On December 2nd, the European Data Protection Board (EDPB) adopted its opinion on the UK data protection Supervisory Authority draft accreditation requirements for a code of conduct monitoring body.
Earlier this year, the United Kingdom Supervisory Authority (UK SA) submitted its draft decision containing the accreditation requirements for a code of conduct monitoring body to the EDPB for assessment and opinion. This is in line with Article 64 of the GDPR, which makes the EDPB responsible for ensuring the consistent application of the GDPR when a supervisory authority intends to approve a code of conduct. Two weeks ago, the EDPB adopted its opinion on the UK SA draft accreditation requirements.
The opinion aims to ensure consistency and the correct application of requirements among EEA Supervisory Authorities.
Codes of Conduct and the GDPR
An ICO document explains that, under the GDPR, trade associations and representative bodies may draw up codes of conduct that cover topics that are important to their members. These topics, the ICO offers, can include fair and transparent processing, pseudonymisation or the exercise of people’s rights. The ICO adds that while codes of conduct are not mandatory under the GDPR, they are a good way of developing sector-specific guidelines to help with compliance with the GDPR.
EDPB Opinion Summary
Upon assessment, the EDPB concluded that the draft accreditation requirements of the UK SA may “lead to inconsistent application of the accreditation for monitoring bodies.” As such, the EDPB proposed several recommendations and changes to the draft accreditation requirements. These recommendations include that the UK SA provide clarification on the requirements for accountability and offer more examples of the kind of evidence that the monitoring bodies can provide.
The EDPB Opinion document notes that according to Article 64 (7) and (8) GDPR, the supervisory authority shall communicate to the Chair by electronic means within two weeks after receiving the opinion, whether it will amend or maintain its draft decision. Within the same period, it shall provide the amended draft decision or where it does not intend to follow the opinion of the Board, it shall provide the relevant grounds for which it does not intend to follow the opinion, in whole or in part. The supervisory authority shall communicate the final decision to the Board for inclusion in the register of decisions which have been subject to the consistency mechanism.
Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR and UK Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.