2.g. code of conduct - 27 january 2017 - cispe · pdf filecispe - january 2017 1 data...

CISPE-January2017

1

DataProtection

CodeofConductforCloudInfrastructureServiceProviders

27JANUARY2017

CISPE-January2017

2

Introduction.....................................................................................................................3

1 StructureoftheCode................................................................................................5

2 Purpose....................................................................................................................6

3 Scope........................................................................................................................7

4 DataProtectionRequirements..................................................................................94.1 ProcessingPersonalDatalawfully...............................................................................104.2 ContractualtermsandconditionsoftheCISP’sservices..............................................114.3 Security.......................................................................................................................124.4 Transferofpersonaldatatothirdcountries................................................................134.5 Sub-processing............................................................................................................144.6 Demonstratingcompliance.........................................................................................164.7 DataSubjectrequests.................................................................................................184.8 CISPpersonnel............................................................................................................184.9 Lawenforcement/governmentalrequests..................................................................194.10 Databreach................................................................................................................204.11 Deletionorreturnofpersonaldata.............................................................................21

5 TransparencyRequirements...................................................................................225.1 AServiceAgreementthataddressesthedivisionofresponsibilitiesbetweentheCISP

andtheCustomerforthesecurityoftheservice.....................................................................235.2 Ahighlevelstatementonthesecurityobjectivesandstandardsthatapplytothe

service 235.3 Informationonthedesignandmanagementoftheservice.........................................235.4 InformationvalidatingtheriskmanagementprocessesandcriteriaoftheCISP..........245.5 InformationonthesecuritymeasuresimplementedbytheCISPfortheservice..........245.6 AssurancedocumentationcoveringtheCISP'sinformationsecuritymanagement

system25

6 Adherence..............................................................................................................266.1 DeclaringaserviceadherenttotheCode....................................................................266.2 ComplianceMarks......................................................................................................29

7 Governance............................................................................................................307.1 GovernanceStructure.................................................................................................307.2 ComplaintsandEnforcement......................................................................................317.3 ReviewoftheCodeandGuidelines.............................................................................32

ANNEXA:SecurityResponsibilitiesANNEXB:TemplateDeclarationofAdherence

CISPE-January2017

3

IntroductionCloudcomputingservicesprovidebenefitstopublicandprivatesectorusersincludingcostsavings,flexibility,efficiency,security,andscalability.Forcustomerswhowanttousecloudcomputingservicestoprocesspersonaldata,akeyconsideration isthattheprocessing iscarriedoutinaccordancewithapplicableEUdataprotectionlaw.

Thereisawidespectrumofcloudservicesprovidersprovidingavarietyofdifferentcloudcomputingmodels.Dataprotectionconsiderationsdonotapplytoallcloudmodelsinthesameway.Theextenttowhichcloudcomputingservicesprovidersprocesspersonaldataandtheextentoftheircontroloverthehandlingofthatdatadependsonthetypeofcloudcomputingservicesbeingoffered.Assuchprovidersofdifferenttypesofcloudcomputingservicesnecessarilyhavedifferentrolesandresponsibilities,particularlyinrelationtodataprotectionanddatasecurity.

Forexample:

• Aprovider of Software-as-a-Service (SaaS) typically offers a software applicationservicethatisspecificallyintendedtoprocesspersonaldata(e.g.ane-mailservice,ERPsoftware,marketingservicesetc.).ASaaSproviderhastheabilitytoexerciseawiderangeofcontrolsinrelationtothepersonaldataprocessedusingitsSaaSandhow that data is processed. It is, therefore, able to provide its customers withtechnical and contractual commitments that are tailored to the specific SaaS itprovides and reflect the degree of control SaaS providers have over dataprotectioncompliance.

• Aproviderof Infrastructure-as-a-Service (IaaS),on theotherhand,onlyprovidesvirtualisedhardwareorcomputinginfrastructure.Itscustomershavetheflexibilitytochoosehowtousethatinfrastructure.Forexample,acustomerusingIaaShasthe freedom to choose what data it wants to process on the infrastructure, inwhich countries, forwhat purposes and how itwishes to protect this data. IaaSprovidersareunawareofwhethertheirinfrastructureisbeingusedbycustomerstoprocesspersonaldata.BecauseofthenatureofIaaS,IaaSprovidersareunableto tailor their services to any individual customer's use case. Instead, IaaSproviders provide their services with the same level of security irrespective ofwhether or not personal data is actually processed by a customer on the IaaSprovider'sinfrastructure.

ThisCodeofConduct (Code) focusseson IaaSproviders. IaaSprovidersare referred to inthisCodeasCloudInfrastructureServicesProviders(CISPs).ThepurposeoftheCodeistoguide customers in assessing whether cloud infrastructure services are suitable for the

CISPE-January2017

4

processingofpersonaldatathatthecustomerwishestoperform.Theverydifferentnatureof cloud infrastructure services - compared toother typesof cloud computing services–meansthataspecificCodetailoredforIaaSisrequired.

AseparateCodewillimprovetheunderstandingofIaaSintheEuropeanUnionbycreatingtransparency.Insodoingitwillcontributetoanenvironmentoftrustandwillencourageahigh default level of data protection. This will benefit Small and Medium enterprises(SMEs),asusersandproviders,andpublicadministrationsinparticular.

TheCodeconsistsofasetofrequirementsforCISPsasdataprocessorsinSection4(DataProtectionRequirements)andSection5(TransparencyRequirements) (togethertheCodeRequirements).ItalsoincludesagovernancestructureatSection7(Governance)thataimstosupporttheimplementation,management,andevolutionoftheCode.

The Code is a voluntary instrument, allowing a CISP to evaluate and demonstrate itsadherencetotheCodeRequirementsforoneorseveralofitsservices.Thismaybeeither(i)certificationbyan independentthirdpartyauditors,or (ii) self-assessmentbytheCISPandself-declarationofcompliance.

CISPs that have demonstrated their adherence to the Code in accordance with itsgovernanceprocessesmayusetheCode’srelevantcompliancemarks.

Customers are invited to verify that the CodeRequirements, any additional contractualassurancesprovidedby theCISP,and theirownpolicies complywith their requirementsunderapplicableEUdataprotectionlaw.CustomersmayverifyaCISP’sadherencetotheCodethroughthewebsitelistingalltheorganisationsthathavedeclaredtheiradherencetothisCode(www.cispe.eu)(CISPEPublicRegister).

CISPE-January2017

5

1 StructureoftheCodeThisCodeisstructuredasfollows:

• Purpose:describesthefocusoftheCoderelativetoapplicableEUdataprotectionlaw.

• Scope:describesthefieldofapplicationoftheCode.• Dataprotection requirements:describes the substantive rightsandobligationsof

adhering CISPs on the basis of key principles such as purpose limitations, datasubjectrights,transfers,security,auditing,liability,etc.

• Transparency requirements: describes how the adhering CISP demonstrates anadequatelevelofsecurityforpersonaldata.

• Adherence:describestheconditionsforCISPsdeclaringadherencetotheCode.• Governance:describes how the Code ismanaged, applied, and revised, including

therolesandobligationsofitsgoverningbodies.

CISPE-January2017

6

2 PurposeThe purpose of this Code is to guide customers in assessing whether the cloudinfrastructureservicethatitwishestouseissuitableforthedataprocessingactivitiesthatthecustomerwishestoperform.Ultimately,thefocusofthisCodeistohelpcustomerstochoosetherightcloudinfrastructureservicefortheirspecificneeds.

ACISP'sdeclarationofadherencetothisCodeforaspecificserviceshouldinstiltrustandconfidenceamongcustomersthat:

• customerscanusethatservicetoprocesspersonaldatainwaythatcomplieswithapplicableEUdataprotectionlaw;and

• theCISPhasmettheCodeRequirementsinrespectofthatservice.

Whenusinganycloudinfrastructureservice,customersareencouragedtocompletetheirown assessment of their specific processing activities and their compliance based onapplicable EU data protection law. This Code is intended to assist customers in suchassessments,butisnotasubstituteforthem.

TheCodedoesnotreplaceacontractbetweentheCISPandthecustomer.TheCISPanditscustomer are free to define how the service is delivered in a written agreement (theServiceAgreement).CISPsshouldassesswhetherthethencurrentServiceAgreementthatthey offer new customers in connection with the services contradicts the CodeRequirementsespeciallybeforedeclaringtheiradherence.

The Code is not legal advice. Adherence to the Code will not guarantee a CISP's or acustomer'scompliancewithapplicablelaw.CISPsandcustomersareencouragedtoobtainappropriateadviceontherequirementsofapplicablelaw.

CISPE-January2017

7

3 ScopeTheCodeconsistsofa setof requirements forCISPsasdataprocessorswithaparticularfocus on security. These are set out in Section 4 (Data Protection Requirements) andSection5(TransparencyRequirements).TheserequirementsarereferredtocollectivelyintheCodeastheCodeRequirements.

