The EDPB published Guidelines regarding the provisions under Articles 40 and 41 of the GDPR, with respect to Data Protection Codes of Conduct.

According to the EDPB, Codes of Conduct represent a practical, potentially cost-effective and meaningful method to achieve greater levels of consistency of protection for data protection rights, and can help to bridge the harmonization gaps that may exist between Member States in their application of data protection law. Codes may also prove to be a significant and useful mechanism in the area of international transfers, as new provisions in the GDPR allow third parties to adhere to approved codes in order to satisfy legal requirements for international transfers of personal data to third countries.

The Guidelines are intended to help clarify the procedures and the rules involved in the submission, approval and publication of codes at both a National and European level. They intend to set out the minimum criteria required by a Competent Supervisory Authority before carrying out an in-depth review and evaluation of a code.

GDPR codes are voluntary accountability tools, which set out specific data protection rules for categories of controllers and processors. They can be a useful and effective accountability tool, providing a detailed description of what is the most appropriate, legal and ethical set of behaviors of a sector. As an example, the Guidelines cite micro enterprises involved in similar health research activities, which could come together via their relevant associations and collectively develop a code in respect of their collection and processing of health data.

A code must be submitted by an association/consortium of associations or other bodies representing categories of controllers or processors (code owners) in accordance with Article 40(2) of GDPR. Code owners would include, for example, trade and representative associations, sectoral organizations and interest groups. They can have national or transnational reach, broader or narrower scopes, and must provide mechanisms that will allow for effective oversight.

Codes are one of a number of voluntary tools that can be used to assist organizations in demonstrating their compliance with the GDPR. Additional tool is Data Protection Impact Assessments (DPIAs), and a special update we recently published on regarding DPIAs is available here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.