The European Data Protection Board (EDPB) adopted guidelines on codes of conduct, aimed at providing practical guidance and interpretative assistance on the application of Articles 40 and 41 GDPR.
The GDPR introduced ‘accountability’ as a key concept for data protection. Accountability places the focus on data controllers being responsible for, and able to demonstrate, compliance with the Regulation. The GDPR recognises codes of conduct as a valid mechanism for demonstrating compliance with the obligations of controllers and processors. The guidelines intend to establish the basis and standards for the submission, approval and publication of codes of conduct and to act as a framework for all competent supervisory authorities and relevant institutions. The document will be subject to a public consultation.
Codes of conduct are voluntary accountability tools which set out specific data protection rules for categories of controllers and processors from a specific sector, allowing them to achieve data protection compliance in a more cost-effective way. Codes give controllers and processors a degree of autonomy to agree the best-practice rules for their industry, based on their own expertise, and at the same time they are an effective way to earn the trust and confidence of data subjects, since adherence represents a public commitment by controllers and processors with regard to their processing activities. Adherence to an approved code of conduct may also be taken into consideration by supervisory authorities when evaluating specific features of data processing, such as the security measures in place (Article 32(3) GDPR allows adherence to an approved code to be used as an element to demonstrate compliance with the security requirements) or the impact of data breaches; adherence is also among the factors a supervisory authority weighs when deciding on administrative fines (Article 83(2)(j) GDPR).
The EDPB has established admissibility criteria for codes of conduct that supervisory authorities should consider when evaluating a draft:
- Explanatory statement and supporting documentation, which shall provide details as to the purpose and scope of the code.
- Representativeness: the code must be submitted by an association, a consortium of associations, or another body representing categories of controllers or processors.
- Processing scope: the draft must detail both the processing activities and the categories of controllers or processors to which the code applies.
- Territorial scope: the document must specify its national or international scope and identify all relevant jurisdictions to which it intends to apply.
- Submission to a supervisory authority: the supervisory authority chosen to review a draft code must be competent in accordance with GDPR requirements.
- Oversight mechanisms: the draft code must propose mechanisms for monitoring compliance by the controllers and processors who voluntarily adhere to it.
- Consultation: a prior consultation involving the stakeholders must be carried out, and the draft code shall include the relevant information about it.
- National legislation: the draft code must be in compliance with applicable national legislation, in particular where the Code affects a sector which is governed by specific provisions.
- Language: in general terms, a Code should be submitted in the language of the supervisory authority of the Member State where the Code will apply, and for transnational Codes, the Code should be submitted also in English.
Additionally, code owners will need to be able to demonstrate how their code will meet the specific needs of the industry in terms of the GDPR and, at the same time, benefit society.
With regard to the rest of the approval process, code owners can formally submit the draft code to the supervisory authority in either electronic or written format. Where the draft code fails to meet the admissibility criteria, the process comes to an end and a new submission is required. For international codes, the supervisory authority to which the code is submitted will notify all other supervisory authorities, and a maximum of two co-reviewers will provide their comments on the content of the code within thirty days of their confirmation as co-reviewers. The competent supervisory authority will make the final determination as to whether a draft decision should be submitted to the EDPB for its opinion.
Finally, in order for a Code to be approved, a monitoring body (or bodies) must be identified as part of the Code and accredited by the relevant supervisory authority as being capable of effectively monitoring the Code. There are some requirements that monitoring bodies shall meet:
- Independence: the monitoring body must be appropriately independent, in terms of the impartiality of its function, from the code members and from the profession, industry or sector to which the code applies. Monitoring bodies can nonetheless be either external or internal; for an internal body, there must be separate staff, management, accountability and function from the other areas of the organisation.
- Conflict of interest: much like a DPO, the monitoring body may not take instructions from code owners or members, and it must avoid any incompatible tasks or activities.
- Expertise: the monitoring body shall have an adequate level of expertise to carry out its role in an effective manner, in respect both of data protection law as well as of the particular sector.
- Established procedures and structures: the monitoring body will also need to have appropriate governance structures and procedures which allow it to adequately monitor the compliance with the Code.
- Transparency: the monitoring body must establish effective procedures and structures for handling complaints in an impartial and transparent manner, and it must also have effective procedures and powers to ensure compliance with the code by the adhering controllers and processors.
You can access the original document here.