Article 40 GDPR
Revision as of 09:49, 10 September 2021
Legal Text
1. The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.
2. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:
- (a) fair and transparent processing;
- (b) the legitimate interests pursued by controllers in specific contexts;
- (c) the collection of personal data;
- (d) the pseudonymisation of personal data;
- (e) the information provided to the public and to data subjects;
- (f) the exercise of the rights of data subjects;
- (g) the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;
- (h) the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32;
- (i) the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects;
- (j) the transfer of personal data to third countries or international organisations; or
- (k) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.
3. In addition to adherence by controllers or processors subject to this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article and having general validity pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (e) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards including with regard to the rights of data subjects.
4. A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of supervisory authorities competent pursuant to Article 55 or 56.
5. Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the supervisory authority which is competent pursuant to Article 55. The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards.
6. Where the draft code, or amendment or extension is approved in accordance with paragraph 5, and where the code of conduct concerned does not relate to processing activities in several Member States, the supervisory authority shall register and publish the code.
7. Where a draft code of conduct relates to processing activities in several Member States, the supervisory authority which is competent pursuant to Article 55 shall, before approving the draft code, amendment or extension, submit it in the procedure referred to in Article 63 to the Board which shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3 of this Article, provides appropriate safeguards.
8. Where the opinion referred to in paragraph 7 confirms that the draft code, amendment or extension complies with this Regulation, or, in the situation referred to in paragraph 3, provides appropriate safeguards, the Board shall submit its opinion to the Commission.
9. The Commission may, by way of implementing acts, decide that the approved code of conduct, amendment or extension submitted to it pursuant to paragraph 8 of this Article have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).
10. The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 9.
11. The Board shall collate all approved codes of conduct, amendments and extensions in a register and shall make them publicly available by way of appropriate means.
Relevant Recitals
Commentary
Overview
Article 40 GDPR outlines a possibility for actors to elaborate codes of conduct for the effective implementation of the GDPR in specific sectors or for specific processing activities. Codes of conduct are not obligatory but rather potential tools that can be used to promote compliance with the Regulation.
Article 40 GDPR elaborates upon an already existing provision under the Data Protection Directive 95/46/EC (Article 27(1) Directive). Accordingly, certain codes of conduct have already been elaborated under Article 27 Directive 95/46/EC. These include a code of conduct on the use of personal data in direct marketing practices, which was developed by the Federation of European Direct and Interactive Marketing (FEDMA), and a code of conduct on cloud service providers developed by the Cloud Select Industry Group (C-SIG). Both were approved by the Article 29 Working Party (hereafter, “WP29”).[1] According to the European Data Protection Board Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 (hereafter: EDPB Guidelines), Article 40 GDPR provides more “specific and detailed provisions” concerning the requirements and procedural aspects for drafting codes than the Directive.[2]
The aim of Articles 40, 41 GDPR[3] is to ensure a “practical, potentially cost effective and meaningful method to achieve greater levels of consistency” in data protection law. This is particularly relevant given the fact that Member States may give effect to EU data protection law in ways which differ from their counterparts (e.g. where processing targeted by a code of conduct relates to a particular Member State).[4]
Drawing up Codes of Conduct
It is important to clarify what is meant by a code of conduct, what they are for, who can draw them up and who is targeted by these voluntary documents.
Rationale for Codes of Conduct
According to Article 40 GDPR, the purpose of codes of conduct is to “[contribute] to the proper application”,[5] as well as to “[specify] the application”[6] of the Regulation. Additionally, they may be developed to “calibrate the obligations of controllers and processors” according to Recital 98 GDPR. As such, codes are intended to be an additional accountability tool which acts as a “rulebook for controllers and processors” that fall within the scope of the GDPR (and, in certain cases discussed below, those who fall outside of it). The codes provide measures which data controllers and processors in a specific sector can implement in addition to, or in order to comply with, their existing legal obligations under the GDPR.[7]
Interestingly, the EDPB suggests that codes can generate a degree of co-regulation amongst controllers and processors within the same processing sector. This, in turn, can help alleviate the burden placed on data protection supervisory authorities by controllers and processors seeking advice about the legality of their processing activities under the Regulation.[8] This is, in theory, a strong argument in favour of developing codes of conduct and the corresponding monitoring bodies (as discussed in the commentary on Article 41). However, not many associations or other bodies have made use of this possibility under the GDPR.[9] As such, data controllers and processors remain reliant on supervisory authorities for guidance on compliance with the GDPR. Unfortunately, guidance from these authorities will generally lack the sector-specificity that makes codes of conduct attractive in terms of effective application of the GDPR.
