New compliance mark establishes data protection standards and practices to protect customer data and comply with European law
Brussels, 14th February 2017. The Cloud Infrastructure Services Providers in Europe (CISPE), a coalition of cloud computing leaders serving millions of European customers have declared that over 30 services comply with the CISPE Data Protection Code of Conduct. Cloud infrastructure services declared today are operated in datacenters located in the following European countries: Bulgaria, Finland, France, Germany, Ireland, Italy, The Netherlands, Spain, and The United Kingdom.
The purpose of the CISPE Code of Conduct is to help cloud customers ensure that their cloud infrastructure provider is using appropriate data protection standards to protect their data consistent with Europe’s current Data Protection Directive and the General Data Protection Regulation ('GDPR') that will come into force in May 2018. Cloud providers adhering to the Code must give customers the choice to store and process their data entirely within the European Economic Area. Providers must also commit that they will not access or use their customers' data for their own purposes, including, in particular, for the purposes of data mining, profiling or direct marketing.
All cloud infrastructure services that comply with the CISPE Data Protection Code of Conduct are available on the CISPE Public Register: www.cispe.cloud/PublicRegister and will be easily recognized with the following compliance mark.
Companies declaring compliance with the CISPE Code of Conduct requirements represent a group of leading cloud infrastructure providers operating in Europe: 1&1, Amazon Web Services (AWS), Aruba, DADA, Daticum, Gigas Hosting, Ikoula, LeaseWeb, Outscale, OVH, Seeweb, SolidHost and UpCloud, with more to be announced soon. CISPE is currently reviewing the declarations it has received and will update the CISPE Public Register in due course.
The CISPE Data Protection Code of Conduct provides a data protection compliance framework that makes it easier for customers to assess whether cloud infrastructure services being offered by a particular provider are suitable for the processing of personal data they wish to perform and for them to comply with their current obligations and those coming under the GDPR. Its purpose is to facilitate the proper application of the new European rules on data protection from the GDPR. CISPE members share the GDPR’s objectives of strengthening citizens’ fundamental rights in the digital age and are therefore proactively outlining best practices ahead of the GDPR coming into force next year.
Alban Schmutz, Chairman of CISPE and OVH Vice-President, says: “Today marks a major step forward for Data Protection in Europe. Any customer will know that if their Cloud Infrastructure Provider is complying with the CISPE Code of Conduct, their data will be protected to clear standards. CISPE Code of Conduct provides Europeans with the confidence that their information will not be used for anything other than what they stipulate. The CISPE compliance mark clearly addresses this, providing consistency across Europe, what European customers call for.”
“The CISPE Data Protection Code of Conduct is a responsible joint undertaking from representatives of a key economic enabler for Europe, the cloud infrastructure services industry, to anticipate the application of the GDPR” said Michal Boni, Member of the European Parliament. “It is crucial and important that cloud services must offer security and reliability commensurate to the increased risks flowing from the concentration of data. Europe should take the lead in promoting standards and specifications supporting privacy-friendly, reliable, highly interoperable, secure and energy-efficient cloud services, as an integral part of the European Cloud Initiative. Reliability, security and protection of data are needed for consumer confidence and competitiveness.”
The Code can be used as a tool by customers in Europe to assess if a particular cloud infrastructure service provides appropriate safeguards for the processing they wish to perform.
Company Executives testify their engagement behind the CISPE Code of Conduct:
“Right from the start, we set ourselves the goal of offering cloud services which could guarantee the security and protection of the data that we host. We were among the first to design a model by which customers could select the country in which to activate the servers and host their data”, said Stefano Cecconi, CEO of Aruba S.p.A. “And today, these guarantees of data security and protection are in fact certified by the compliance of Aruba Cloud IaaS services with all the requirements set out by the CISPE Code of Conduct.’’
“The CISPE Data Protection Code of Conduct will be another powerful tool in the hands of our customers to help them comply with Europe's data protection requirements. Our compliance with the Code will add to the long list of international recognized certification and accreditations AWS already has today, including ISO 27001, ISO 27018, ISO 9001, SOC 1, 2, 3, PCI DSS Level 1 and many more,” said Steve Schmidt, Chief Information Security Officer, Amazon Web Services.
“With the adherence to this Code, we demonstrate that we are fully prepared to take all regulatory perspectives on the subject into account” said Georgi Tsekov, Daticum Sales Director.
“At Gigas, the first cloud computing Spanish representative within the European Association CISPE, we are taking a step forward in our commitment to transparency and total privacy of our customers' data. Being aware that such privacy is critical for both public administrations and private companies, we anticipate the requirements of the EU's General Regulation on Data Protection,” confirms Diego Cabezudo, Gigas CEO.
“The CISPE Code of Conduct is a giant leap towards the acknowledgement of all the efforts that the EU Privacy and the European cloud providers have put to support the rights of citizens and their privacy. EnterCloudSuite is one of the leading Italian and European IAAS providers and it was entirely designed with the EU regulation in mind, since the beginning in 2013. When the EU in 2015 appointed us as the official public IAAS provider for the 52 institutions we understood that being supportive to the EU regulation was key to be competitive in this market” said Mariano Cunietti, CTO of Enter.eu.
“A common base was necessary to anticipate the evolutions of the data protection legislation. With the CISPE Code of Conduct, the major European infrastructure providers are now unified to defend high standards in customers’ data storage and process. We are proud to be part of this association which gives strength to the values we stand for,” Jules-Henri Gavetti, CEO, and Founder of Ikoula.
“LeaseWeb, the largest IAAS hosting supplier in the Netherlands and one of the largest providers in Europe, wishes to make crystal clear to our customers, business partners and privacy authorities how our data processing roles and responsibilities are secured fulfilled the GDPR. We have an outstanding level of security and want to establish this by participating in the self-regulatory CISPE” said Con Zwinkels, CEO and Founder of LeaseWeb Global.
“As our customers are our assets, we deem that preserving their data is the most important part of our industrial mission. We need to take care of such data and value each little aspect related to security, privacy, data protection and so on through certified data centers, certified personnel and certified processes. Joining CISPE has been a very important milestone for us. The adherence to “CISPE Code of Conduct” represents a great added value that we offer to our customers and to the market” said Antonio Baldassarra CEO of Seeweb.
“Infrastructure-as-a-Service players joining forces in CISPE, along with its Code of Conduct, is a great leap for the evolution of the Internet as a whole. We consider it very important to respect the original values of the Internet, which initially started out as an open, collaborative effort” said André van Vliet, CEO of SolidHost . “Ultimately we all rely on trust and security, and we need to continuously strive to grow in that direction. The CISPE Code is a great enabler to make this happen.”
“UpCloud has always valued customers’ privacy issues to a high standard and thus it is natural for us to be one of the first infrastructure providers in Europe to promote CISPE Code of Conduct for proper GDPR compliance in our industry” said Antti Vilpponen, CEO of UpCloud.
“Our commitment to the customer's delight inspires us to offer innovative solutions that anticipate the needs of the market also in terms of security and transparency of our services. Our goal is to continue to grow with them as an international leader providing professional services for increasing trust and efficiency on the Internet” said Claudio Corbetta, CEO of DADA Group.
CISPE is an association of cloud infrastructure services providers operating in Europe. The association is open to all companies, no matter where they are headquartered, provided they declare that at least one of their cloud infrastructure services meets the requirements of the CISPE Data Protection Code of Conduct.