AnyCISPmaydeclareitsadherencetotheCodeRequirementsforanycloudinfrastructureserviceif:

• theservicecomplieswiththeCodeRequirements;

• inrespectofthatservice,theCISPcomplieswithallEUdataprotectionlawswhichareapplicableandbindingonit,includingtheEUDataProtectionDirective(andanyapplicable national transpositions thereof) and the General Data ProtectionRegulation(GDPR)whenitcomesintoforce;and

• theserviceprovidesthecustomertheabilitytochoosetousetheservicetostoreandprocessitsdataentirelywithintheEEA.

ACISPmaychoosetodeclareonlyspecificofitscloudinfrastructureservicesasadheringtotheCodeRequirements.SuchCISPsmustensurethatpotentialcustomersareexplicitlyandunambiguously informed of the services adhering to the Code Requirements. Any CISPdeclaring its compliance with the Code must be able to comply with all the CodeRequirementsforeachservicecoveredbyitsdeclaration.

Theproper identificationof thedatacontrollerandofanydataprocessors isvital forEUdata protection law. These concepts are explained in Section 4 (Data Protection) of thisCode.

In the cloud infrastructure service context, the CISP will act as a data processor to thecustomer(whomayitselfbeacontrolleroraprocessor).TheCodeRequirementssetouttheprincipleswhichCISPs,asdataprocessors,mustrespect.

Thelegalobligationsofdatacontrollers,assetoutinapplicableEUdataprotectionlaw,arebroader than thoseofdataprocessors.Dataprocessorscanplayasupporting role in thefulfilmentofthedatacontroller’sobligations.TheCodeendeavourstoexplainhowCISPs,asdataprocessors,cansupportthoseoftheircustomerswhoareeitherdatacontrollersorthemselvesdataprocessorsinthesupplychain.

Inrespectofdataprocessedonbehalfofacustomerusingthecloudinfrastructureservice,theCISPwillnot(a)accessorusesuchdataexceptasnecessarytoprovidetheservicestothecustomer,or(b)processsuchdatafortheCISP'sownpurposes,including,inparticular,

CISPE-January2017

8

forthepurposesofdatamining,profilingordirectmarketing.

TheCISPmayactasadatacontroller inrespectofcertainpersonaldataprovidedbythecustomertotheCISP.Thisincludes,forexample,accountinformation(suchasusernames,email addresses and billing information), which the customer provides to the CISP inconnectionwith the creationoradministrationof the customer'saccountused toaccesstheCISP'sservice.

ThisCodedoesnotapplywheretheCISPprocessessuchdataasadatacontroller.

CISPE-January2017

9

4 DataProtectionRequirementsEUdataprotection lawmakesadistinctionbetween (a) the“datacontroller”– thepartywhichdetermines thepurposesandmeansof theprocessingofpersonaldata, and (b) a“dataprocessor”–apartywhichprocessespersonaldataonbehalfofthecontroller.

CISPs provide self-service, on-demand infrastructure that is completely under thecustomers’ control– includingwith respect towhetheranypersonaldata isuploaded tothecloudinfrastructureserviceand,ifso,howthatpersonaldatais“processed”.

Customerascontrollerorprocessor

Cloudinfrastructureservicesareusedaspartofavarietyofdifferentbusinessoperations,and there may be multiple parties involved in a chain of supply. As a general guide,however,where a customer stores or otherwise processes personal data using a CISP'sservices:

• Thecustomerwillbethecontrollerinrelationtothatpersonaldataifthecustomerdeterminesthepurposeforwhichthedatawillbeprocessedandhaschosenhowitwillbeprocessed.

• Thecustomerwillbeaprocessorinrelationtothatpersonaldataifthecustomerismerely processing the personal data on the CISP's service on behalf of andaccordingtothewishesofathirdparty(whomaybethecontrolleroranotherthirdpartyinthesupplychain).

CISPasprocessor

Where the customer chooses to store or otherwise process personal data using a CISP'sservices,theCISPwillbethatcustomer'sprocessor.

ThepurposeofthisDataProtectionRequirementssectionoftheCode

ThepurposeofthisSection4(DataProtectionRequirements)istoclarifytheCISP'sroleasaprocessorunderapplicableEUdataprotectionlawinthecontextofcloudinfrastructureservices.

TheCodepursuesthisobjectiveby:

(a) identifying requirements for processors under applicable EU data protection law(theDPrequirement);and

(b) applyingtheDPrequirementtothecloudinfrastructureservicescontext,allocating

CISPE-January2017

10

responsibility for these requirements between the CISP and the customer anddefining the specific requirements for theCISPunder theCode (theRequirement

forCISP).

In addition to the Code, CISPs and customers are encouraged to consider all therequirements of applicable EU data protection law in their provision and use of cloudinfrastructureservices,respectively.

AkeyobjectiveoftheCodeisthatitwilladdressthekeyrequirementsforCISPsunderthencurrent EUdataprotection law. Inparticular, this includes theGDPRwhen it comes intoforceandrequirementsintheCodearedefinedbyreferencetotheGDPR.TheCodewillbereviewedandupdatedasnecessary toconsiderchanges inapplicableEUdataprotectionlaw inaccordancewithSection7 (Governance) (includinganybindingspecificationwhichmaybeprovidedbythecompetentsupervisoryauthoritiesconcerningGDPR).

4.1 ProcessingPersonalDatalawfully

DPrequirement:

The controllermust ensure that personal data is processed lawfully. Processing is lawfulonly ifcertainconditionsapply.Exceptwhererequiredtocomplywithlaw,theprocessormayprocesspersonaldataonlyondocumentedinstructionsfromthecontroller(GDPRArt28(3)(a)).

RequirementforCISP:

The CISPwill process personal data in accordancewith the customer's instructions. TheService Agreement and use by the customer of the features and functionalities madeavailable by the CISP as part of the service are the customer's complete and finalinstructionstotheCISPinrelationtoprocessingofpersonaldata.

Explanation:

CISPs have no control overwhat content the customer chooses to upload to theservice (includingwhetherornot it includespersonaldata).CISPshaveno role inthe decision-making as to whether or not the customer uses the cloudinfrastructureserviceforprocessingpersonaldata,forwhatpurposeandif/howitisprotected. Accordingly, CISPs are not able to ascertain whether there may be alawful basis for the processing. As such, their responsibility is limited to (a)complying with the customer's instructions as provided for or reflected in theServiceAgreement and (b) providing information about the service in accordancewithSection5(TransparencyRequirements)oftheCode.

CISPE-January2017

11

4.2 ContractualtermsandconditionsoftheCISP’sservices

DPrequirement:Processingbyaprocessorshallbegovernedbyawrittencontractthatisbindingbetweentheprocessorandthecontrollerandthatsetsoutthesubjectmatteranddurationoftheprocessing, the nature and purpose of the processing, the type of personal data andcategories of data subjects and theobligations and rights of the controller. The contractmaybeinelectronicform.(GDPRArt28(3)).RequirementforCISP:

TheCISPshalldefinethefeaturesoftheserviceandhowitisdeliveredandtherightsandobligationsofthecustomerintheServiceAgreementassetoutinsub-sections(a)and(b)below.

Explanation:

CISPs provide infrastructure. Customers have the flexibility to choose how to usethat infrastructureandtheycanalsochoosetochangehowandforwhatpurposetheyusethatinfrastructurewhenevertheywish.

(a)Descriptionofprocessing

TofacilitatethesefeaturesofcloudinfrastructureservicesandtoavoidtheneedtoamendtheServiceAgreementorenteranewServiceAgreementeverytimethecustomeroranycustomer end user chooses to change the way it uses the service, the description ofprocessing in the Service Agreement should be drafted in a way that accommodatescustomerschangingtheirusecases.Forflexibility,ServiceAgreementsmayaddressthedescriptionoftheprocessingusingthecloud infrastructure services on a generic basis, for example, “compute, storage andcontentdeliveryontheCISP'snetwork”.(b)FormofServiceAgreement

Provideditisinwriting(includinginelectronicform)andlegallybindingbetweentheCISPandthecustomer,theServiceAgreementmaytakeanyform,including:

• asinglecontract;

• a set of documents such as a basic services contractwith relevant annexes (dataprocessingagreements,SLAs,serviceterms,securitypolicies,etc.);or

• standardonlinetermsandconditions.

CISPE-January2017

12

4.3 Security

DPrequirement:

Bothcontrollerandprocessormust,taking intoaccountthestateoftheart,thecostsofimplementationandthenature,scope,contextandpurposesofprocessingaswellastherisk of varying likelihood and severity for the rights and freedoms of natural persons,implementappropriatetechnicalandorganisationalmeasurestoensurealevelofsecurityappropriatetotherisk(GDPRArt32(1)).

