


The new CISPE Code of Conduct for cloud providers: what impact for Italian data controllers and processors?

published on 24 February 2022 | reading time approx. 5 minutes

The Cloud Infrastructure Services Providers in Europe (CISPE) Code of Conduct was recently adopted and represents the first Code of Conduct for IaaS cloud service providers, offering both GDPR compliance and choice for the data controllers to store and process data within the European Economic Area.

The CISPE Code, validated by the EDPB and approved by the French Data Protection Authority (CNIL), is the first Code of Conduct specifically designed for cloud infrastructure service providers (IaaS) and was recently adopted by several industry players such as Aruba, AWS (Amazon Web Services) and OVH Cloud.
The main purpose of the CISPE Code is to help organisations across Europe accelerate the development of GDPR-compliant cloud-based services, offering greater levels of compliance with data protection obligations.

The Codes of Conduct are self-regulatory tools provided for by art. 40 of the GDPR and represent important frameworks for "voluntary accountability".

In fact, Codes of Conduct are sector-specific tools that establish additional and specific data protection standards (beyond those set forth in the GDPR) in order to ensure better compliance with the GDPR. It is important to clarify that the provisions contained in Codes of Conduct are not binding and can only be used as guidelines for data controllers and processors in their vendor privacy assessment activities.

The purpose of the CISPE Code is to help cloud infrastructure service providers (CISPs) demonstrate compliance with Article 28 GDPR and to make it easier and more transparent for data controllers to analyse and assess whether cloud services are suitable for the processing of personal data that they wish to perform.

From this standpoint, the approved Code constitutes a valid industry standard for IaaS services, offering Italian companies a higher standard for assessing cloud providers.

In line with the obligations set forth in Article 28 of the GDPR, the CISPE Code provides a set of requirements for CISPs as data processors that include: i) appropriate technical security measures and ii) transparency requirements, aimed at ensuring better compliance with GDPR rights and obligations such as purpose limitation, data subject rights, data breach obligations, security, audit and accountability profiles.
The CISPE Code could therefore help Italian data controllers demonstrate that a CISP has implemented the appropriate technical and organisational measures required of a data processor.

In addition, some of the main features introduced by the CISPE Code (not contemplated by the GDPR) are that a Code-compliant CISP shall:
  1. ensure the processing of customer data exclusively in Europe: the CISPE Code aims to give customers the choice to use services that store and process customer data exclusively in the European Economic Area (EEA);
  2. ensure that customer data is not reused: Code-compliant CISPs guarantee that they will only access or use customer data to maintain or provide the service and will not use that data for other purposes such as data mining, marketing or advertising.

It’s well known that many European and Italian companies want to retain better control over their data by ensuring that it remains within the EU. In fact, an issue that is always very challenging for Italian and European companies that want to grow their business is deciding whether or not to transfer data outside the EU.
Due to the high cost in time, resources and burdens faced by companies that decide to transfer data outside the EU (such as drafting DTIAs, SCCs and other agreements with data processors and cloud providers), it is increasingly common for Italian companies to seek alternative solutions that do not involve extra-EU data transfers but still ensure high performance standards.

The CISPE Code of Conduct gives Italian companies explicit options to select services that allow data to be processed entirely within the European Economic Area, increasing the level of compliance that companies seek when deciding to enter into a contract with cloud providers.

However, since the CISPE Code does not impose any obligation on cloud providers to comply with it and, furthermore, since within an IaaS environment data protection compliance is a shared responsibility between the data controller and the CISP, it’s important to clarify that the Code does not replace a proper privacy assessment of the cloud provider.

The Code is not legal advice, and adherence to the Code does not guarantee a CISP’s compliance with applicable local law. In fact, when using any cloud infrastructure service, data controllers are strongly recommended to complete their own assessment, based on their specific processing activities and applicable local laws, including privacy regulations.

In conclusion, the new CISPE Code will make it easier for many Italian companies to carry out privacy assessments of cloud providers, particularly with regard to the issue of non-EU data transfers. However, since the CISPE Code has a transnational scope and is intended to apply throughout the EEA, it will always be appropriate to assess the privacy compliance of the cloud provider against the relevant Italian national law.
The aim of the CISPE Code is to help data controllers and data processors choose the right cloud infrastructure and to assist companies in such privacy assessments, but it can never replace them.

Contact: Stefano Foffani, Avvocato, Associate, Rödl & Partner Italy