On 12 February 2019, the European Data Protection Board ("EDPB") published for public consultation Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 ("GDPR"). The Guidelines seek to provide practical guidance and interpretative assistance in relation to the application of Articles 40 (codes of conduct) and 41 (monitoring of codes) of the GDPR.
The creation of a code is open to all trade associations or bodies representing a sector and can provide more specific information on how to comply with the GDPR. Codes can be national or transnational, the latter meaning that the code covers processing activities in more than one Member State.
From a compliance perspective, codes can be a useful and effective accountability tool, providing a detailed description of the most appropriate, legal and ethical set of behaviours of a sector. In this regard, codes can be drawn up to reflect the specific characteristics of processing carried out in specific sectors.
From an enforcement perspective, codes also benefit supervisory authorities by allowing them to gain a better understanding of and insight into the data processing activities of a specific profession, industry or other sector.
The Guidelines thus act as a framework for all Competent Supervisory Authorities ("CompSAs"), the EDPB and the Commission in the assessment of the procedures and the rules involved in the admissibility, submission, acceptance, approval and publication of codes at both the national and European levels.
Minimum Requirements for Codes of Conduct
While processors and controllers in all sectors are free to establish codes of conduct, there are minimum requirements set out which a CompSA must evaluate. A code can only be submitted by an association/consortium of associations or other bodies representing categories of controllers or processors (code owners) in accordance with Article 40(2) GDPR.
Furthermore, every draft code submitted for approval must contain a clear and concise explanatory statement which provides details as to the purpose of the code, the scope of the code both in terms of processing operations and territorial scope and how it will facilitate the effective application of the GDPR. In line with Recital 99 of the GDPR, a draft code must also contain information gathered through the consultation of the relevant stakeholders, including data subjects, where feasible.
Most importantly, a code should not just re-state the GDPR. Instead, it should aim to codify how the GDPR will apply in a specific, practical and precise manner. It should have added value, for example by employing terminology that is unique and relevant to the industry and providing concrete case scenarios or specific examples of 'best practice'.
The Guidelines provide the criteria for approving codes. Code authors have to demonstrate that their draft code: (i) meets a particular need of that sector or processing activity; (ii) facilitates the application of the GDPR; (iii) specifies the application of the GDPR; (iv) provides sufficient safeguards; and (v) creates effective mechanisms for monitoring compliance with a code. The Guidelines also foresee more information on the submission, acceptance and approval of a code.
Monitoring Compliance with Code of Conduct
The Guidelines also set out the requirements for the monitoring of compliance with a code of conduct. The Guidelines discuss two main models of monitoring: external and internal monitoring bodies, which give code owners the flexibility to choose an approach that is appropriate in the context of the code. Examples of internal monitoring bodies could include an ad hoc internal committee or a distinct, independent department within the code owner.
According to the Guidelines, such bodies must be independent and impartial and must possess the requisite level of expertise. Independence could imply that an external counsel or other party be involved to demonstrate that there are appropriate safeguards to mitigate a risk of a conflict of interest. In the case of internal bodies, independence could be demonstrated by showing full autonomy for the management of the budget and other resources.
A monitoring body will have to establish effective procedures to deal with complaints that are handled in an impartial and transparent manner. It needs to have a publicly accessible complaints handling process which is sufficiently resourced to manage complaints and to ensure that decisions of the body are made publicly available. A monitoring body should also have effective procedures to ensure compliance with the code by controllers or processors. An example would be to give the monitoring body powers to suspend or exclude a controller or processor from the code when it acts outside the terms of the code (i.e., corrective measures).
A copy of the Guidelines which are open for public consultation can be found here. Comments on the Guidelines should reach the EDPB by 2 April 2019.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.