RequirementforCISP:

(a)Securitymeasures

TheCISPwill implementandmaintainappropriate technicalandorganisationalmeasuresfor the CISP's data centre facilities, servers, networking equipment and host softwaresystemsthatarewithintheCISP'scontrolandareusedtoprovidetheCISP'sservice (theCISPNetwork).Thosetechnicalandorganisationalmeasuresshould(a)bedesignedtohelpcustomerssecurepersonaldataagainstunauthorisedprocessingandaccidentalorunlawfulloss,accessordisclosure,and(b)addressthesecurityresponsibilitiesoftheCISPassetoutinAnnexA(SecurityResponsibilities).

Explanation:

Cloud infrastructure services are content agnostic. They offer the same technicalandorganisationalmeasuresand levelof security toall customers, irrespectiveofwhethertheyareprocessingpersonaldataornotorthenature,scope,contextandpurposesofprocessingthecustomerisusingtheservicetoperform.Atthesametime,theCISPisnotsolelyresponsibleforsecurityinthecontextofacustomer'suseofthecloudinfrastructureservice.Therearecertainkeyaspectsofsecuritythatarethecustomer'sresponsibility(andnottheCISP'sresponsibility).Forexample, the customer (andnot theCISP) is responsible for the security of guestoperating systems, applications hostedon the service, data in transit and at rest,customer's service log-in credentials and permissions policies for customerpersonnelusingtheservice.Annex A (Security Responsibilities) defines the security responsibilities of (a) theCISP,and(b)thecustomerinthecontextofacloudinfrastructureservice.

Customersshouldreview(a)theinformationmadeavailablebytheCISPrelatingtodatasecurityinrespectoftheservices(seeSection5(TransparencyRequirements)below),(b)thecustomer'schosenconfigurationofthecloudinfrastructureserviceand use of the features and controls available in connection with the cloudinfrastructure service, and (c) the securitymeasures that the customerwill put in

CISPE-January2017

13

placefortheaspectsofsecurityunderitsresponsibility,andmakeanindependentdetermination that together those measures provide an appropriate level ofsecurity for the processing customer will use the service to perform. Thisdeterminationshouldbebasedonthenature,scope,contextandpurposesofthecustomer'sintendedprocessing.

Because it is the customer who decides what processing (i.e. what data and forwhatpurposes)itwillusetheservicetoperform,onlythecustomercandeterminewhatlevelofsecurityis"appropriate"forthepersonaldataitstoresandprocessesusingtheservice.TheCISPisnotinapositiontomakethisassessmentbecausetheCISP does not monitor, limit or otherwise control what processing the customermayusetheservicetoperform.

(b)Informationsecurityprogram

The CISP will maintain an information security program with the aim to (a) identifyreasonably foreseeable and internal risks to the security of the CISP Network, and (b)minimizesecurityrisks,includingthroughriskassessmentsandregulartesting.TheCISPwilldesignateoneormoreCISPpersonneltocoordinateandbeaccountablefortheinformationsecurityprogram.(c)Continuedevaluation

The CISP will conduct periodic reviews of the security of the CISP Network and theadequacyof theCISP's information security program. TheCISPmay choose to review itsinformationsecurityprogramagainstoneormoreindustrysecuritystandards.TheCISPwillcontinuallyevaluatethesecurityoftheCISPNetworktodetermineifadditionalordifferentsecuritymeasuresarerequiredtorespondtonewsecurityrisksortheresultsgeneratedbytheCISP'sownperiodicreviews.The CISPmaymodify the CISP's security standards from time to time, but will continuethroughoutthetermoftheServiceAgreementtoprovideatleastthesamelevelofsecurityas is described in the CISP's security standards at the effective date of the ServiceAgreement.4.4 Transferofpersonaldatatothirdcountries

DPrequirement:

BothcontrollerandprocessormustensurethatanytransferofpersonaldataundergoingprocessingtoathirdcountryshalltakeplaceonlyifcertainconditionsunderapplicableEUdataprotectionlawarecompliedwith(GDPRArt44).

RequirementforCISP:

CISPE-January2017

14

(a)Location

ThecloudinfrastructureservicewillprovidethecustomertheabilitytochoosetousetheservicetostoreandprocessitsdataentirelywithintheEEA.

(b)Information

TheCISPwillprovidetothecustomerinformationabouttheregionandcountrywhereitsdataisstoredandprocessedbyoronbehalfoftheCISP,includingiftheCISPsub-contractspartoftheprocessingtothirdparties.

Forsecurityreasons,onlyagenerallocation(suchasacityorcityregionarea)needstobeprovided.Thisgeneraldescriptionshall,at least,allowthecustomerto identifywhichEUMember State has jurisdiction over the customer for processing performed by thecustomerusingtheservice.

Ifnecessarytodischargeacompetentsupervisoryauthority'sobligationsunderapplicablelaw in respect of the customer's use of the service andprovided that the information isprotectedbyadequateconfidentialityobligationsbindingon theauthority, theCISPshallcommunicate to the competent supervisory authority the exact address of the relevantfacilities.

For serviceswhich can be run indifferentlywithin several different locations in the CISPNetwork, CISPs will make the information easily accessible to the customer and enablecustomers to select the location(s) within the CISP Network where their data will beprocessed.

(c)Levelofprotection

TheCISPwillimplementorotherwisemakeavailabletocustomersarecognisedcompliancestandardunderapplicableEUdataprotectionlawforthelawfultransferofpersonaldatatotherelevantcountry(including,forexample,theEUStandardContractualClauses,BindingCorporateRulesor theEU-USPrivacy Shield for transfersof personal data to theUnitedStatesofAmerica)if:

i. the customer transfers data from within the EEA to be stored using the CISP'sservice in any country outside the EEAwhich is not recognised by the EuropeanCommissionasprovidinganadequatelevelofprotectionforpersonaldata;or

ii. theCISPisauthorisedtoaccessdatastoredusingtheCISP'sservicewithintheEEAfromsuchcountryreferredtoin(i)above.

4.5 Sub-processing

DPrequirement:

CISPE-January2017

15

The processor shall not engage another processor without specific or general writtenauthorisationofthecontroller.Inthecaseofgeneralwrittenauthorisation,theprocessorshallinformthecontrolleroftheintendedchangesgivingthecontrollertheopportunitytoobject(GDPRArt28(2)).

The processor must impose the same obligations as required under applicable EU dataprotection law in the contract with its controller with its sub-processors. The processormustremainfullyresponsibletothecontrollerfortheperformanceoftheirsub-processor'sobligations(GDPRArt28(4)).

RequirementforCISP:

(a) Consent

Subjecttoapplicablelaw,theCISPshallobtainthecustomer’sconsentbeforeauthorisingathirdpartysub-processortoaccessandprocesscustomerdata.

The customer’s consent may be given generally through the Service Agreement. Inparticular,theServiceAgreementmaydefinecasesandconditionsinwhichtheCISPmayenlist sub-processors for carrying out specific processing activities on behalf of thecustomerwithouttherequirementtoobtainadditionalconsentsfromthecustomer.

If thecustomerobjectstoasub-processor, thecustomermay immediatelyterminatetheService Agreement for convenience or, if agreed by the customer and the CISP,immediatelyterminatetheserviceorthatpartoftheservicewhichisprovidedbytheCISPusingtherelevantsub-processor.

(b) Information

The CISP shall maintain an up-to-date list of sub-processors authorised by the CISP toaccesscustomerdata.Thislistmustincludethelocationofthesub-processorandmustbeeasilyaccessibletothecustomeratthetimeofacceptanceoftheServiceAgreementandduring its term. Only a general location (such as a city or city region area) needs to beprovided.Thisgeneraldescriptionshall,at least,allowthecustomerto identifywhichEUMember State has jurisdiction over the customer for processing performed by thecustomerusingtheservice.

Before authorising a new sub-processor to access customer data, the CISP will makeavailable to the customer the informationabout thatnew sub-processor specified in theparagraphabove.

(c) Sub-processingarrangements

TheCISPwillimposedataprotectioncontractualobligationsequivalenttothosesetoutin

CISPE-January2017

16

theServiceAgreementbetweentheCISPandthecustomeronitssub-processor.

The CISPmust put in place operational arrangements in respect of its sub-processor toprovide an equivalent level of data protection to the level of data protection under theService Agreement. The CISP must be able to demonstrate to the customer throughappropriatedocumentaryevidencethatithastakensuchmeasures.

TheCISPshallrestrictthesub-processor'sprocessingofcustomerdatatoprocessingthatisnecessarytoprovideormaintaintheservices.

TheCISPshallremainresponsibleforitscompliancewithitsdataprotectionobligationsintheServiceAgreementandforanyactsoromissionsof thesub-processorthatcausetheCISPtobreachanyofitsobligationsundertheServiceAgreement.