Content of the Codes of Conduct
Article 40(1) GDPR clarifies that codes of conduct must be tailored to the “specific features” of a sector, as well as to the “specific needs of micro, small and medium-sized enterprises”. Recitals 98 and 99 GDPR provide additional information as to how the content of these codes of conduct may be developed. The former highlights that the codes should take into account the “risk likely to result from the [relevant] processing for the rights and freedoms of natural persons”. According to the latter recital, the drafter “should consult relevant stakeholders, including data subjects” in order to develop these codes. They should also duly consider the “submissions received and views expressed in response to such consultations”.
Article 40(2) GDPR provides a list of potential topics which the codes may address. It is important to note that the wording of the Article suggests that the list is non-exhaustive[10] and that its items are not necessarily cumulative.[11] The Article provides the following examples of topics for the codes:
- fairness and transparency in processing;
- controllers’ legitimate interests in particular contexts;
- collection of personal data;
- pseudonymisation;
- information to be provided to the public and to data subjects;
- data subjects’ rights and their exercise;
- processing children’s personal data (including information to be provided, protection and mechanisms for obtaining parental consent);
- technical and organisational measures and the obligations to guarantee privacy by design and by default;
- notification and communication of data breaches to the competent supervisory authority and to affected data subjects;
- data transfers to third countries or international organisations; or
- dispute resolution procedures.
Finally, Article 40(4) GDPR outlines that a code of conduct must necessarily[12] contain information on how a monitoring body (provided for in Article 41 GDPR) can ensure compliance with the code of conduct. It is important to note that such monitoring must be “without prejudice to the tasks and powers of supervisory authorities”.
Shall encourage
Codes of conduct are themselves not obligatory. Article 40(1) GDPR provides that Member States, supervisory authorities, the EDPB and the Commission shall “encourage” actors to develop codes of conduct. This terminology, emphasised by the fact that Article 40(2) GDPR provides that relevant actors “may” draw up such codes, highlights that the codes are developed on a voluntary basis. The EDPB Guidelines also support this reading.[13] However, on a detailed reading of Article 40(1) GDPR, there is a clear obligation imposed on Member States, supervisory authorities, the EDPB and the European Commission to encourage their drawing up. Indeed, the wording of Article 40(1) is that they “shall encourage” (emphasis added).[14]
Associations and other Bodies
According to Article 40(2) GDPR, codes of conduct are to be drafted by trade associations and other bodies “representing categories of controllers or processors”. Therefore, these drafters act as representatives of specific sectors. The EDPB also refers to them as “code owners”.[15]
There is some ambiguity in the wording of this GDPR provision. Article 40(1) GDPR outlines that the drawing up of codes must be encouraged without specifying what entities may do so. Only Article 40(2) GDPR makes direct reference to “associations and other bodies”. Therefore, it could be suggested that a controller or processor can take up the task of drafting a code. However, Recital 98 GDPR makes direct reference to associations and other bodies when addressing the obligation to encourage the drawing up of codes of conduct (Article 40(1) GDPR). Similarly, Article 40(5) GDPR only refers to associations and other bodies when specifying the steps to get a code approved. It may therefore be assumed that only such entities may develop these codes. The EDPB supports the suggestion that only associations and other bodies may draft codes.[16]
Target Audience for Codes of Conduct
Generally speaking, codes of conduct developed in accordance with Article 40 GDPR are aimed at categories of controllers and processors within the scope of application of the GDPR. These categories of controllers and processors are determined by their varying processing sectors. For example, a code of conduct for processing of personal data by banks would differ from one for the education sector. This is clear as Article 40(1) GDPR specifies that the codes should take into account “the specific features of the various processing sectors”.
However, Article 40(3) GDPR provides that certain codes of conduct can be followed by controllers and processors of personal data that are not subject to the Regulation. Such codes must be approved by the competent data protection supervisory authority as per Article 40(5) GDPR and must have gained general validity from the European Commission pursuant to Article 40(9) GDPR.[17] The third-country controllers and processors must also make “binding and enforceable commitments” (i.e. contractual or other legally binding instruments). Should entities not subject to the GDPR adhere to them, these codes of conduct will act as appropriate safeguards in the context of transfers of personal data to third countries or international organisations.[18] The hope is similarly that international codes will lead to the “promotion and cultivation of the level of protection which the GDPR provides to the wider international community”.[19] However, the reality is quite different: no such codes of conduct have been adopted yet.[20]
Approval of Codes of Conduct
Article 40(5) GDPR outlines that associations and other bodies which “intend to prepare a code of conduct or to amend or extend an existing [one]” must submit their draft to the competent supervisory authority. Once the code owner has submitted the draft, amendment or extension, in either an electronic or written format, the competent authority should review the code of conduct against the admissibility criteria and the conditions for approval which will be discussed in the following subsections.[21] The supervisory authority will then approve the code, amendment or extension where it “provides sufficient appropriate safeguards”.
