Verifying GDPR requirements: OCI adheres to the EU Code of Conduct Level 2

August 5, 2022 | 4 minute read
Christy Thomas
Senior Program Manager
Text Size 100%:

For both individuals and organizations, data is your most valuable asset. Ensuring the security, integrity, availability, and confidentiality of your data is of the utmost importance. Data protection is a top priority for Oracle, and we actively take steps to help ensure that customers have the tools they need to protect their data.

Many privacy frameworks aim to implement data protection standards, but with the rapid adoption of cloud technology that stores, processes, and transmits data, cloud customers need to consider data safeguards within the cloud shared responsibility model. Here, the European Union Privacy Cloud Code of Conduct (EU CoC) comes into play. The European Data Protection Board (EDPB) has issued a favorable opinion, stating that the EU “CoC facilitates effective application of the European General Data Protection Regulation (GDPR)” requirements.

As a founding member of the EU CoC, Oracle is pleased to announce the completion of the Oracle Cloud Infrastructure (OCI) EU CoC Level 2 assessment. Oracle’s adherence to the framework has been verified by an independent auditor, and the result has been published in the EU CoC public register, meaning that OCI’s suite of services adheres to the stringent EU CoC requirements.

What is the European Union Code of Conduct?

Let’s review some key details about the EU CoC framework and what it’s trying to accomplish for the GDPR.

Often referred to as “the Code,” the EU CoC is a set of requirements that enable cloud service providers to demonstrate their capability to comply with GDPR. It provides cloud-specific approaches and recommendations for monitoring compliance with the Code, including a roadmap that tracks Code requirements to GDPR and other international standards, such as ISO/IEC.

The Code is supported by a controls catalog that maps the requirements of the Code to auditable elements (controls) and corresponding provisions of the GDPR and international standards. These controls are designed to ensure that appropriate technical and organizational security measures are in effect and encompass significant aspects of data protection, such as data transfers and data subject rights.

EU CoC Level 2 compliance relies on independent third-party audits and certifications, such as ISO/IEC 27001, 27701, 27017, and 27018, to supplement OCI’s attestation of adherence to the Code. Oracle controls have been verified by the monitoring body, SCOPE Europe, and found to be compliant with Level 2 requirements.

SCOPE Europe is a Belgian non-profit association supporting the coregulation of the information economy. It was founded in February 2017 as a subsidiary of the German non-profit-organization SRIW e.V. (Selbstregulierung Informationswirtschaft, Self-Regulation Information Economy). In May 2021, it became the first monitoring body to be accredited as a monitoring body for the Code, under Article 41 of the GDPR and the corresponding Guidelines on Codes of Conduct and Monitoring Bodies under Regulation issued by the EDPB.

What does the EU CoC mean for customers?

Now that we’ve covered what the EU CoC is, let’s dive into what this declaration of compliance means for you.

In the context of GDPR, Oracle is a data processor, and you as a customer remain the data controller. However, Article 28 of the GDPR states that “the controller shall use only processors providing sufficient guarantees.”  Good news: OCI’s adherence to the Code can be used to demonstrate “sufficient guarantees” and can act as a risk-mitigating measure during a Data Protection Impact Assessment (DPIA), under Article 35 in the GDPR.

The Code has been approved by the EDPB as the first privacy code under the GDPR for cloud service providers. Oracle’s adoption of the Code provides a framework for you to assess that our cloud services help provide adequate privacy protection under the GDPR.

Oracle Cloud EU Code of Conduct
EU Cloud CoC Verification-ID: 2022LVL02SCOPE4214

Oracle’s ongoing commitment to data privacy

Oracle continues to invest in products and services that support the security, privacy, and compliance needs of our customers. The EU CoC is yet another way to demonstrate our commitment to the GDPR data protection requirements. We also offer the following resources for customers looking to learn more about Oracle’s approach to privacy and compliance:

We’re deeply committed to making our customers successful in the cloud. Contact one of our representatives for more information on using Oracle Cloud in the European Union.

Christy Thomas

Senior Program Manager

Previous Post

Updates to the OCI CAF Security Pillar deliver enhanced documentation for multi-layered cloud security

Fabio Bonisoli | 3 min read

Next Post

Announcing GraalVM Enterprise in OCI Code Editor and Cloud Shell

Sachin Pikle | 3 min read