Notwithstanding sub-sections (a) - (c) above, and subject to applicable law, CISPs mayfreely use subcontractors or suppliers (such as energy suppliers, equipment suppliers,transport,technicalserviceproviders,IPCarriers,transitproviders,hardwarevendors,etc.)toperformitsdutiesundertheServiceAgreementwithouthavingtoinformorseekpriorauthorisation from the customer, provided that such subcontractors or suppliers arenotauthorisedtoaccessnorprocesscustomerdata.

4.6 Demonstratingcompliance

DPrequirement:

The processor must make available to the controller all information necessary todemonstratetheprocessor'scompliancewithitsdataprotectionobligationsandallowforaudits, including inspections, conductedby thecontrolleroranauditormandatedby thecontroller(GDPRArt28(3)(h)).

RequirementforCISP:

(a)Information

CISPsshallmakesufficientinformationaboutthesecuritycontrolsinplacefortheservicesavailabletocustomerssothatcustomerscanreasonablyverifytheCISP'scompliancewiththesecurityobligationsintheServiceAgreement.

Where information is non-confidential or non-sensitive it will be made accessible bycustomersviaastraight-forwardprocess(e.g.viatheCISP'swebsite).Whereinformationisconfidential,theCISPmaymakeitavailabletocustomersuponrequestbutmayrequirethecustomertofirstexecuteanon-disclosureagreementwhichisacceptabletotheCISP.TheCISP may in its sole discretion choose not to disclose certain high-sensitive securityinformation.

CISPE-January2017

17

CISPsmayrequirecustomerstopayanadditional fee for information.Thisadditional feewillbereasonableandwillnotbeusedtopreventcustomersfromaccessing informationaboutthesecuritycontrolsfortheservice.

The CISP may publish current information on service availability and/or updates aboutsecurityandcompliancedetailsrelatingtotheservicesontheCISP'swebsite.

TheCISP shallprovideamechanism (whether freeof chargeor fora reasonable fee) forcustomersthathavequestionsregardingdataprotectionorsecurityissuesrelatingtotheservice to request to be put in contact with the then-current CISP personnel orrepresentative assigned by the CISP to handle such matters. Mechanisms should beappropriate and proportionate for the cloud infrastructure service in question and maytake the formof phonenumbers, e-mail addresses, chat systems, or anyothermethodsthatallow thecustomer toestablishcommunicationswith the relevant representativeoftheCISP.Accesstoorknowledgeofcustomerdataisnotrequiredtofulfilthisobligation.

(b)Audit

In addition to the information requirements above, the CISPmay use independent thirdpartyauditorstoverifytheadequacyofthesecuritycontrolsthatapplytotheservice.

IfofferedbytheCISP,theseaudits:

• will be performed according to a recognised security standard (including, forexample,ISO27001);

• willbeperformedperiodicallyasprovidedundertheapplicablestandard;• will be performed by qualified and reputable independent third party security

professionals;and• willresultinthegenerationofanauditreport.

If the CISP uses independent third party auditors to verify the adequacy of the securitycontrolsthatapplytotheservice,thenatcustomer'swrittenrequesttheCISPmayprovidethecustomerwithacopyoftheauditreportsothatthecustomer,thecustomer'sauditorandcompetentsupervisoryauthoritieswithjurisdictionoverthecustomercanreasonablyaudit and verify the CISP's compliance with its security obligations under the ServiceAgreement.TheCISPmaychoosetochargecustomersanadditionalfeefortheprovisionoftheauditreportprovidedsuchfeeshouldnotbeusedasadeterrent.

The report will be the CISP's confidential information. Before sharing the report withcustomer,theCISPmayrequirethecustomertofirstexecuteanon-disclosureagreementwhichisacceptabletotheCISP.

Explanation:

CISPE-January2017

18

TheCodedoesnotrequiretheCISPtoauthorisethecustomeroranythirdpartytoconduct an on-site audit of the CISP's premises or facilities. Cloud infrastructureservices aremulti-tenant environments. Thismeans that the data of potentially allthe CISP's customers could be hosted in the same premises or facilities. PhysicalaccesstotheCISP'sfacilitiesbyasinglecustomerorthirdpartyintroducesapotentialsecurityriskforallothercustomersoftheCISPwhosedataishostedwithinthesamepremises or facilities. This risk can be controlled if, instead of an on-site audit,customersuse the informationprovidedby theCISP to reasonablyverify theCISP'scompliancewiththesecurityobligationsintheServiceAgreement.

4.7 DataSubjectrequests

DPrequirement:

Takingintoaccountthenatureoftheprocessing,theprocessormustassistthecontrollerby appropriate technical and organisationalmeasures, insofar as this is possible, for thefulfilmentofthecontroller'sobligationtorespondtorequestsforexercisingdatasubject'srights(GDPRArt28(3)(e)).

RequirementforCISP:

The CISP will provide the customer with the ability to rectify, erase, restrict or retrievecustomerdata.Thecustomermayusethisabilitytoassistcustomerinthefulfilmentofitsobligationstorespondtorequestsforexercisingdatasubject'srights.

The CISPmay provide the customerwith the ability to rectify, erase, restrict or retrievecustomerdata(a)aspartoftheservice,or(b)byenablingcustomerstodesignanddeploytheirownsolutionsusingtheservice.

Explanation:

Beyond providing the customer the ability to rectify, erase, restrict or retrievecustomerdata,theCISPisnotrequiredtoprovidefurtherassistancetothecustomerwith data subject requests. This is because the customer (and not the CISP) isresponsible for managing data processed by the customer using the service.Therefore,theCISPdoesnotknowwhatdatacustomersareuploadingtotheserviceand,inparticular,whoarethedatasubjectsofthatdata.

4.8 CISPpersonnel

DPrequirement:

Processorsmustensurethatpersonsauthorisedbytheprocessortoprocesspersonaldata

CISPE-January2017

19

have committed themselves to confidentiality or are under an appropriate statutoryobligationofconfidentiality(GDPRArt28(3)(b)).

RequirementforCISP:

Confidentiality:

TheCISPwill imposeappropriate contractualobligations regarding confidentialityonanypersonnelauthorisedbytheCISPtoaccesscustomerdata.

Accesscontrols:

TheCISPwillimplementandmaintainaccesscontrolsandpoliciesinordertorestrictCISPpersonnel processing customer data to those CISP personnel who need to processcustomer data to provide the services to the customer.When CISP personnel no longerneed to process customer data, the CISP will promptly revoke that personnel's accessprivileges.

4.9 Lawenforcement/governmentalrequests

DPrequirement:

Processorsmayonlygiveeffect toacourt judgmentoradministrativedecisionofa thirdcountryrequiringpersonaldatatobetransferredordisclosedifbasedonaninternationalagreement(e.g.MLAT)betweenthatthirdcountryandtheEUoraMemberState(GDPRArt48).

RequirementforCISP:

TheCISPwillnotdisclosecustomerdatatoathirdcountrylawenforcementagencyunlessitisnecessarytocomplywithavalidandlegallybindingcourtjudgment,orderorrequest.The CISP will not disclose more customer data than is necessary to comply with therelevantcourtjudgment,orderorrequest.

IftheCISPreceivesavalidandlegallybindingcourtjudgmentororderorrequestfromanylaw enforcement or governmental authority to disclose customer data, then, unlessprohibited by law, the CISP will inform the customer before disclosure to provide thecustomerwiththeopportunitytoseekprotectionfromdisclosure.

The CISP may maintain public guidelines intended for use by law enforcement whenseeking information from theCISPandproduceat leastannual reportson the typesandvolumeofinformationrequeststheCISPhasprocessed.

CISPE-January2017

20

4.10 Databreach

DPrequirement:

Processorsmustnotifyadatabreachtothecontrollerwithoutunduedelayafterbecomingawareofit(GDPRArt33(2)).

Taking into account the nature of the processing and the information available to theprocessor, the processor must assist the controller in ensuring compliance with itsobligationstonotifydatabreachtothesupervisoryauthorityanddatasubjects(GDPRArt28(3)(f)).

RequirementforCISP:

Securityincidentmanagementpolicy

The CISP shall implement a security incident management policy that specifies theproceduresforidentifying,andrespondingtosecurityincidentsofwhichtheCISPbecomesaware.

Thispolicywillinclude:

• guidancefordecidingwhichtypeof incidentshavetobenotifiedtothecustomerbasedonthepotentialimpactondata;

• guidanceonhowincidentsshouldbeaddressed;and

• a specificationof the information tobemadeavailable to thecustomer followingthedatabreachincident.

Securitybreachnotification

Scopeandtimingofnotification

If theCISPbecomesawareofunauthorisedaccess toanycustomerpersonaldataon theCISP's equipment or in the CISP's facilities and such unauthorised access results in loss,disclosureoralterationofthatdata,theCISPwillnotifythecustomerwithoutunduedelay.