Not much detail is provided by the provisions in the GDPR with regards to the admissibility criteria and conditions for approval. Therefore, much of the following discussion is derived from the EDPB Guidelines, which elaborate on these requirements.
Competent Authority
Although Article 40(5) GDPR mentions that the competent supervisory authority will be determined through the application of Article 55 GDPR, the GDPR does not provide concrete rules on this. However, Annex 2 of the EDPB Guidelines explains how code owners may identify the competent authority. It provides factors that can be considered, such as:
- the Member State where there is most of the processing activity or sector;
- the Member State where data subjects are most affected;
- the Member State where the drafting association or other body has its headquarters;
- the Member State where the monitoring body will have its headquarters; or
- the Member State where a supervisory authority has developed initiatives in the specific field of the code of conduct.[22]
Conditions for Admissibility of a Draft Code
The EDPB Guidelines provide a series of conditions that code drafters should fulfil before considering submitting their code, amendment or extension to the competent supervisory authority for approval.[23] The content of a draft code, amendment or extension will not be reviewed further if it fails to fulfil the criteria for admissibility outlined below.[24]
Explanatory Statement and Supporting Documentation
The first step for admissibility of a draft code of conduct is to have a “clear and concise explanatory statement”. This will include an explanation of:
- the purpose of the code;
- the scope of the code; and
- the way in which it will foster compliance with the GDPR.
Supporting documentation will also provide additional clarity.[25]
Representing Association or other Bodies
The draft code must be drafted by an association or other body representing categories of controllers and processors (Article 40(2) GDPR).
The EDPB highlights that code owners must demonstrate to the competent authority that they fall within the meaning of “associations and other bodies” before submitting the code for approval. The Guidelines add that this entails providing proof of their capability to address the needs of controllers and processors and understanding of their processing activities.[26]
Processing Scope
The scope of application of the code must be sufficiently precise. This includes information on the type of processing performed and the controllers and processors targeted by the code of conduct.[27]
Territorial Scope
The drafters must clarify whether the code applies to processing within one Member State or within several Member States. This will then facilitate the determination of whether further steps must be taken (i.e. general validity from the Commission, as elaborated upon below under “General Validity of Codes of Conduct for Cross-Border Processing Activities”).[28]
Competent Authority
The code drafter must show the authority that it is the competent one. How the competent authority is determined is outlined above.
Oversight of Mechanisms and Monitoring Body
The drafters must similarly ensure that steps for monitoring compliance are clearly laid out in the code of conduct. They must also provide for a monitoring body and the mechanisms[29] that this body will apply to ensure compliance with the code of conduct.[30]
Consultation
The code drafters must consult relevant stakeholders such as data subjects and controllers and processors before the draft is considered admissible.[31] This aspect is detailed above.
National legislation
If national legislation applies, the association or other body drafting the code must confirm that it does not infringe such provisions. According to the EDPB, this is particularly the case if the code affects national laws or the processing at stake is subject to a national law.[32]
Language
The code must be written in the language in which the competent authority works. Transnational codes, however, should also have an English version of the code, in addition to one in the competent authority’s language.[33]
Checklist
The code owner must ensure that they fulfil all the above conditions before submitting the code of conduct for approval.[34] Annex 3 of the EDPB Guidelines provides a possible checklist for a code owner to verify this. They can then present it to the competent supervisory authority.[35]
Criteria for getting Approval
The EDPB Guidelines also provide a series of criteria that must be fulfilled by code owners in order to gain formal approval for their code, amendment or extension from the competent authority.[36] The following sections reflect the minimum cumulative requirements for approval.
Firstly, the code must address a specific need or a data protection issue that is common in a sector or in relation to a processing activity by a category of controllers or processors. The code owner must also demonstrate that it understands the problem and clearly show how the code proposes to resolve it in an “effective and beneficial” way for its members and data subjects. Without this, the code cannot get approval from the competent authority.[37]
A key criterion for getting a code of conduct approved is described in Recital 98 GDPR: the code owner must ensure that the code “facilitate[s] the effective application of this Regulation” in the sector or processing activity it seeks to address.
