EU Cloud Code of Conduct
EU Cloud Code of Conduct overview
The EU Cloud Code of Conduct (EU Cloud CoC), authored by SCOPE Europe, serves as the basis for implementing the GDPR Article 28 requirements for cloud providers acting as business-to-business processors. The European Data Protection Board (EDPB) has issued a positive opinion on the EU Cloud CoC, and the Belgian Data Protection Authority, as lead supervisory authority, granted final approval.
Azure and EU Cloud CoC
Microsoft submitted Azure's declaration of adherence to the EU Cloud CoC to SCOPE Europe. The declaration relies on independent third-party audits behind well-established certifications that are foundational to Azure security and compliance:
- ISO/IEC 27001 – Information Security Management System
- ISO/IEC 27701 – Privacy Information Management System
- ISO/IEC 27018 – Cloud Privacy
An independent review by SCOPE Europe has confirmed that Azure meets the EU Cloud CoC second level of compliance, the level at which adherence is supported by existing independent third-party certifications such as those listed above.
Applicability
- Azure
Services in scope
The list of Azure services in scope is published in the EU Cloud CoC Verification of Declaration of Adherence report, referenced in the next section. Services not named in that report are not covered by the adherence.
Audit reports and certificates
The Microsoft Azure EU Cloud CoC Verification of Declaration of Adherence report is available directly from the EU Cloud CoC list of adherent services (Verification ID: 2021LVL02SCOPE116).
Frequently asked questions
Why do GDPR codes of conduct matter?
Article 40 of the GDPR encourages the use of codes of conduct: "The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises."
Does adhering to the EU Cloud CoC mean my organization is GDPR compliant?
No. The EU Cloud CoC addresses Azure's obligations as a processor under Article 28; it does not cover your own obligations as a controller or processor. While Azure's adherence can help your organization comply with the GDPR, you remain responsible for assessing your own implementation (or engaging an assessor to do so), including the controls and processes within your organization and the way you configure and use Azure services.
Can I use the Azure EU Cloud CoC as part of my organization’s GDPR compliance process?
Yes. If your business is seeking to document compliance with the GDPR, you can use the relevant Azure adherence in your compliance assessment. Because the EU Cloud CoC has received a positive EDPB opinion and formal approval from the Belgian Data Protection Authority, Azure customers can use Azure's adherence to help demonstrate their own GDPR compliance, and cite it as a risk-mitigating measure in a GDPR Data Protection Impact Assessment (DPIA). Check that the services you rely on appear in the Verification of Declaration of Adherence report before citing it.
Resources
- Azure compliance documentation
- Azure enables a world of compliance
- Compliance on the Microsoft Trust Center
- Microsoft Product Terms (formerly Online Services Terms)
- Microsoft Products and Services Data Protection Addendum (DPA)
- Service Trust Portal audit reports
- EU Cloud Code of Conduct
- SCOPE Europe