Contentofnotice

The notification will (i) describe the nature of the security breach, (ii) describe theconsequencesofthebreach,(iii)describethemeasurestakenorproposedtobetakenbytheCISPinresponsetotheincidentand(iv)provideacontactpointattheCISP.

CISPE-January2017

21

4.11 Deletionorreturnofpersonaldata

DPRequirement:

At the controller's option, the processor must delete or return all personal data to thecontroller(anddeleteexistingcopies)attheendofserviceprovision(GDPRArt28(3)(g)).

RequirementofCISP:

TheCISPwillprovidethecustomerwiththeability toretrieveanddeletecustomerdata.Thecustomermayusethisabilitytoretrieveordeletecustomerdataattheendofserviceprovision.

Dependingof the typeof service, theCISPmayprovide the customerwith the ability toretrieveanddeletecustomerdata(a)aspartoftheservice,or(b)byenablingcustomerstodesignanddeploytheirowndeletionandretrievalsolutionsusingtheservice.

Explanation:

TheCISPdoesnotmanageorchoosetodeleteacustomer'sdataonthecustomer'sbehalf.NoristheCISPrequiredtoprovidethecustomerwithexitassistancebeyondtheabilityforthecustomertoretrieveordeletethecustomer'sdata.Therefore,itisthe customer's responsibility to manage deletion and retrieval of data on theservicetakingintoaccountanyprocesstriggeredbytheterminationorexpiryoftheServiceAgreement.

CISPE-January2017

22

5 TransparencyRequirementsCustomers need to be able to perform reliable security risk and data protection impactassessmentsforpersonaldataprocessedoncloudinfrastructureservices.

TheCISPcanhelpthecustomertoachievethisobjectivebyprovidingtransparencyaboutthe security measures implemented by the CISP for its services. To provide adequatetransparencytheCISPwillpursuethefollowing6objectives:

1. A Service Agreement that addresses the division of responsibilities between theCISPandthecustomerforthesecurityoftheservice.

2. Ahigh level statementon the securityobjectivesand standards that apply to theserviceconcerningatleastConfidentiality,Availability,Integrity.

3. Information on the design and management of the service to help customersunderstand potential threats and vulnerabilities for the customer's use of theservice.

4. Informationvalidating the riskmanagementprocessesandcriteriaof theCISP fortheservice.

5. InformationonthesecuritymeasuresimplementedbytheCISPfortheservice.

6. Assurance documentation covering the CISP's information security managementsystem.

Thesub-sectionsbelowdescribewhatstepstheCISPshouldtaketoensuretheadequateleveloftransparencyforeachservicedeclaredasadheringtheCode.

The CISP may achieve these objectives by implementing an information securitymanagementsystemcoveringthese6objectives.TheCodeencouragesCISPstoimplementsuchinformationsecuritymanagementsystemsbasedononeormorerecognisedindustrystandards.

Except for requirements specifically for the Service Agreement, the CISPmay choose tocommunicatetheinformationreferredtointhisSection5(TransparencyRequirements)tocustomersby:

• providinginformationabouttheCISP'ssecurityandcontrolpractices;and/or

• obtaining industry certifications and/or independent third-party attestations;

CISPE-January2017

23

and/or

• providingcertificates,reportsandotherdocumentationdirectlytocustomers.

Where the CISP considers information is confidential, the CISPmaymake it available tocustomer upon request but may require the customer to first execute a non-disclosureagreementwhichisacceptabletotheCISP.

5.1 A Service Agreement that addresses the division of responsibilities between the

CISPandtheCustomerforthesecurityoftheservice

The Service Agreement should define the security responsibilities of the CISP and thecustomer for the duration of the term of the Service Agreement provided that thecustomershall remain responsible foranyaspectof securitywhich isnotcoveredby theServiceAgreement.

In addition to the Service Agreement, the CISP may choose to make available forconsultation further documentation for the service which describes the division ofresponsibilityforsecuritybetweentheCISPandthecustomer.Forexample,theCISPcouldprovideamatrixdescribingresponsibilitiesofbothpartiesbasedontheirsharedcontroloftheITenvironmentandcontrolswhenusingtheservice.

5.2 Ahigh level statementon thesecurityobjectivesandstandards thatapply to the

service

The CISP should state (a) the objectives that the securitymeasures implemented by theCISPfortheservicearedesignedtopursue,andifapplicable(b)thestandardstheCISPwillfollowwhenimplementingthosesecuritymeasures.

TheCISPmaymodifytheapplicablesecuritystandardsfromtimetotimeprovidedthattheservice continues to provide at least the same level of security as was described in theapplicablestandardsattheeffectivedateoftheServiceAgreement.

TheCISPwill informcustomers ifacloudinfrastructureservice is intendedbytheCISPtoassistcustomerstocomplywitharecognisedstandardorlegalrequirementapplicabletoaspecific type of processing (e.g. processing healthcare data). This information may becommunicated by the CISP to customers within the Service Agreement, a servicedescriptionand/orviatheCISP'swebsiteorotherpubliclyavailablematerial.5.3 Informationonthedesignandmanagementoftheservice

The CISP should provide information to customers on the infrastructure available to thecustomerandhowitisusedtodelivertheservice(i.e.thefacilities,network,hardwareandoperationalsoftwarethatsupporttheprovisioninganduseoftheservices).

CISPE-January2017

24

Thisinformationmay,forexample,include:

• High-levelarchitectureoftheinfrastructure

• GenerallocationoftheCISP'shostingfacilities

• Subcontractor’sauthorisedbytheCISPtoaccesscustomerdata

• Securityfeaturesoftheservice

• Optionsthecustomercanusetoaddtofurthersecuritytotheservice

5.4 InformationvalidatingtheriskmanagementprocessesandcriteriaoftheCISP

TheCISPshouldprovideinformationtocustomersvalidatingtheexistenceandsuitabilityoftheCISP'sriskmanagementprogramtoassistcustomerstoincorporatetheCISP'scontrolsin the customer's own riskmanagement framework. This informationmay, for example,includeinternaland/orexternalriskassessmentsperformedorcommissionedbytheCISPandcoveredinoneormoreauditreports.

The Code encourages the CISP to follow a risk assessment methodology based onrecognisedindustrystandards.

5.5 InformationonthesecuritymeasuresimplementedbytheCISPfortheservice

The CISP shall make sufficient information about the securitymeasures in place for theservicesavailabletocustomerstoassistcustomerstounderstandthecontrolsinplacefortheservicethattheyuseandhowthosecontrolshavebeenvalidated.

Thisinformationis intendedtohelpcustomersevaluateiftheycanuseandconfiguretheservices in a way that provides an appropriate level of security for the processing thecustomerwillusetheservicestoperform.

Specifically,theCISPshoulddescribe:

• the physical and operational security processes for the network and serverinfrastructureundertheCISP'smanagement;and

• thesecurityfeaturesandcontrolsavailableforuseandconfigurationbycustomersontheservice.

Thisinformationmay,forexample,includeinformationabout:

• physicalandenvironmentalsecurity;

• networksecurity;

CISPE-January2017

25

• businesscontinuitymanagement;

• changemanagement;and

• accountsecurityfeatures.

5.6 Assurance documentation covering the CISP's information security management

system

TheCISPshallmakesufficientinformationabouttheinformationsecuritymanagementsysteminplacefortheservicesavailabletocustomerssothatcustomerscanreasonablyverifytheCISP'scompliancewiththesecurityobligationsintheServiceAgreementasdescribedinSection4.6(DataProtection;DemonstratingCompliance)ofthisCode.

CISPE-January2017

26

6 AdherenceACISPthatdeclaresadherencewiththeCodewillcomplywithalltheCodeRequirementsforanyservicecoveredbyitsdeclarationandmayusetheComplianceMarks(asdefinedinSection 6.2 below). CISPs cannot declare to adhere to only a chosen part of the CodeRequirementsortoexcludecertainsectionsoftheCodeRequirements.

The CISPs that have declared adherence to the Code commit to submit to Section 7(Governance). If a CISP fails to meet the Code Requirements, it will be subject to theenforcementmechanismsassetoutinSection7(Governance).Thisiswithoutprejudicetoany possible sanctions from competent supervisory authorities under applicable EU dataprotectionlaw.

6.1 DeclaringaserviceadherenttotheCode

(a) DeclarationsofAdherence

TouseComplianceMarksforaservicetheCISPmustcompleteandsubmitadeclarationofadherence(DeclarationofAdherence)inaccordancewiththeguidelinesforadherencetotheCodeproducedby theCCTF and approvedby the ExecutiveBoard (CodeAdherenceGuidelines).ThecurrentformoftheDeclarationofAdherence issetout inAnnexB.ThismaybeupdatedbytheCCTFfromtimetotime.TheSecretariatwillpublishandmaintainanuptodateversionoftheDeclarationofAdherenceandtheCodeAdherenceGuidelinesontheCISPEPublicRegister.The Declaration of Adherence confirms that the service complies with the CodeRequirements.TheCISPmaychoosebetweenthefollowingtwoprocedurestosupport itsDeclarationofAdherence:

• Certificationbyanindependentthirdpartyauditor;or• Self-assessmentbytheCISP.

