Additional criteria and certifications

Some other criteria and certifications will also be accepted in DOME, although they will not be required to achieve any level. These criteria (through self-attestation) and/or certifications will be visible in the offering's compliance profile but will not influence the compliance levels.

EUROPEAN CONTROL

EC-1: The Provider shall provide the option that all Customer personal data are processed and stored exclusively in EU/EEA. 

EC-2: The relevant offering shall process and store all Customer personal data exclusively in the EU/EEA.

EC-3: If the Provider or any of its subcontractors is subject to legal obligations to transmit or disclose Customer personal data on the basis of a non-EU/EEA statutory order, the Provider shall have verified safeguards in place to ensure that any access request is compliant with EU/EEA/Member State law. 

EC-4: The Provider’s registered head office, headquarters and main establishment shall be established in a Member State of the EU/EEA. 

EC-5: The Provider’s registered head office, headquarters and main establishment shall be established in a Member State of the EU/EEA. Shareholders in the Provider whose registered head office, headquarters and main establishment are not established in a Member State of the EU/EEA shall not, directly or indirectly, individually or jointly, hold control of the Provider. Control is defined as the ability of a natural or legal person to exercise decisive influence directly or indirectly on the CSP through one or more intermediate entities, de jure or de facto (cf. Council Regulation No 139/2004 and Commission Consolidated Jurisdictional Notice under Council Regulation (EC) No 139/2004 for illustrations of decisive control).

EC-6: In the event of recourse by the Provider, in the context of the services provided to the Customer, to the services of a third-party company - including a subcontractor - whose registered head office, headquarters and main establishment is outside of the European Union or who is owned or controlled directly or indirectly by another third-party company registered outside the EU/EEA, the third-party company shall have no access over the Customer personal data nor access and identity management for the services provided to the Customer. The Provider, including any of its sub-processors, shall push back any request received from non-European authorities to obtain communication of Customer personal data relating to European Customers, except if the request is made in execution of a court judgment or order that is valid and compliant under Union law and applicable Member States law as provided by Article 48 GDPR.

EC-7: The Provider must maintain continuous operating autonomy for all or part of the services it provides. The concept of operating autonomy shall be understood as the ability to maintain the provision of the cloud computing service by drawing on the provider’s own skills or by using adequate alternatives.