What Is CSA’s Code of Conduct for GDPR Compliance?

Want more content?

By subscribing to our mailing list, you will be enrolled to receive our latest blogs, product updates, industry news, and more!

Quick Hits: 
  • CSA’s Code of Conduct for GDPR compliance is a comprehensive framework for meeting the EU’s General Data Protection Regulation.
  • This self-assessment has several benefits for businesses, such as providing a compliance resource and transparency guidelines regarding a cloud service provider’s data protection level.
  • Cloud Security Alliance (CSA) is the world’s leading organization that helps define and raise awareness of the best security practices to ensure a secure cloud computing environment.
What Is CSA’s Code of Conduct for GDPR Compliance? 

Cloud Security Alliance (CSA) offers a Code of Conduct (CoC) for the European Union’s (EU) General Data Protection Regulation (GDPR) compliance. This self-assessment is a reliable and comprehensive legal framework to help B2B businesses and Data Protection Officers using cloud services comply with the EU’s GDPR. The CSA CoC is designed to ensure transparency and compliance with GDPR. The CoC’s goals are to:  

  • Offer cloud service providers an effective resource to reach GDPR compliance and demonstrate it through either self-attestation or third-party assessment.  
  • Offer cloud customers a tool to evaluate a CSP’s level of data protection compliance. 
  • Establish additional value for CSPs, cloud customers, data subjects, and the cloud community: 
  • Identify relevant GDPR provisions for CSPs. 
  • Explain the purpose and relevance of these provisions when applied to cloud computing. 
  • Improve data protection and privacy in cloud computing by implementing additional controls. 
  • Create a CoC with enforceable obligations for all CSPs acting as controllers or processors.  

The CSA CoC includes six pillars, which are game-changers for data protection: 

1. Principle of Accountability

2. Principle of Transparency

3. Risk-based Approach to Compliance

4. Right to Be Forgotten and Data Portability

5. Sanctions and Enforcement

6. Data Subject Remedies  

CSPs can use the CSA CoC regarding one or more services they provide. Additionally, the CoC can be used or referenced as an appendix to a service agreement.   

 CSA CoC Self-Assessment 

Independent legal experts formally review self-assessments. The compliance mark is valid for 1 year and must be revised any time there is a change to a CSP’s policies or practices related to cloud services under assessment. With this approach, CSPs may still need to undergo third-party auditing upon request.  

CSA Third-Party Assessment 

A Qualified CoC Auditing partner conducts third-party assessments. This assessment’s compliance mark is also valid for 12 months and must be revised whenever there is a change to the company’s policies or practices regarding services under evaluation. Furthermore, this validation process aims to verify that the Privacy Level Agreement (PLA) Code of Practice (CoP) requirements have been implemented correctly and that the CoP template information is accurate. The PLA Working Group is responsible for providing expert opinions to CSA regarding any complaints received. 

Why Was This Self-Assessment Created? 

This CSA self-assessment was established to help CSPs achieve GDPR compliance and provide proof that a CSP is compliant with GDPR and follows best practices for security and data protection. “The Code of Conduct is an important resource for us to build trust with clients and show that our organization prioritizes complying with GDPR privacy regulations,” TokenEx GRC Manager Marc Phillips said. “We believe it to be a helpful addition to our PCI, SOC2, and ISO27001 certifications.”  

Why Is This Self-Assessment Important? 

The CoC is a vital resource that helps cloud service providers determine the level they need to protect customer data. Further, this self-assessment can help customers evaluate a CSP’s security and compliance status. Indeed, customers can be confident that CSPs who complete this assessment are following best practices for data protection, security, and compliance. Co-founder and CEO of CSA, Jim Reavis, says it best: “There are few better ways to showcase your commitment to privacy than CSA’s Code of Conduct for GDPR Compliance.” 


“Accountability and transparency are fundamental pillars of good governance and risk management,” Daniele Catteddu, CTO at Cloud Security Alliance, said. “Building an accountability program is key for each organization that wants to achieve compliance with both internal and external requirements, such as for instance, the European GDPR. The CSA Code of Conduct for GDPR, and the STAR Program, more in general, have been created to be a strategic tool to help shape the security and privacy assurance, compliance, and accountability program of an organization. An organization that adheres to the STAR Program, by satisfying the security requirements of the Cloud Control Matrix, and the privacy requirements of the CSA GDPR CoC (PLA Code of Practice), shows a commitment toward assurance and transparency to both the customers, data subjects and regulators.”

Daniele Catteddu

Chief technology Officer | csa


Benefits of CSA’s CoC for GDPR Compliance 

Using CSA’s Code of Conduct for GDPR compliance has several benefits. Here are a few:  

  • Completeness – CSA can guide CSPs of any size and location on how to comply with the EU’s personal data protection law and reveal the level of personal data protection offered to customers.
  • Flexibility – CSA’s CoC can be applied to any cloud delivery model, including IaaS, PaaS, and SaaS
  • Rigor – The CoC offers a consistent and proven template to meet the strict GDPR requirements.
  • Transparency – This self-assessment makes it easy for cloud customers to understand how their personal data is stored, processed, and handled by providing a transparent view of what a CSP is doing.
  • Utility – Cloud customers can use this CoC to determine the level of personal data protection that various cloud service providers offer users.

CoC for Cloud Service Providers: 

  • It provides proof of GDPR compliance. 
  • It simplifies the contracting process and accelerates sales cycles. 
  • It offers assurance to cloud customers of data privacy in combination with CSA’s STAR. 
  • It can be used for CSPs acting as data processors and data controllers. 
  • It fully complies with GDPR by linking legal to technical requirements through CoC and CSA Security, Trust, Assurance, and Risk (STAR) Levels 1 and 2. 

CoC for Enterprises: 

  • It simplifies the contracting process. 
  • It decreases the time needed for internal legal reviews. 
  • It emphasizes critical topics and contracting terms for internal discussion and external negotiation to help customers make informed decisions about a CSP. 
  • Offers enterprise legal teams with proven frameworks for GDPR compliance when contracting for cloud services. 
About Cloud Security Alliance 

Cloud Security Alliance (CSA) is the world’s leading organization that helps define and raise awareness of the best security practices to ensure a secure cloud computing environment. CSA leverages subject matter expertise from industry practitioners, associations, governments, and its corporate and individual members to provide cloud security-specific research, education, certification, events, and products. Visit CSA’s resource center for additional information about its CoC for GDPR compliance 

How to Maintain GDPR Compliance 

No matter what type of data you need to protect, adhering to data protection laws is vital. The TokenEx Data Protection platform is built to protect your sensitive data from theft. For over a decade, we have helped clients across the globe protect what matters most while enabling their critical business operations. Contact TokenEx today to learn more about how we can help your business achieve GDPR compliance, secure your sensitive data, and more.