DifferentComplianceMarksapplytoDeclarationsofAdherencesupportedbyeachofthesetwoprocedures.Bothproceduresareexplained inmoredetail in sub-sections (b)and (c)below.

The Secretariat shall review a CISP's Declaration of Adherence according to the CodeAdherence Guidelines. Within 40 working days of receipt by the Secretariat of theDeclarationofAdherence, theSecretariatwillnotify theCISPwhether theDeclarationofAdherenceiscomplete.

CISPE-January2017

27

IftheDeclarationofAdherenceisnotcomplete,theSecretariatmayrequestthattheCISPprovide any missing document or information required to complete its Declaration ofAdherence.If the Declaration of Adherence is complete, the Secretariat shall incorporate theDeclaration of Adherence into the CISPE Public Register within 10 working days of theSecretariatnotifyingtheCISPofitsacceptance.OncetheDeclarationofAdherenceisincorporatedintotheCISPEPublicRegister:

• the CISP is entitled to use the Declaration of Adherence and the appropriateCompliance Mark, as noted in Section 6.2 below, exclusively for the servicescoveredbytheDeclarationofAdherencesolongasitremainsvalidandsubjecttoanyenforcementmeasuresunderSection7.2(ComplaintsandEnforcement);and

• if any change to the service means a material update to the CISP's currentDeclaration of Adherence is required, then (i) the CISPmust promptly notify theSecretariat,and(ii)cooperatewiththeSecretariattoupdatethosematerials.

(b) Certificationbyindependentthirdpartyauditors

ProcessACISPcanshowthatoneormoreofitsservicesadheretothoseCodeRequirementswhichare technical and operational security and/or data protection behaviours which arerecognisedintheindustryasauditableandasspecifiedintheCodeAdherenceGuidelines(AuditableCodeRequirements)bypresentingoneormoreappropriatecertificates,auditreports, attestation reports, statementsofapplicabilityand/orequivalentdocumentationcovering all the Auditable Code Requirements for those services and prepared by anindependentthirdpartyauditor(Certificate).ACISPwhichchoosesthisproceduremustsubmitaCertificate(s)coveringalltheAuditableCode Requirements together with its Declaration of Adherence to the Secretariat inaccordancewiththeCodeAdherenceGuidelines.TheCISPmustalsosubmitanysupportinginformation specified in the Code Adherence Guidelines in respect of those CodeRequirementswhicharenotAuditableCodeRequirements.ACISPmustobtainaCertificatebyengagingoneormorequalifiedandreputableauditandprofessional accountancy firms to performan audit andprepareoneormore reports orcertificates on the compliance of the relevant service(s) with one or more recognisedindustry norms and/or certifications schemes which cover all the Auditable Code

CISPE-January2017

28

Requirements. The reports or certificates prepared by the auditor(s) will amount to aCertificateforthepurposesofthissectionoftheCode.Where the CISP holds an existing certificate or report covering a service satisfying therequirementsintheparagraphabove,thentheCISPmayrelyonthatexistingcertificateorreport as a Certificate to show that the service(s) adheres to the Auditable CodeRequirements without having to undergo a new or separate audit to obtain a newcertificateorreport.The CCTF may recommend certain audit and professional accountancy firms and/orindustrynormsor certification schemes forgeneratingaCertificate. If so, theSecretariatwillpublishandmaintainalistofsuchfirmsand/ornormsandcertificationschemesontheCISPEPublicRegister.However,thiswillnotpreventtheCISPfromrelyingonotherfirmsornormsandcertificationschemes.RenewalADeclarationofAdherenceobtainedviaCertificateisonlyvalidforoneyearfromthedateitisincorporatedintotheCISPEPublicRegister.However,ifneithertheservicecoveredbytheoriginalCertificatenortheCodehavebeenmateriallymodifiedsincetheCertificatewasissued,theCISPcanautomaticallyextendthevalidityoftheDeclarationofAdherencebyanadditionalyearatnocost,byconfirmingthecontinued accuracy of the Certificate and the supporting information providedwith thatCertificate(ifany)totheSecretariat.Inothercases,tocontinuetousetheComplianceMark,aCISPrelyingonaDeclarationofAdherenceobtainedviaCertificatemustrenewthatDeclarationofAdherenceeachyear.(c) Self-assessmentbytheCISP

ProcessA CISP can show that one ormore of its services adhere to the Code Requirements bycompletingaself-assessmentinaccordancewiththeCodeAdherenceGuidelines.

A CISP which chooses this procedure must submit its Declaration of Adherence to theSecretariattogetherwithanyrequiredsupportinginformationinaccordancewiththeCodeAdherenceGuidelines.Renewal

CISPE-January2017

29

ADeclarationofAdherenceobtainedviaself-assessmentisonlyvalidforoneyearfromthedateitisincorporatedintotheCISPEPublicRegister.To continue to use the ComplianceMark, a CISP relying on a Declaration of Adherenceobtainedviaself-assessmentmustrenewthatDeclarationofAdherenceeachyear.6.2 ComplianceMarks

TheCCTFwilldevelopcompliancemarkstobeusedasapublic-facingsymbolofaservice'sadherencetotheCodeRequirements(ComplianceMarks).TheComplianceMarkswillbeapprovedbytheExecutiveBoard.Toincreasetransparencyforcustomers,theCCTFwilldevelopatleasttwovisuallydifferentCompliance Marks to distinguish between CISPs who have evidenced the adherence oftheirservicetotheCodeRequirementsby:(a)certificationbyanindependentthirdpartyauditor,and(b)self-assessmentbytheCISP.TheCCTFwilldevelopandkeepunderreviewguidelinesfortheuseofComplianceMarksbyCISPs (ComplianceMarkUseGuidelines).TheSecretariatwillpublishandmaintainanuptodateversionoftheComplianceMarkUseGuidelinesontheCISPEPublicRegister.OncetheCISP'sDeclarationofAdherenceisincorporatedintotheCISPEPublicRegister,theCISPwillbeentitledtousetheappropriateComplianceMarksolongasitsDeclarationofAdherence remains valid and provided that the CISP uses the Compliance Marks: (a)exclusively for the services covered by their Declaration of Adherence, and (b) inaccordancewiththeComplianceMarkUseGuidelines.IftheCISPprovidesdifferentcloudinfrastructureservicesandnotalltheCISP'sservicesarecovered by a Declaration of Adherence, the CISP must ensure that their use of theCompliance Mark unambiguously identifies the specific services covered by the CISP'sDeclarationofAdherence.

CISPE-January2017

30

GeneralAssembly

Representation:EachparticipatingorganisationispermittedonevotingrepresentativeintheGeneralAssembly.Thereisnolimitonthenumberofparticipatingorganisations.

Eligibility:TobeeligibleformembershipoftheGeneralAssembly,anorganisationmust(a)provideacloudinfrastructureservicetocustomersintheEEA,(b)thatservicemustprovidecustomerswiththeabilitytochoosetousetheservicetostoreandprocessitsdataentirelyintheEEA,and(c)haveatleastoneservicedeclaredasadherenttotheCodewithin6monthsofjoiningtheGeneralAssembly.

Keyresponsibilities:ElectrepresentativestotheExecutiveBoard;atleast10%ofmembersactingtogethermayproposechangestotheCodetotheExecutiveBoard;adoptchangestotheCode. ExecutiveBoard

Representation:Between5and10representativeseachfromadifferentGeneralAssemblymember.BoardrepresentativesareelectedbytheGeneralAssembly.

Eligibility:TobeeligibletopresentacandidateforelectiontotheExecutiveBoardamembermusteither(a)beafoundingmemberor(b)both(i)deriveasignificantpartoftheirincomefromcloudinfrastructureservices,and(ii)ownorexerciseeffectivecontrolofunderlyingphysicalcomputinginfrastructureforsuchcloudinfrastructureservices.

Keyresponsibilities:Approves:(a)admissionofnewGeneralAssemblymembers,(b)compliancemarks,(c)theCodecomplaintsprocess,(d)enforcementactionfornon-complianceofservicesadheringtotheCode,(e)guidelinesforadherencetotheCode,and(f)reviewsandchangestotheCode.Appoints:(a)non-votingrepresentativesoftheCCTF,(b)theComplaintsCommittee,(c)theSecretariat,and(d)Observers.

