Course sections

Code of conduct, Lecture 3

CoC mechanism

The main objectives of code of conduct in GDPR outline and gives guidelines to the appropriate and relevant parties how to follow and comply with the newly developed secondary legislation. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct to facilitate the effective and proper application of the Regulation, taking account of the specific characteristics of the processing carried out in certain sectors and the specific needs of micro, small and medium size enterprises.

CoC can cover areas related and including:

• fair and transparent processing
• legitimate interests pursued by controllers in specific contexts
• collection of data
• pseudonymisation (data management and de-identification procedure by which personally identifiable information fields within a data record are replaced by one or more artificial identifiers, or pseudonyms)
• exercise of the rights of individuals
• measures to ensure security
• notification of data breaches
• protection of minors and modes of parental consent;
• transfer of personal data to third countries or international organizations

Codes of conduct shall be approved and monitored by the supervisory authority, according to Article 41 of the Regulation. Furthermore, they should include provisions to permit the mandatory monitoring of compliance by a designated body, without prejudice to the tasks and powers of the supervisory authority. In order to become an accredited body by the supervisory authority one should demonstrate:

• independence and expertise;
• established procedures to assess the ability of controllers and processors to apply the CoC, and to monitor compliance, as well as periodically review the code;
• ability to deal with complaints about infringements;
• avoidance of conflicts of interest.

Accreditations are revocable if the conditions for the accreditation are no longer met.

Adhering to a code of conduct is about brand values and a promise towards partners and customers as well. Among the better known ways to demonstrate compliance is the fact that relevant stakeholders are able to meet fundamental data subject rights or have taken the proper technical and organizational measures as GDPR Recital 78 mentions, referring to internal policies, and measures the responsible bodies have taken to meet those GDPR principles of data protection by design and by default.
Once a code of conduct is in draft it still needs to be approved by the supervisory authority which is competent in line with Article 55, and looks, among others, if it has sufficient appropriate safeguards and can approve the draft code (or amendment or extension regarding one). If the code of conduct spans across several member states, as for example of a cloud infrastructure service providers, the EDPB also needs to comment, and after that the Commission needs to check it.
Some of the primarily benefits of adhering to codes of conduct includes: creating greater trust (raising the trust level by demonstrating sufficient guarantees and safeguards) in the business one provides/offers; helping to demonstrate GDPR compliance; making cross-border situations easier, stakeholders will be monitored to see if they really adhere to, so it requires commitment; the code also serves as raising technical awareness in relation to the Regulation. If controllers use approved codes of conducts and/or expect their processors to adhere to codes of conduct within their market or processing activity those processors who don’t adhere to the required codes of conduct might simply be less considered as potential business partners. However, while adhering to codes of conduct makes you a more trusted party helps you demonstrate GDPR compliance and makes cross-border situations easier, you will be monitored to see if you really adhere so it’s not a decision to take lightly. These codes may demonstrate that a controller or processor has identified any risk related to data processing; assessed the origin, nature, likelihood, and severity of the risk; and determined how best to mitigate the risk. The GDPR’s key breakthrough with regard to codes of conduct is the notion that they can be made binding and enforceable—rather than merely voluntary and self-regulatory. Pursuant to Article 83(4)(c), moreover, an accredited monitoring body faces fines up to 10,000,000 EUR for failing to “take appropriate action” when a controller or processor infringes a code of conduct. On the other hand, the regulator is essentially involved in safeguarding adequate data protection and credibility.

Codes of conducts must not to be confused with binding corporate rules, as the latter affect only entire companies and solely address adequacy. By signing up to a Code of conduct, though, companies may choose to certify individual services rather than all business operations. Notably, codes can incorporate any provision of the GDPR open for interpretation and balancing of interests. The codes of conduct create successful opportunities how to combine different  internal points of view (Privacy Officer, Compliance Manager, CIO, CSO, CISO etc.) with external ones (DPA and customers).

In summary, codes of conduct and monitoring pursuant to Articles 40 and 41 GDPR will help provide efficient means to demonstrate compliance under GDPR and offer a suitable regulatory tool to foster innovation in the digital economy while safeguarding robust data protection standards and customer trust in the protection of personal rights. As a matter of fact, codes even give organizations the unique opportunity to concretize Europe’s new data privacy rules and foster a Europe-wide practical and innovation-friendly interpretation of GDPR. They will serve as compliance-signalling tools for controllers and processors. Codes of conduct give an opportunity and security to all types of business, especially micro, small and medium-sized enterprises to a fair-competition and equality, based on the established communality of adhering and complying to the procedures on the market place.