The CISPE Code of Conduct

CISPE (Cloud Infrastructure Services Providers in Europe) is a coalition of cloud computing leaders serving millions of European customers. The CISPE Data Protection Code of Conduct (CISPE Code) is the first pan-European data protection code of conduct for cloud infrastructure service providers under Article 40 of the European Union’s General Data Protection Regulation (GDPR). It was approved by the European Data Protection Board (EDPB) in May 2021 and formally adopted by the French Data Protection Authority (CNIL), acting as the competent supervisory authority, in June 2021.

The CISPE Code assures organizations that their cloud infrastructure service provider meets the requirements applicable to a data processor under the GDPR. This gives cloud customers additional confidence that they can choose services that have been independently verified for their compliance with the GDPR.

The CISPE Code goes beyond GDPR compliance by requiring cloud infrastructure service providers to give customers the choice to select services that store and process customer data exclusively within the European Economic Area. Cloud infrastructure service providers must also commit that they will not access or use any customer data, except as necessary to provide and maintain the declared services. In particular, the cloud infrastructure service providers must commit to not use customer data for their own purposes, including for data mining, profiling or direct marketing. Ernst and Young CertifyPoint (EYCP) independently certified AWS services listed on the CISPE Public Register complying with the CISPE Code. EYCP was the first "monitoring body" accredited by CNIL to verify cloud infrastructure provider's compliance with the CISPE Code.

Currently, 107 AWS services are certified as compliant with the Cloud Infrastructure Services Providers in Europe (CISPE) Data Protection Code of Conduct. This alignment with the CISPE requirements demonstrates our ongoing commitment to adhere to the heightened expectations for data protection by cloud service providers. AWS customers who use AWS certified services can be confident that their data is processed in adherence with the European Union’s General Data Protection Regulation (GDPR).

AWS supports more security standards and compliance certifications than any other cloud provider, and we are continuously reviewing the needs of our customers as the regulatory environment evolves. The CISPE Code provides an added level of assurance to our customers that AWS Cloud services can be used in compliance with the GDPR and addresses our customers’ compliance requirements today.