CodeofConductTaskForce(CCTF)

Representation:EachorganisationwithatleastoneservicedeclaredasadherenttotheCode(whetherornotitisaGeneralAssemblymember)mayappointonevotingrepresentativetotheCCTF.EachGeneralAssemblymemberandtheExecutiveBoardmayappointnon-votingrepresentativestotheCCTF(e.g.academicsorexperts,representativesofcloudinfrastructureserviceuserassociations,representativesoftheEuropeanCommission).Anythirdparty(includinganyendcustomer)wishingtohavenon-votingrepresentativemaysendawrittenrequesttotheBoardofDirectorsrequestinganinvitation.

Eligibility:Representativesmusthaveproven:(a)expertiserelatedtocloudcomputingand/ordataprotection,and/or(b)understandingofcloudcomputingbusinessmodels.

Keyresponsibilities:EvaluateCodebasedonchangestoapplicableEUdataprotectionlaw;proposechangestotheCodetotheExecutiveBoard;produceguidelinesforadherencetotheCode;expressanon-bindingopiniononproposedchangestotheCodepresentedbytheBoardofDirectors,recommendauditors,normsandcertificationschemessuitablefordemonstratingadherencetotheCodebyentities;developcompliancemarks;anddevelopcompliancemarkuseguidelines.

Secretariat

Representation:AppointedbytheExecutiveBoard.

Keyresponsibilities:ReviewdeclarationsofadherencetotheCode;publishandmaintaininformationontheCISPEPublicRegister;day-to-dayadministrationofCISPE.

ComplaintsCommittee

Representation:AppointedbytheExecutiveBoard.

Keyresponsibilities:(a)considercomplaintsaboutnon-complianceofserviceswiththeCode,and(b)takeenforcementactionagainstanon-compliantCISPand,wherenecessary,recommendenforcementactiontotheExecutiveBoard.

Observers

TheExecutiveBoardmayinviterepresentativeswhoarenotaffiliatedwithGeneralAssemblymemberstoparticipateasnon-votingobservers.

7 Governance7.1 GovernanceStructure

TheAssociationofCloud InfrastructureServiceProvidersofEurope (CISPE) is responsiblefor thegovernanceof theCode.Thediagrambelowprovidesanoverviewof thecurrentstructureofCISPE,includingitskeybodies,howthosebodiesarecomprisedandtheirkeyresponsibilities.

CISPE-January2017

31

7.2 ComplaintsandEnforcement

(a) ComplaintsCommittee

TheExecutiveBoardwillappointaComplaintsCommittee.TheComplaintsCommitteewillberesponsiblefor:(a)consideringcomplaintsaboutthecomplianceofservicescoveredbyaCISP'sDeclarationofAdherencewiththeCodeRequirements,and(b)takingenforcementaction against a non-compliant CISP and, where necessary, recommending suchenforcementactiontotheExecutiveBoard.

(b) ComplaintsProcess

The Complaints Committee will propose to the Executive Board rules and a process tomake,decide,appealandcommunicatetheoutcomesofcomplaintsaboutthecomplianceof services covered by a CISP's Declaration of Adherence with the Code Requirements(ComplaintsProcess).

OnceapprovedbytheExecutiveBoard,theComplaintsCommitteewillpublish,implementandadministerandkeepunderreviewtheComplaintsProcess.TheSecretariatwillpublishand maintain up to date information on the Complaints Process on the CISPE PublicRegister

ACISPEmember,acustomeroracompetentsupervisoryauthoritycanmakeacomplainttotheComplaintsCommitteeinaccordancewiththeComplaintsProcess.TheComplaintsCommitteeshall reviewanddecideon thatcomplaint inaccordancewith theComplaintsProcess.

(c) Enforcement

IfinitsfinaldecisiontheComplaintsCommitteefindsthataCISPisnon-compliantwiththeCodeRequirements,thentheComplaintsCommitteemay:

• request the CISP to take specific remediating measures within a reasonabletimeframetocomplytheCode;and

• inextremeorrepeatedcasesofnon-compliance,orincaseoffailurebytheCISPtoimplementtherequestedremediatingmeasures (atallor in time), recommendtothe Executive Board that the CISP's Declaration of Adherence be suspended orrevokedinrespectofthenon-compliantservice.

IfaCISP'sDeclarationofAdherenceissuspendedorrevoked:

• the Secretariat shall promptly remove the affected service(s) from the CISP'sDeclarationofAdherenceontheCISPEPublicRegister;

CISPE-January2017

32

• theComplaintsCommitteeshallspecifyareasonabletimeframeforwhentheCISPmuststopusingtheComplianceMarkinrespectoftherelevantservice;and

• the CISP shall stop using the ComplianceMark in respect of the relevant servicewithinthetimeframespecifiedbytheComplaintsCommittee.

Inthecaseofsuspension,thesemeasuresshallapplyuntilsuchsuspensionislifted.

Theenforcementmeasuresaboveare:

• the sole and exclusive remedies for a CISP's non-compliance with the CodeRequirements;and

• arewithoutprejudicetothecustomer’srightsunderapplicableEUdataprotectionlawortheServiceAgreement.

TheoptionforacustomertomakeacomplaintdoesnotgivethecustomeranydirectrightsorremediesagainsttheCISPorCISPEunderorinconnectionwiththeCode.

CISPE does not accept any responsibility for a CISP's compliancewith the Code.NorwillCISPEbeliabletoanypartyunderanycauseofactionortheoryofliabilityforanylossordamagesarisingfromanactoromissionofCISPEoraCISPinconnectionwiththeCode.

7.3 ReviewoftheCodeandGuidelines

(a) ReviewoftheCode

The CCTF will continue to review the Code based on changes to applicable EU dataprotectionlawand,inparticular,thecomingintoforceoftheGDPR.The CCTF shall aim to complete a full review of the Code every two years to take intoaccount legal and technological developments as well as developments to industry bestpractice.The Executive Board may initiate a specific review of the Code by the CCTF by a jointrequest to the CCTF from at least two members of the Executive Board. The ExecutiveBoardmayinitiatesuchareviewoftheirowninitiativeorbecauseithasbeenrequestedtodosoby:

• atleast10%ofGeneralAssemblymembers;• acompetentsupervisoryauthorityactinginanofficialcapacity;or• anassociationrepresentingtheinterestsofcloudinfrastructureserviceusersacting

inanofficialcapacity.

(b) ChangestotheCode

CISPE-January2017

33

After a review, the CCTFmay recommend changes to the Code to the Executive Board.ChangestotheCodemustbeadoptedbyCISPEbeforetheytakeeffect.

TobeadoptedbyCISPE,anychangetotheCodemustbe:

• presentedtotheExecutiveBoardandtheGeneralAssembly;• approvedbytheExecutiveBoard;and• adoptedbytheGeneralAssemblybyaspecialresolution.

BeforeadoptionbyCISPE,theExecutiveBoardmaydecidetosubmitachangetotheCodeforconsiderationandcommentto:

• acompetentsupervisoryauthority;and/or• anassociationrepresentingtheinterestsofcloudinfrastructureserviceusers.

As soon as practicable after a change to the Code has been adopted by CISPE, theSecretariatshallpublishanupdatedversionoftheCodeontheCISPEPublicRegister.CISPsarerequiredtoreneworre-confirmtheirDeclarationsofAdherencewithinayearoftheupdatedversionoftheCodebeingpublishedontheCISPEPublicRegister.ACISPwhoshows that its service adheres to the Code Requirements by presenting a CertificatetogetherwithitsDeclarationofAdherencemayrelyonanexistingCertificatetoshowthattheserviceadherestotheupdatedversionoftheCodewithouthavingtoundergoaneworseparateaudittoobtainanewcertificateorreport.

CISPE-January2017

34

ANNEXASecurityResponsibilities

Introduction

ThisAnnexdefinesthesecurityresponsibilitiesof(a)theCISP,and(b)thecustomerinthecontextofacloudinfrastructureservice.

TheCISPisresponsibleforthecloudinfrastructureserviceitprovidesandnotthesystemsandapplicationsdeployedbythecustomerusingthecloudinfrastructureservice,whicharethecustomer'sresponsibility.

(1) InformationSecurityManagement

(a) CISPresponsibilities

TheCISPshallhaveclearmanagement-leveldirectionandsupport for thesecurityof theservice.

TheCISP shallhave inplaceamanagement-approved setof information securitypoliciesthatgovernthesecurityoftheservice.

TheCISPshall implementan informationsecuritymanagementsystemorequivalent.Thescopeoftheinformationsecuritymanagementsystemshallcovertheservice.

TheCISPwilldesignateoneormorepersonnel tocoordinateandbeaccountable for theinformationsecuritymanagementsystem.

(b) Customerresponsibilities

Thecustomershalldesignateacustomerpointofcontactforsecurity issues inrespectofthecustomer'suseofthecloudinfrastructureservice.

