The EU Data Protection Code of Conduct for Cloud Service Providers

21 settembre 2021

The EDPB adopted Opinion 16/2021 on the draft decision of the Belgian Supervisory Authority regarding the “EU Data Protection Code of Conduct for Cloud Service Providers” submitted by Scope Europe.

The main objective of the EU Cloud Code is to concretize the legal requirements of Art. 28 GDPR and the relevant related articles of the GDPR. The EU Cloud Code is intended to address all service types of the cloud market (e.g. IaaS, PaaS, SaaS) and creates a “baseline for implementation of GDPR” for these services. Its purpose is to provide practical guidance and define specific requirements for the cloud service providers (“CSPs”). 

As known, Cloud computing consists of a set of technologies and service models that focus on the Internet-based use and delivery of IT applications, processing capability, storage, and memory space. 

The term "cloud computing" covers a variety of very distinct service provision models such as Cloud Infrastructure as a Service Cloud (“IaaS”), Cloud Software as a Service (“SaaS”), and Cloud Platform as a Service (“PaaS”). The term “IaaS” describes a situation in which a provider leases a technological infrastructure, i.e. virtual remote servers the end-user can rely upon in accordance with mechanisms and arrangements such as to make it simple, effective as well as beneficial to replace the corporate IT systems at the company’s premises and/or use the leased infrastructure alongside the corporate systems. When providing “SaaS”, a provider delivers, via the web, various application services and makes them available to end-users. These services are often meant to replace conventional applications to be installed by users on their local systems; accordingly, users are ultimately meant to outsource their data to the individual provider. When providing “PaaS”, a provider offers solutions for the advanced development and hosting of applications. These services are usually addressed to market players that use them to develop and host proprietary application-based solutions to meet in-house requirements and/or to provide services to third parties. 

The EU Cloud Code only applies to cloud services where the CSP is acting as a processor. It, therefore, does not apply to “business to consumer” (B2C) services or for any processing activities for which the CSP may act as a data controller. However, the Code is also relevant for consumers who will get additional guarantees of compliance when entrusting with their personal data a company that uses a processor which adheres to the Code .

Archivio news

 

News dello studio

giu23

23/06/2025

Cyberbullismo

Pubblicata in Gazzetta Ufficiale la Legge 17/05/2024, n. 70,Disposizioni e delega al Governo in materia di prevenzione e contrasto del bullismo e del cyberbullismo (Pubblicata nella Gazz. Uff. 30 maggio

giu23

23/06/2025

L'estate e la tutela degli animali

Pubblicata in Gazzetta Ufficiale la legge 82/2025 recante Modifiche al codice penale, al codice di procedura penale e altre disposizioni per l'integrazione e l'armonizzazione della disciplina in materia

giu23

23/06/2025

Disciplina del D.Lgs. 231/2001 e società di capitali unipersonali

Con ricorso alla Corte di Cassazione veniva impugnata lasentenza del 22/4/2024 della Corte d'Appello di Trieste, in riforma della sentenza del Tribunale di Gorizia del 13/4/2022, denunciando inter alia

News Giuridiche

lug5

05/07/2025

RC Professionale Avvocati, nuova convenzione CNF dal 1° giugno 2025

L'iniziativa risponde alle mutate esigenze

lug4

04/07/2025

Monopattini elettrici: targa obbligatoria, multe fino a 400 euro

Il Ministero Infrastrutture e Trasporti

lug4

04/07/2025

La trasparenza amministrativa nell’ordinamento italiano

Dal modello settoriale a quello sistemico.