The Cloud Infrastructure Service Providers (CISPE) has published a Code of Conduct for data protection. This Code of Conduct (Code) focusses on IaaS providers. The purpose of the Code is to guide customers in assessing whether cloud infrastructure services are suitable for the processing of personal data that the customer wishes to perform. The Code consists of a set of requirements for CISPs as data processors in Section 4 (Data Protection Requirements) and Section 5 (Transparency Requirements) (together the Code Requirements). It also includes a governance structure at Section 7 (Governance) that aims to support the implementation, management, and evolution of the Code.
The WP 29 has considered the Code in light of the GDPR requirements, however it is currently only giving nonbinding recommendations. A final assessment in light of the GDPR cannot be pursued until the implementation of the GDPR on 25 May 2018. If an assessment under the regulations of the GDPR is desired, the Code has to be submitted again.