The customer shall perform a risk assessment to assess the suitability of the cloudinfrastructure service for the data processing activities that the customer wishes toperformbasedonapplicableEUdataprotectionlaw.

(2) HumanResourceSecurity


TheCISPshallhaveinplaceanorganisationalstructuretomanagetheimplementationofinformation security within the CISP’s services with clearly defined roles andresponsibilities.


CISPE-January2017

35

Thecustomerissolelyresponsibleforitspersonnelandforanythirdpartywhoaccessesoruses the cloud infrastructure services provided to the customer (including withoutlimitationcontractors,agentsorendusers).

(3) UserAccessManagement


The CISP shall provide the customerwith an access controlmanagement system for thecloudinfrastructureserviceaspartoftheservice.Theaccesscontrolmanagementsystemshall include nominative accounts, role based access and passwords or otherauthenticationpolicymeans.

TheCISPisnotresponsibleforaccesssolutionsforthesystemsandapplicationsdeployedbythecustomerusingthecloudinfrastructureservice.


The customer is solely responsible for the use and configuration of the access controlmanagementsystemsprovidedbytheCISP.Thecustomershallberesponsibleforassigningaccessrightstotheappropriatepersonnel.

Thecustomerisresponsibleforaccesssolutionstothesystemsandapplicationsdeployedbythecustomerusingthecloudinfrastructureservice.

(4) Physicalandenvironmentalsecurity


TheCISPshall implementandmaintainphysicalandenvironmentalsecuritymeasures forthe cloud infrastructure servicedesigned tohelp customers securepersonaldataagainstunauthorisedprocessingandaccidentalorunlawfulloss,accessordisclosure.


Customersshallreview(a)theinformationmadeavailablebytheCISPrelatingtophysicaland environmental security in respect of the service, (b) the customer's chosenconfigurationof the service anduseof the features and controls available in connectionwiththecloudinfrastructureservice,and(c)thesecuritymeasuresthatcustomerwillputin place for the aspects of security under its responsibility, and make an independentdetermination that together thosemeasures provide an appropriate level of security fortheprocessingcustomerwillusetheservicestoperform.

(5) Physicalserversandequipment

CISPE-January2017

36


TheCISP is solely responsible for thedeployment,operationand securityofanyphysicalhardware used to provide the cloud infrastructure service, including any configurationneededfortheprovisionoftheservice.


The customer is solely responsible for managing the appropriate configuration of anysystemandapplicationdeployedbythecustomeronthecloudinfrastructureservice.

(6) Malwareprotectionmanagement


TheCISPshallimplementmalwareprotectiononsensitivesystems(i.e.commonlyaffectedortargetedsystems)thatarepartofthecloudinfrastructureservice.


The Customer is responsible for malware protection management on the systems andapplicationsdeployedbythecustomerusingthecloudinfrastructureservice.

(7) Vulnerabilitymanagement


The CISP shall define the level of engagement (distribution of tasks betweenCISP, delaybetweenpatchandpatching,etc.)forthecloudinfrastructureservice.


The Customer is responsible for vulnerabilitymanagement the systems and applicationsdeployedbythecustomerandhostedonthecloudinfrastructureservice.

(8) LoggingandMonitoring


The CISP shall provide the customer with monitoring (e.g. level, scope, reporting,interfaces,API)andlogging(e.g.access,records,durationofrecording)toolsforthecloudinfrastructureservice.


The customer is solely responsible for the use and configuration of themonitoring and

CISPE-January2017

37

loggingtoolsprovidedbytheCISP.

(9) Equipmentend-oflife


TheCISPshallconductastoragemediadecommissioningprocesspriortofinaldisposalofstorage media used to store customer data. The decommissioning process will beconducted in accordance with industry standard practices designed to ensure thatcustomerdatacannotberetrievedfromtheapplicabletypeofstoragemediabyanydataorinformationretrievaltoolsorsimilarmeans.


Customersshallreview(a)theinformationmadeavailablebytheCISPrelatingtostoragemediadecommissioning,(b)thecustomer'schosenconfigurationoftheserviceanduseofthefeaturesandcontrolsavailableinconnectionwiththecloudinfrastructureservice,and(c)thesecuritymeasuresthatcustomerwillputinplacefortheaspectsofsecurityunderits responsibility, andmakean independentdetermination that together thosemeasuresprovideanappropriatelevelofsecurityfortheprocessingcustomerwillusetheservicestoperform.

CISPE-January2017

38

ANNEXB

TemplateDeclarationofAdherence

This is a Declaration of Adherence ("Declaration") with the Data Protection Code ofConductforCloudInfrastructureServiceProviders(the"Code").Unlesstheyareotherwisedefined,capitalisedtermsusedinthisDeclarationwillhavethemeaninggiventothemintheCode.1. ServicescoveredbythisDeclaration

ThisDeclarationcoversthecloudinfrastructureservice(s)below(the"Services").IfthisDeclaration is beingmade formore than one service, please include details for eachservicebelow.

ServiceName

(WillappearonCISPEPublicRegister)

Furtherinformation

(OptionalandwillnotappearonCISPEPublicRegister)

Service1 [Insert] [Insert]

Service2 [Insert] [Insert]

etc

2. CISPmakingtheDeclaration

ThisDeclarationshouldbemadebyanentitywhichisasellerofrecordoftheService(s)(the "CISP"). If thisDeclaration is beingmadebymore thanoneCISP, please includedetails for each CISP below and in the declaration at Section 5. This informationwillappearontheCISPEPublicRegister.

Legalname Address

SellerofRecord1 [Insert] [Insert]

SellerofRecord2 [Insert] [Insert]

etc

3. SupportfortheDeclarationprovidedbytheCISP

ThisDeclarationissupportedby:� Certificationbyanindependentthirdpartyauditor.� Aself-assessmentbytheCISP.

CISPE-January2017

39

Your choicewill determinewhichComplianceMark theCISP is eligible touse for theService(s).

4. Auditable Code Requirements (for Declarations supported by certification by anindependentthirdpartyonly)

The Code Requirements in Table A are the Auditable Code Requirements. Pleasecomplete Table A for each Auditable Code Requirement and attach copies of allreferencedCertificates.Please indicate if Certificate(s) only apply to specific Services. If you are relying ondifferent Certificates for different services, youmay complete Table A separately foreachService.

5. Declaration

BysigningbelowtheCISP(s)confirmsthat:(a) asofthedateofthisDeclarationtheServicesadheretotheCodeRequirements;

(b) the CISPwill complywith the complaints and enforcement procedures in Section7(Governance)oftheCode;and

(c) if any change to the Service(s) or the Code means a material update to thisDeclarationisrequired,then(i)theCISPmustpromptlynotifytheSecretariat,and(ii)cooperatewiththeSecretariattoupdatethosematerials.

[CISP1NAME]

By: _____________________Name: _____________________Title: _____________________Date: _____________________

[CISP2NAME]

By: _____________________Name: _____________________Title: _____________________Date: _____________________

CISPE-January2017

40

TableA

AuditableCodeRequirementsServicescovered:[Insert]Codereference

AuditableCodeRequirement Auditstandard(s) Controlmappingorreference(s)

Date Thirdpartyauditor(s)used

Attachment(s)

5.3(a) Securitymeasures [Insert] [Insert] [Insert] [Insert]

5.3(b) Informationsecurityprogram [Insert] [Insert] [Insert] [Insert]

5.3(c) Continuedevaluation [Insert] [Insert] [Insert] [Insert]

AnnexA(1) InformationSecurityManagement [Insert] [Insert] [Insert] [Insert]

AnnexA(2) HumanResourceSecurity [Insert] [Insert] [Insert] [Insert]

AnnexA(3) UserAccessManagement [Insert] [Insert] [Insert] [Insert]

AnnexA(4) Physicalandenvironmentalsecurity [Insert] [Insert] [Insert] [Insert]

AnnexA(5) Physicalserversandequipment [Insert] [Insert] [Insert] [Insert]

AnnexA(6) Malwareprotectionmanagement [Insert] [Insert] [Insert] [Insert]

AnnexA(7) Vulnerabilitymanagement [Insert] [Insert] [Insert] [Insert]

AnnexA(8) LoggingandMonitoring [Insert] [Insert] [Insert] [Insert]

CISPE-January2017

41

AnnexA(9) Equipmentend-oflife [Insert] [Insert] [Insert] [Insert]

6.2 Ahighlevelstatementonthesecurityobjectivesandstandardsthatapplytotheservice

[Insert] [Insert] [Insert] [Insert]

6.3 Information on the design andmanagement oftheservice


6.4 Information validating the risk managementprocessesandcriteriaoftheCISP


6.5 Information on the security measuresimplementedbytheCISPfortheservice


6.6 Assurance documentation covering the CISP'sinformationsecuritymanagementsystem


2.g. code of conduct - 27 january 2017 - cispe · pdf filecispe - january 2017 1 data...

Documents