Beltug recommendations for your SaaS negotiations: SWIPO and the SaaS CoC

Negotiating contracts with Cloud Service Providers is a complex yet critical endeavour for organisations. As the ‘voice of the business user’, we are committed to keeping our members well-informed and prepared. Together with our sister associations Cigref (France), CIO Platform (Netherlands) and VOICE e.V. (Germany), we have put together concrete Recommendations plus a Data Portability Questionnaire, based around the recently published SaaS Code of Conduct (CoC) from SWIPO.

18 / 11 / 20

Downloads
  • SWIPO - observations and recommendations Beltug - Cigref - CIO - VOICE

Overcoming roadblocks to porting your data

SWIPO (SWitching from provider and POrting non-personal data) is the name for the working groups, comprising users and providers, set up to address EU Regulation 2018/1807 on the free transfer of non-personal data in the EU. One goal of the Regulation is to resolve the legal, contractual and technical roadblocks that make it difficult or impossible for companies using data processing services to port their data from one service provider to another, or even back to their own systems.

The SWIPO working groups are drafting self-regulating ‘Codes of Conduct’ to address these roadblocks. These codes should define best practices and information requirements that reduce vendor lock-in, by making it smoother to switch providers and simplifying data porting. And they should ensure that Cloud Service Providers supply business users with detailed, clear and transparent information before signing a contract for data storage and processing.

The general SWIPO Principles
  1. Switching between service providers and data porting must be possible, effective, not cost consuming, and easy.
  2. The ability to port data without hindrance is a key factor in facilitating user choice and effective competition on markets for data processing services. [Consideration 29]
  3. In order to take full advantage of the competitive environment, professional users should be able to make informed choices and to easily compare the individual components of various data processing services offered in the internal market, including in respect of the contractual terms and conditions of porting data upon the termination of a contract. [Consideration 30]
  4. Trust enhancement in the security of cross-border data processing is a key factor to improve the legal certainty for companies as regards compliance with the applicable security requirements when organisations outsource their data processing activities to service providers, including to those in other Member States. [Consideration 33]
  5. All security requirements related to data processing that are applied in a justified and proportionate manner on the basis of Union or national law in compliance with Union law in the Member State of residence or establishment of the natural or legal persons whose data are concerned, will continue to apply to processing of that data in another Member State. [Consideration 34]

(Source: SWIPO Common Scope and Approach Version 0.10 10 June 2019, our bold and references to the corresponding considerations of the Regulation.)

The above principles do not appear in the 2020 version of the document. This is very unfortunate, as they could be inspirational for the future evolution of the Code of Conduct.

CoC for SaaS and IaaS: strengths and gaps

So far, Codes of Conduct (CoC) have been created for SaaS and IaaS (you can find them on the SWIPO website). They cover several important details; for example, the current version of the SaaS CoC handles the technical aspects of porting rather adequately.

However, there are a number of gaps: it does not assure data export for interoperability, nor porting at all times; it does not assure data export in case of organisational change; it does not address cost moderation; it does not protect users from unilateral changes in contract terms; and more.

Our recommendations and observations

While Beltug and our sister organisations do encourage Cloud Service Providers to adhere to the CoC, this in itself is not enough for users to be confident that all of their needs are being met.

‘SWIPO. A new Code of Conduct for data import and data export for SaaS Suppliers: Observations and recommendations’ explains the background of SWIPO, provides observations on the strengths and gaps of the CoC, and gives recommendations on what your organisation can do when preparing tenders, and negotiating with Cloud Service Providers. This includes a Data Portability Questionnaire (linked in the Recommendations) that you can use with providers who do and who do not adhere to the SaaS CoC.

We encourage you to share this document with all those involved in the selection of a SaaS application: business project leads, technical staff, buyers, contract drafters and legal counsellors.

Belgian association of CIOs and digital technology leaders.