Frequently Asked Questions

CISPE Code of Conduct, May 2021

What is the CISPE Data Protection Code of Conduct?

  • CISPE’s Code of Conduct for data protection supports the enforcement of the European Union’s General Data Protection Regulation (GDPR), specifically in fair and transparent data processing and protection.
  • The CISPE code describes best practice and sets out practical guidance in fair and transparent data processing and protection for cloud infrastructure service providers.
  • It allows cloud infrastructure service providers to raise the bar in data protection and, crucially, provide transparency to their customers by clearly defining the role, responsibilities and boundaries for both providers and customers for shared data protection duties.
  • In general, Codes of Conduct are regulated sector-specific guidelines drawn up by trade associations or representative bodies to help the application of the GDPR and operationalise data protection.
  • Declaring that a service adhering to a Code of Conduct provides assurance that that service supports relevant data protection requirements as described in the Code.
  • All Codes of Conduct must be approved by one data protection authority acting on behalf of the 27 other Authorities after a formal opinion from EDPB. On May 19, 2021, the EDPB and all national data protection authorities in Europe gave their greenlight to the CISPE Code of Conduct.
  • The French Data Protection Authority (CNIL) will formally adopt the ISPE CISPE Code of Conduct in June 2021.

Why is it important?

  • Growth, recovery and the creation of a vibrant digital economy in Europe all depend on trusted, safe and secure cloud environments. Data protection must be at the heart of the cloud.
  • Data protection must be assured at every level of the cloud. GDPR-compliant cloud services (including software-as-a-service SaaS, and consumer-facing apps) cannot be built if the GDPR compliance of the infrastructure services upon which they rely are not compliant.
  • The CISPE code specifically provides a practical framework with the objective of declaring GDPR- compliant infrastructure (IaaS) services. This will provide thousands of businesses across all sectors and of all sies with the confidence to build in the cloud using IaaS services declaring compliance with the CISPE Code of Conduct.

Who will use it and benefit from it?

  • The CISPE Code of Conduct is intended for those offering cloud infrastructure services. These are the businesses that provide the fundamental foundations of the cloud.
  • They will benefit from a clear approach to understanding how specific infrastructure services will comply with relevant GDPR aspects specified in the Code and will be able to declare individual services as conforming to the CISPE Code of Conduct.
  • These declarations will be certified and monitored by independent bodies accredited by the relevant Data Protection Authority to provide high levels of assurance and trust.
  • Customers of cloud infrastructure providers will be able to choose services which they know are compliant with the relevant aspects of GDPR as specified in the Code.
  • These customers, therefore, are also beneficiaries of the CISPE Code of Conduct as it provides a registry of declared services offering them choice of the IaaS services which better fit their data protection needs and control over how their customers’ data is processed.

Why declare a service under the CISPE Data Protection Code of Conduct?

The CISPE Code of Conduct offers three key aspects of specific value to cloud infrastructure vendors and their customers: Focus, Independence and choice over sovereignty.


  • The CISPE Code of Conduct is the first, and so far only, Code specifically written for cloud infrastructure providers.
  • By selecting CISPE Data Protection Code of Conduct declared services, IaaS customers are assured that they are using services that adhere to a Code specifically designed to help GDPR compliance of the cloud infrastructure. It creates the solid data protection foundations for the online services they wish to develop for their end-users.
  • The CISPE Code creates confidence that a certified IaaS service respects a framework which aids compliance with GDPR, as well as that declared services will never access, or use for their own purposes, any customer data collected.
  • Detailed understanding of the implications of data protection for cloud infrastructure services is needed to provide the assurance that vendors and customers require.


  • The value of declaring services is enhanced in the CISPE Code of Conduct by the complete independence of the Monitoring Bodies.
  • Those declaring services under the CISPE Code of Conduct will have a choice of several established monitoring bodies with international credibility and reputations for independence.
  • Prospective monitoring bodies which must be certified by the CNIL, include EY CertifyPoint, Bureau Veritas, Bird & Bird and LNE.


  • While not required for GDPR compliance, many European businesses and customers want to retain sovereignty over their data by ensuring that it remains within the EU.
  • The CISPE code gives IaaS customers explicit options to select services that enable data to be processed entirely within the European Economic Area.
  • The CISPE code also promotes data protection best practices core to the EU’s GAIA-X initiative to develop European cloud data services.