CISPE Data Protection Code of Conduct

The Cloud Infrastructure Service Providers in Europe Data Protection Code of Conduct (CISPE Code) is the first pan-European data protection code of conduct for cloud infrastructure service providers under Article 40 of the European Union’s General Data Protection Regulation (GDPR). It was approved by the European Data Protection Board (EDPB) in May 2021 and formally adopted by the French Data Protection Authority (CNIL) in June 2021.

The CISPE Code assures organizations that their cloud infrastructure service provider meets the requirements applicable to a data processor under the GDPR. This gives cloud customers additional confidence that they can choose services that have been independently verified for their compliance with the GDPR.

AWS adherence to the CISPE Code gives our customers additional assurances that AWS has implemented contractual and operational measures that meet the requirements applicable to a processor under Article 28 of the GDPR. AWS’ compliance with the CISPE Code has been verified by EY CertifyPoint, an external auditor accredited by CNIL as a Monitoring Body.

The CISPE Code goes beyond GDPR compliance by requiring cloud infrastructure service providers to give customers an option to store and process their data within the European Economic Area. Cloud infrastructure service providers must also commit that they will not access or use any customer data, except as necessary to provide and maintain the declared services. In particular, the cloud infrastructure service providers must commit to not use customer data for their own purposes, including for data mining, profiling or direct marketing.

The CISPE Code enables cloud customers to confidently select cloud infrastructure services that can be used in compliance with the GDPR. The CISPE Code assures organizations that their cloud infrastructure service provider meets the requirements applicable to a data processor under the GDPR. This gives cloud customers the additional confidence that they can choose cloud services independently verified for their compliance with the GDPR. AWS declared services under the CISPE Code because of the added assurance that it provides to our customers. The CISPE Code is the first pan-European data protection code of conduct focused on cloud infrastructure services, and is endorsed by the European Data Protection Board and approved by the French Data Protection Authority (CNIL), acting as the lead data protection authority.

Yes, AWS maintains a high bar of data protection and privacy controls outlined in the CISPE Code for all customer content.

EY CertifyPoint (EYCP) independently certified AWS services as complying with the CISPE Code. EYCP was the first "monitoring body" accredited by CNIL to verify cloud infrastructure provider's compliance with the CISPE Code. CNIL has since accredited several other monitoring bodies including Bureau Veritas and LNE. These are all internationally recognized independent auditors and certification bodies with proven experience in verifying companies’ compliance with data protection requirements.

The services declared as adherent to the CISPE Code are registered in CISPE Public Register as “Controlled Adherence”. For these services, AWS’s compliance with the CISPE Code’s requirements have been verified by EY CertifyPoint, an independent Monitoring Body accredited by CNIL. The AWS services that are in scope of the CISPE Code can also be found within AWS Services in Scope by Compliance Program.

AWS supports more security standards and compliance certifications than any other cloud provider, and we are continuously reviewing the needs of our customers as the regulatory environment evolves. The CISPE Code enables our customers to confidently select cloud infrastructure services that can be used in compliance with the GDPR and addresses our customers’ compliance requirements today.

The EU Cloud Code of Conduct is a different initiative, however, with similar considerations and approaches as the CISPE Code. While AWS believes that the CISPE Code is an excellent tool to demonstrate AWS’s GDPR related compliance and address the corresponding expectations of our customers, we will continue to review the needs of our customers as the regulatory environment evolves.