I’m announcing that Azure has achieved adherence to the EU Cloud Code of Conduct (EU Cloud CoC), developed for cloud providers to align with the EU’s General Data Protection Regulation (GDPR). The EU Cloud CoC is the first GDPR code of conduct that has received the European Data Protection Board (EDPB) positive opinion, which was followed by final approval led by the Belgian Data Protection Authority. The EU Cloud CoC also marks the 100th compliance offering for Azure, more than any other cloud provider, providing customers a high level of assurance through controls, evidence, and verification.
The EU Cloud CoC serves as a basis for implementing the requirements of Article 28 of the GDPR for cloud providers acting as business-to-business processors under the GDPR. Because the EU Cloud CoC is approved by the EDPB, Azure customers can use Azure’s adherence to help demonstrate their own GDPR compliance, as well as cite it as a risk mitigator in a GDPR Data Protection Impact Assessment (DPIA). Article 40 of the GDPR specifically encourages the creation of codes of conduct, so as “to contribute to the proper application of the regulation.” SCOPE Europe acts as the independent monitoring body of the EU Cloud CoC.
“This verification of adherence for over 140 Azure services shows the broadness and robustness of our monitoring scheme, which applies strong safeguards to ensure that declared services are meeting all requirements set out in the Code. With the support of key companies like Microsoft, and now with its final approval, the EU Cloud Code of Conduct has solidified its position as an unparalleled market standard capable of ensuring GDPR compliance while fostering continuous innovation and growth.”—Jörn Wittmann, Managing Director, SCOPE Europe
Microsoft Azure services are verified compliant with the EU Cloud CoC, Verification-ID: 2021LVL02SCOPE116. For further information please visit the EU Cloud CoC Public Register.
Microsoft has long demonstrated our commitment to meet and exceed the requirements of EU data protection laws. For instance, we were the first major technology company to affirm our compliance with the GDPR and to extend core GDPR rights and protections to our consumer customers globally—not just to those in the EU. Earlier this month, we announced the EU Data Boundary for the Microsoft Cloud, which by the end of 2022 will go beyond our existing data storage commitments and enable commercial or public sector customers in the EU to process and store all of their data in the EU.
Microsoft submitted Azure’s attestation of adherence to the EU Cloud CoC based on facts submitted to SCOPE Europe, relying on third-party audits from three widely-regarded certifications: ISO/IEC 27001 (Information Security Management System), ISO/IEC 27701 (Privacy Information Management System), and ISO/IEC 27018 (Cloud Privacy), which are foundational to Azure security and compliance. Customers and evaluators can verify Azure’s adherence to these and other security and privacy standards, such as SOC 1-3, FedRAMP, NIST 800-53, HITRUST, and PCI DSS, in Azure Security Center. Azure combines these certifications with hundreds of built-in security controls, such as authentication, access, encryption, and logging, that are mapped to these standards.
Now with 100 compliance offerings, Azure has the industry’s broadest and deepest compliance portfolio. Azure compliance offerings are truly global, with over 60 offerings specific to over 20 regions and countries, including Argentina, Australia, Belgium, Canada, China, Denmark, EU, France, Germany, India, Japan, Korea, the Netherlands, New Zealand, Poland, Singapore, Spain, Switzerland, the UAE, the United Kingdom, and the United States. Azure is also built for the specific needs of key industries, with over 50 compliance offerings specific to the health, government, finance, education, manufacturing, and media industries.