EU Cloud Code of Conduct

EU Cloud Code of Conduct overview

The EU Cloud Code of Conduct (EU Cloud CoC), authored by SCOPE Europe, serves as the basis for implementing the GDPR Article 28 requirements for cloud providers acting as business-to-business processors under the GDPR. The European Data Protection Board (EDPB) has provided positive opinion for the EU Cloud CoC with final approval led by the Belgian Data Protection Authority.

Azure and EU Cloud CoC

Microsoft submitted to SCOPE Europe the Azure attestation of adherence to the EU Cloud CoC. In doing so, Microsoft relied on independent third-party audits that produce well-established certifications, which are foundational to Azure security and compliance:

An independent review by SCOPE Europe has demonstrated that Azure meets the EU Cloud CoC second level of compliance.

Applicability

  • Azure

Services in scope

The list of Azure services in scope can be found within the EU Cloud CoC Verification of Declaration of Adherence report, as referenced in the next section.

Audit reports and certificates

The Microsoft Azure EU Cloud CoC Verification of Declaration of Adherence report is available directly from the EU Cloud CoC list of adherent services (Verification ID: 2021LVL02SCOPE116).

Frequently asked questions

Why do GDPR codes of conduct matter?
Article 40 of the GDPR encourages the use of codes of conduct: The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small, and medium-sized enterprises.

Does adhering to the EU Cloud CoC mean my organization is GDPR compliant?
No. While the EU Cloud CoC can help your organization comply with the GDPR, you are responsible for engaging an assessor to evaluate your implementation for compliance, including the controls and processes within your own organization.

Can I use the Azure EU Cloud CoC as part of my organization’s GDPR compliance process?
Yes. If your business is seeking to document compliance with the GDPR, you can use the relevant Azure adherence in your compliance assessment. Because the EU Cloud CoC is approved by the EDPB, Azure customers can use Azure’s adherence to help demonstrate their own GDPR compliance, and cite it as a risk mitigating measure in a GDPR Data Protection Impact Assessment (DPIA).

Resources