Course sections

Code of conduct, Lecture 2

Who can elaborate code of conduct?

It is essential answer of the most vital question related to the preparation of codes of conduct. According to Art. 40, para. 2 of the GDPR, associations and other organisations representing categories of data controllers or personal data processors are in a position of drawing up a code of conduct. It is necessary for all bodies preparing codes to ensure information and moreover evidences of their representative power with regard to the controllers/ processors of the specific sector/ industry. Based on DPAs experience after 25 May 2018 many submitted for consultation codes of conduct were inadmissible due to lack of such representing power. The main concept is related to the common processing activities within certain economic sector/ industry. These activities should be described in details throughout internal documents of each data controller or processor. It can lead to procedural changes and temporary difficulties in everyday company life resulting in economic loss.
Like every other case related to the process of demonstrating compliance with new legal framework, it is a matter of additional unnumbered bunch of expenses (for instance staff training, consultant services, etc.). Associations/ organisations representing categories of controllers/ processors might save sector’s funds by preparing common documents and standardised data processing activities within the sector. Code of conduct makes entire economic sector data processing more understandable as well as predictable for data subjects. It is extremely important since this directly implements transparency principle and fulfils both data controllers’ and processors’ obligation for demonstration of processing in compliance with the GDPR (Art. 5).