The EU institutions, bodies and agencies (“the EU institutions”) have been considering the use of cloud computing services because of advantages such as costs savings and flexibility gains. They are nevertheless faced with the specific risks that the cloud computing paradigm involves and remain fully responsible regarding their data protection obligations. For cloud services, the EU institutions should ensure an equivalent level of protection of personal data as for any other type of IT infrastructure model. These Guidelines aim at providing practical advice and instructions to the EU institutions to comply with Regulation (EC) No. 45/2001. As a legislative process is currently underway to integrate the principles of the General Data Protection Regulation (Regulation (EU) 2016/679, hereafter “GDPR”) into the data protection rules for EU institutions, the new concepts are taken into account in these guidelines, referring to the relevant GDPR provisions. After adoption of the new data protection Regulation for EU institutions, an updated version will be published. The Guidelines provide recommendations and indicate best practices to implement accountability for personal data protection by helping to assess and manage the risks for data protection, privacy and other fundamental rights of individuals whose personal data are processed by cloud-based services. They collect and consolidate the advice the European Data Protection Supervisor (EDPS) has been giving the EU institutions in the last years, e.g. regarding the first inter-institutional tenders. These Guidelines outline the approach that EU institutions should take to adequately protect personal data when assessing the option of using cloud computing services for their IT systems. The specific risks brought about by the cloud computing model, which includes and often magnifies those entailed in service outsourcing, must be identified and managed and relevant safeguards put in place. The EDPS considers the best practices listed hereafter as a reference when assessing compliance with the Regulation. EU institutions may choose alternative, equally effective, measures other than the ones presented in this paper taking into account their specific needs. In this case they will need to demonstrate how these measures lead to an equivalent protection of personal data. While these Guidelines are aimed at the DPOs, DPCs, IT and IT security staff and other administrative services of EU institutions involved in designing, planning and procuring cloud computing services, other organisation interested in data protection and cloud computing might find them useful, too. EU institutions should perform an assessment of the data protection impact of the planned cloud services on the data they will process. If the assessment shows that the EU institution can in principle adopt safeguards to mitigate the risk to an acceptable level, then the EU institution should consider the resulting requirements and use them as input for the procurement specifications. In case of a negative outcome of the assessment, the EU institutions should change plans and either consider less risky cloud computing services or overall abandon the cloud option. The Guidelines focus on: – the assessment of the appropriateness of the cloud computing option; – how data protection requirements should be taken into account in the identification and choice of the cloud computing option in the procurement process; – a baseline of relevant organisational and technical safeguards, with a stress on contractual terms. The identification and assessment of general cloud specific risks is presented in an annex. Particular emphasis is given to contracts for the provision of cloud computing services. Guidance is also given on the operation of cloud services and Service Level Agreements, which can also be used to detail the IT security requirements. The contractual agreements should also integrate requirements for service terminations, including safe return of the data or portability to another service provider.