CISPE, the industry association of cloud infrastructure service providers in Europe, has issued its first data protection certificates to Aruba, AWS, Elogic, Leaseweb, Outscale and OVHCloud.

The CISPE code (the 'Code of Conduct for Data Protection') was validated by the European Data Protection Board (EDPB) and approved by the French Data Protection Authority (CNIL). It is the first code of conduct specifically designed for cloud infrastructure providers under the European General Data Protection Regulation (GDPR).

Independent monitoring

Bureau Veritas, LNE and EY CertifyPoint are three independent monitoring organizations accredited by the CNIL, and all services must be verified by one of them. Cloud infrastructure customers benefit from the controlled adherence of independent monitoring bodies when developing GDPR compliant services.

“Our members are focused on helping organisations of all types to build and deliver cloud-based applications and services with confidence in their data protection credentials,” said Alban Schmutz, chairman of CISPE. “Our work in defining the CISPE code provides an enhanced level of GDPR assurance to any customers, from SMEs to major corporations, using CISPE Code Compliant services.”

Automated compliance

This code of conduct plays an important role within the Gaia-X project. GAIA-X is a proposal for the next generation of data infrastructure: an open, transparent and secure digital ecosystem, where data and services can be made available, collated and shared in an environment of trust. This project aims to develop digital transparency and trust through automated compliance. Together with Gaia-X's CTO office, CISPE developed a data protection code of conduct that establishes verifiable credentials according to the W3C standard. As a result, Gaia-X can automatically verify compliance with data protection and data location provisions.

Photo credit: Markus Spiske