European Regulators Green Light Pioneering GDPR Compliance Code for Cloud Infrastructure

Download: as Word file
Also see: Approved Quotes from key supporters regarding the CISPE Data Protection Code of Conduct

Brussels, 20th May 2021Today, the European Data Protection Board (EDPB) comprised of all the European Data Protection Authorities (DPA) provided a favourable opinion that the CISPE Data Protection Code of Conduct complies with the General Data Protection Regulation(GDPR). Submitted by French DPA, CNIL, the CISPE Code is the first pan-European sector-specific code for cloud infrastructure service providers to reach this stage.

CISPE’s pioneering code helps organisations across Europe accelerate the development of GDPR compliant cloud-based services for consumers, businesses, and institutions. By selecting declared CISPE code-compliant services, IaaS customers are assured of trustworthy cloud infrastructures that adhere to data handling and storage practices in strict compliance with GDPR.

“GDPR was a welcome development, and the CISPE code brings clarity to its data protection requirements for cloud infrastructure providers,” says Alban Schmutz, President of CISPE (Cloud Infrastructure Service Providers in Europe), the industry association behind the code.

“The CISPE Data Protection Code of Conduct gives cloud service providers an approved framework to demonstrate full compliance of their certified cloud services, providing concrete examples of what they and their customers are expected to do to protect data under GDPR rules.”

CISPE’s Code of Conduct is unique in three important ways. It is the first, and currently only, code to focus exclusively on the Infrastructure-as-a-Service (IaaS) sector and address the specific roles and responsibilities of IaaS providers not represented in more general codes. The CISPE Code of Conduct creates confidence and trust amongst customers and their end users that a declared IaaS service is compliant with GDPR. It also assures them that cloud infrastructure service providers will only access or use customer data to maintain or provide the service and will not use customer data for marketing or advertising purposes.

While not required for GDPR compliance, many European businesses want to retain sovereignty over their data by ensuring that it remains within the EU. Uniquely, the CISPE Code of Conduct gives IaaS customers explicit options to select services that enable data to be processed entirely within the European Economic Area. As such the CISPE Code of Conduct also promotes data protection best practices which support the EU’s GAIA-X initiative to develop European cloud data services.

Compliance with the CISPE Code of Conduct is verified by independent, external auditors accredited by the relevant Data Protection Authority. Acting as “Monitoring Bodies” these strengthen the level of assurance provided by services certified under the code.The CISPE Code of Conduct offers a diverse portfolio of independent monitoring bodies allowing for a broad range of services and price points to suit the diversity of businesses in the burgeoning cloud infrastructure sector. GDPR compliance can be complex and expensive, especially for SMEs and start-ups. These organisations often rely heavily on IaaS and will widely benefit from the ease of use and cost-effectiveness of the CISPE Code of Conduct.

“CISPE was the first organisation in any industry to engage and work hand-in-hand with the regulator and EU institutions to define a code that goes beyond GDPR requirements to protect the interests of infrastructure providers, their customers, and end-users,” added Schmutz.

“The use of cloud infrastructure has become key for any business or public administration that wants to undergo digital transformation. It is crucial that their data is handled securely and in compliance with the GDPR,” commented MEP Eva Maydell. “This is why, since day one, I supported the CISPE Code of Conduct and I am very glad to see today that their consistent efforts pay off.”

Cloud service providers (CSPs) which adopt the CISPE Code of Conduct benefit from practical and operational guidance as well as being bound by a set of enforceable rules that ensure GDPR compliance for their services.

Final formal approval of the code will be given by the competent authority (the CNIL).


Additional quotes from  Cloud Infrastructure Providers, their customers and other stakeholders including prospective Monitoring Bodies are included in an appendix

The CISPE Data Protection Code of Conduct

CISPE’s Data Protection Code of Conduct for data protection supports the enforcement of the European Union’s General Data Protection Regulation (GDPR), specifically in data protection. The CISPE code describes best practice and sets out practical guidance so cloud infrastructure service providers can raise the bar in data protection and, crucially, provide transparency to their customers by clearly defining the role, responsibilities and boundaries for both providers and customer. Learn more at

What are codes of conduct?

Codes of conduct are regulated sector-specific guidelines drawn up by trade associations or representative bodies and taking into account the specific features of the various sectors and activities involved, as well as the particular needs of different sized businesses including micro, and small and medium-sized enterprises. Adhering to a Code of Conduct provides organizations across Europe with the ability to better operationalise data protection and demonstrate compliance with GDPR. Codes of conduct are approved by one data protection authority acting on behalf of the 27 other Authorities after a formal opinion from EDPB.

About CISPE: CISPE  is an association of cloud infrastructure service providers in Europe. CISPE has 34 members with global headquarters in 14 EU Member States. CISPE has developed the first GDPR code of conduct which encourages the storage and processing of personal data exclusively in Europe. Since 2017, with EuroCIO and then with CIGREF, CISPE has co-chaired the working group developing industry Codes of Conducts which facilitate and enable data portability. This was established by the European Commission within the framework of EU Regulations on the Free Flow of non-personal Data. In addition, CISPE is among the 22 founding members of the GAIA-X initiative and the convener of the Climate Neutral Data Centre Pact.

Contact: For all questions and to speak to CISPE or one of its member companies, please contact us here:  Tel +32 2 502 65 80