
Meeting data protection requirements with the cloud

by the editorial team
EU Cloud Code of Conduct: Data protection standard also met by the Open Telekom Cloud.
 

In this article, you will learn

  • which data protection certifications cloud users should look for,
  • the certification strategy followed by the Open Telekom Cloud,
  • and which additional agreements are important for professionals bound by confidentiality or involved in processing social data.

One of the most fundamental and frequently asked compliance questions regarding the cloud is: "Can personal data be processed in the cloud?" or "How is data protection handled in the cloud?"

GDPR is key – how do cloud providers demonstrate their GDPR compliance?

Since 2018, the EU GDPR (General Data Protection Regulation) has been the central framework for data protection in Europe. In response, SCOPE Europe—together with cloud providers and EU authorities—developed a code of conduct: the EU Data Protection Code of Conduct for Cloud Service Providers, commonly referred to as the EU Cloud Code of Conduct (EU Cloud COC). The purpose of the EU Cloud COC is to ensure consistent application of European data protection standards in cloud computing, in line with the GDPR.

The EU Cloud COC defines the rights and obligations concerning the handling of personal data in the cloud. It specifically refers to Articles 28 and 40 of the GDPR. Article 28 regulates personal data processing in outsourcing scenarios (such as cloud services) and sets clear rules for cloud service providers. Article 40 allows industries (like cloud providers) to support GDPR compliance by establishing their own codes of conduct.  

For years, the EU Cloud COC was one of the most prominent proofs of a cloud provider’s GDPR compliance. Regular audits by independent bodies make it a reliable and binding quality assurance tool. Over time, additional certifications and attestations have emerged, further confirming compliance with data protection requirements. Among these, ISO/IEC 27018 and ISO/IEC 27701 are particularly noteworthy. From a customer perspective, ISO 27701 has recently gained prominence. This accredited certification confirms that the cloud provider has implemented and continues to improve a Privacy Information Management System (PIMS). 

Double certification for data protection: EU Cloud COC and ISO 27701

Most recently, in July 2025, SCOPE Europe again certified the Open Telekom Cloud under the EU Cloud COC. "This reconfirms that the Open Telekom Cloud fully meets the requirements of the EU GDPR," explains Daniel Fussy, a certification expert at Open Telekom Cloud. In addition, the Open Telekom Cloud holds certification under ISO 27701. 

For special use cases and professional groups with stricter data protection needs than those set by the GDPR, the Open Telekom Cloud also offers legally binding commitments under § 203 of the German Criminal Code (StGB) and § 35 of the German Social Code I (SGB I). These enable the cloud to be used for processing social data or by professionals with confidentiality obligations.

All Open Telekom Cloud certificates at a glance

On our certificate page you will find a complete list of all current security certifications of the Open Telekom Cloud – regularly checked and updated.


The certification landscape is changing  

For a long time, the EU Cloud COC was seen as the gold standard in data protection. "But today, most of our customers are requesting ISO 27701 as proof of our data protection compliance," says Fussy. As a result, the Open Telekom Cloud has decided not to renew its EU Cloud COC certification after 2025. "The Code of Conduct has served both us and our customers well over the years," he adds. However, due to changes in the legal landscape, demand for it has declined. It is foreseeable that ISO 27701 will establish itself as the new standard over the next two to three years. But even that may change. A new player is gaining attention in the data protection landscape: AUDITOR, formerly known as GDPR CC. With AUDITOR, the first certification under Article 42 of the EU GDPR is emerging—one that also offers legal enforceability.

Although AUDITOR is not yet widely requested, it provides a higher level of binding assurance for cloud users regarding GDPR compliance. "As the Open Telekom Cloud team, we intend to take a closer look at AUDITOR and, if appropriate, start the certification process," says Fussy.

