that the code member s must comply with all the Code requirements and that the monitoring body will assess the eligibility of candidate to the code. In a second phase, the mechanism shall describe how that monitoring is carried out on an ongoing basis and in a third phase on ad hoc basis. 12 T he EU Cloud Code develops an adhesion mechanism which fulfills the three phases of monitoring. 10 Para 3 6 of the Guidelines . 11 See para 40 of the Guidelines . 12 See para 70 of the Guidelines . 8 Adopted 2.3.2 The monitoring of the Code 30. The Guidelines indicate that a code will need to identify an appropriate body which has at its disposal mechanisms to enable that body to provide for the effective monitor ing of compliance with the code . 13 As per Article 41 (1) GDPR, T he monitoring body identified by the Code has to be accredited by the CompSA 14 . Consequently, the CompSA will act as a single point of contact with the code owner and the monitoring body. 31. The EU Cloud Code has appointed “Scope Europe ” as monitoring body in accordance with A rticle 41 of the GDPR. This monitoring body will be in charge of ensuring compliance of the members of the Code with the provisions of the EU Cloud Code and taking actions incl uding sanctions in case of infringement to the provisions of the EU Cloud Code . Decisions taken by the monitoring body relating to its monitoring function (for instance regarding the interpretation of the Code’s rules) shall not be submitted to another ent ity for approval. Indeed, the monitoring body has to be independent in its mission. 32. The EDPB acknowledge s that the EU Cloud Code contains a mechanism which enable s the monitoring body to carry out its monitoring functions, as per article 40 (4) of the GDPR. 33. Finally, the EDPB recalls that the code of conduct will not be operational before the designated monitoring body is accredited 2.3.3 S anction s 34. In accordance with article 40 (4) of the GDPR and the Guidelines, w ithout prejudice to the tasks and powers of the competent supervisory authority, the monitoring body designated by the code owner shall, subject to appropriate safeguards, take appropriate action in case s of infringement of the code by a controller or processor . Those sanctions range from non - public but formal reprimand to temporary or permanent revocation from the Code . The monitoring body commits to inform the competent supervisory authority about any r elated actions taken ( Code, section 7.9). 35. To ensure transparency to code members, the code shall include a list of corrective measures which must be applied by the monitoring body . For this purpose, t he EU Cloud Code dev elops an enforcement framework which determines the appropriate sanction to be followed by the monitoring body ( Code, section 7.9). 2.3.4 T he re v iew of the code 36. A s per A rticle 40 (2) of the GDPR and the Guidelines, the code sets out an appropriate review mechanism to ensure that the code re mains relevant to legal and technical standard s. In particular, s ection 8.2 of the EU Cloud Code provides that a regular review of the Code to reflect legal, technological or operational changes and best practices shall take place when appropriate . 13 See p ara 40 of the Guidelines . 14 In accordance with the consistency mechanism referred to in Article 63 of the GDPR, the EDPB adopted an Opinion 2 /2020 on the Belgium data protection supervisory authority draft accredit ation requirements for a code of conduct monitoring body pursuant to article 41GDP on 28 January 2020 . Th e monitoring body designated by the code owner of the EU Cloud Code will have to be accredited by the Belgian SA and therefore will have to demonstrate that it fulfills the requirements imposed by article 41 of the GDPR. 9 Adopted 3 CONCLU SIONS / RECOMMENDATI ONS 37. By way of conclusion, the EDPB considers that the draft code complies with the GDPR, since the EU Cloud Code fulfills the requirement s imposed by Article 40 and 41 GDPR . 38. Finally, the EDPB also recalls the provisions contained within A rticle 4 0 (5) GDPR, i n case of amendment or extension of the EU Cloud Code , the CompSA will have to submit the modified version to the EDPB in accordance with the procedures outline d in the G u idelines approved by the EDPB. 4 FINAL REMARKS 39. This opinion is addressed to the BE SA and will be made public pursuant to A rticle 64(5 )( b) GDPR. 40. According to Article 64 (7) and (8) GDPR, BE SA shall communicate its response to this opinion to the Chair withi n two weeks after receiving the opinion . 41. Pursuant to A rticle 70(1)(y) GDPR, the BE SA shall communicate the final decision to the EDPB for inclusion in the register of decisions which have been subject to the consistency mechanism. 42. As per Article 40 (8) GDPR, the Board shall submit this opinion to the European Commission. For the European Data Protection Board The Chair (Andrea Jelinek)

Similar Content