The CNIL approves the first European code of conduct for cloud infrastructure service providers (IaaS)

11 June 2021

This code, submitted by Cloud Infrastructure Service Providers Europe (CISPE), is focused on cloud infrastructure service providers in the European Union. It brings an operational dimension to European and national data protection principles.

What is a code of conduct?

A code of conduct is an instrument of the GDPR to help professionals in meeting their operational compliance needs. In particular, it contributes to demonstrate compliance with the GDPR and sends a positive signal to customers and professionals of the concerned sector of activity.

A GDPR code of conduct is binding on those who adhere to it. It requires its members to comply with the rules enshrined in the code and to accept that a third party monitors its correct application (except for the codes of conduct applying to public bodies).

In order to assist professionals, the CNIL offers practical guidance to help them understand and submit a national or European code.

The first European code of conduct approved by the CNIL

Cloud Infrastructure Service Providers Europe is the European association of Cloud Infrastructure Service Providers that has taken the initiative to develop this first European code of conduct specifically dedicated to this category of contractors ("Infrastructure as a Service" or "IaaS").

A code of conduct is a compliance instruments: it helps members to demonstrate that they meet the requirements of Article 28 of the GDPR, which requires data controllers to use only contractors who provide sufficient guarantees regarding the implementation of appropriate technical and organisational measures. Adherence to this code of conduct may serve as a means to demonstrate the existence of these asfeguards.

Moreover, the code of conduct supported by CISPE will facilitate compliance in this sector of activity: it provides both a methodology and practical solutions to the problems identified by the concerned professionals. It thus gives an operational dimension to data protection principles set out in national and European law. It also provides a detailed description of all good practices in the sector.

As a vector of legal certainty, the code of conduct helps to create a climate of trust.

The role of the CNIL

Throughout the development of its project, the code owner benefited from advice and an in-depth analysis of both the conditions for admissibility and the compliance of the code's content with the requirements of the GDPR.

The CNIL also acted as an intermediary between the other data protection authority and the code owner during the European cooperation phase.

Codes of conduct are new instruments of the GDPR. They provide simple and concrete answers to those who are not legal experts, with a view to harmonizing sectorial practices and enhance collective maturity. Organisations wishing to develop such a project can count on the support of the CNIL, which has set up a dedicated department to assist them.

Marie-Laure DENIS, chair of the CNIL

What does the code of conduct contain?

The code of conduct is divided into five parts:

  • a first part that specifies the geographical and material scope of the code of conduct (in which countries it applies and what it covers);
  • a second part which develops the data protection requirements;
  • a third part that addresses the requirements for transparency of security measures;
  • a fourth part which specifies the modalities for adherence to the code of conduct;
  • a fifth part which sets out the governance of the code of conduct.

Each part provides practical explanations of the issues faced by the industry and provides concrete examples to help code members understand their data protection obligations.

In addition, the code of conduct includes several annexes, including

  • an appendix listing technical and organisational good practices in terms of security;
  • an annex listing the compliance criteria and  several recommendations explaining how they should be documented;
  • a model declaration of adherence;
  • a model for notification of a data breach.

This code of conduct is not intended to regulate data transfers outside the European Union. It contains a reminder of the obligations of organisations in this respect. In addition, it provides that members of the code must offer their customers the possibility to store and process their data exclusively within the European Economic Area.

Read more: transfering data outside the EU and invalidation of the “Privacy Shield”: the first answers of the EDPB to the frequently asked questions

How is the proper application of the code of conduct monitored?

The effectiveness of the code of conduct is ensured by the intervention of a body in charge of monitoring the proper application of the code and which will be accredited by the competent supervisory authority. This is a control mechanism designed by CISPE and is linked to the governance of the code. It is not to be confused with the inspection missions of the CNIL.

The code of conduct supported by CISPE identifies several bodies responsible for monitoring the proper application of the code of conduct by its members.  All these bodies may only carry out their monitoring mission after having submitted an application for accreditation to the CNIL. If the requirements of the accreditation guidelines are met, accreditation will then be granted by the CNIL.

In practice, the CISPE code of conduct will be operational as soon as one of these monitoring bodies is accredited by the CNIL.


Adherence to a code of conduct does not mean compliance with the GDPR. Indeed, the approval of the code of conduct by the CNIL is without prejudice of the application that will be made in practice by the members.