The essential characteristics of cloud computing, such as elasticity or broad network access, provide many economic benefits for its users, but these benefits are accompanied by many security and privacy risks. These risks can generally be classified into legal and technical risks. The upcoming general data protection regulation by the European Commission (COM (2012) 11) strengthens the consumer’s rights with changes like a single set of European rules and more data protection obligations for organizations. Once the general data protection regulation becomes effective, organizations will have to fulfill more requirements to comply with the law, especially in situations of security breaches or issues about the life cycle and the processing of data. In this paper we describe a framework for the evaluation of cloud service providers with regard to the upcoming EU data protection regulation. The framework shall help service providers to comply with the new regulation, and shall enable consumers to evaluate the security and privacy competencies of cloud service providers.