According to the EDPB Guidelines, in order to gain approval, the code drafters must ensure that the code of conduct specifies how the GDPR should apply in relation to the targeted processing activities or sector. This includes providing (non-exhaustively):
- clear improvements to ensure the targeted sector complies with the Regulation;
- realistic and attainable standards for the controllers and processors targeted;
- detailed information on data protection areas, such as those outlined in Article 40(2) GDPR;
- sufficiently clear and effective solutions to concerns over processing in this sector;
- an “operational meaning” of the Article 5 GDPR principles; and
- clarifications on any EDPB opinions or guidance for the specific sector.
The EDPB also clarifies that a code drafter cannot simply restate provisions within the GDPR. The codes must supplement the Regulation by providing information on how it “shall apply in a specific, practical and precise manner” which relates to the processing activity or sector at the heart of the code. This can be achieved by using, for example, sector-specific terminology without being too “legalistic” and by giving examples of good practice.[38]
As outlined in Article 40(5) GDPR, the code of conduct must provide sufficient appropriate safeguards, “taking into account the risk likely to result from the processing for the rights and freedoms of natural persons” (Recital 98 GDPR).
An oversight and compliance monitoring mechanism is a requirement stipulated under Article 40(4) GDPR. According to the EDPB, structures and procedures[39] for enforcing the code must be stipulated by the code owner before gaining approval. This includes identifying a monitoring body within the meaning of Article 41 GDPR. Such monitoring mechanisms must be “clear, suitable, attainable, efficient and enforceable (testable)” according to the Guidelines.[40]
Approval from the Competent Supervisory Authority
Subject to the code owners fulfilling the admissibility and approval requirements outlined above, the competent supervisory authority can approve the draft code, amendment or extension pursuant to Article 40(5) GDPR. The EDPB Guidelines suggest that the authority should do so within a “reasonable period of time”[41] and update the code owners throughout the approval process.
The authority should justify its approval in line with the prerequisite criteria for admissibility and approval. Should the supervisory authority refuse to approve the code of conduct, it should provide a reasoning for its opinion. This can then enable the code owners to redraft and re-submit the code if they want.[42]
General Validity of Codes of Conduct for Cross-Border Processing Activities
Codes relating to processing activities in several Member States are transnational codes which must be granted “general validity” (Articles 40(7) GDPR to 40(10) GDPR).
Role of the Supervisory Authorities
The competent authority[43] with which the code owner has submitted the draft code must determine whether this code fulfils the admissibility criteria mentioned above before proceeding.[44]
After this initial step, the authority will then notify other supervisory authorities about the transnational code of conduct pursuant to Article 40(7) GDPR. These authorities will then confirm whether they are “concerned supervisory authorities” (see Article 4(22)(a) and (b) GDPR). Finally, the competent authority will cooperate with them in line with the consistency mechanism found under Article 63 GDPR. This includes sending a draft of the code of conduct that the principal authority intends to approve[45] to the other concerned supervisory authorities with a 30-day deadline to give feedback.
As per Article 40(7) GDPR, the principal authority must then submit the draft code, amendment or extension, along with any responses from concerned supervisory authorities, to the EDPB.
Opinion by the European Data Protection Board
The EDPB will then generate an opinion as to whether the code of conduct complies with the Regulation, as per Article 40(7) GDPR. According to the terminology of Articles 40(7) GDPR and 40(8) GDPR, the EDPB’s opinion should identify whether the draft code provides “appropriate safeguards”. This opinion shall follow the Rules of Procedure of the Board, as well as Article 64 GDPR.[46]
After confirming that the code of conduct provides “appropriate safeguards”, there is an obligation[47] imposed on the EDPB to “submit its opinion to the Commission” (Article 40(8) GDPR).
“General Validity” Granted by the European Commission
After receiving the opinion of the EDPB, the European Commission will be the one to determine, “by way of implementing acts”, whether to grant the code of conduct “general validity within the Union” as per Article 40(9) GDPR. The Article specifies that the “implementing acts” referred to must be adopted in line with the examination procedure under Article 93(2) GDPR.
Publication of Approved Codes and Codes with General Validity
Article 40 GDPR provides additional requirements for publishing codes of conduct, amendments or extensions once they have been approved. This relates to both codes of conduct relating to processing activities in one Member State (national codes) and those relating to processing activities in several Member States (transnational codes).
Publication by the Supervisory Authority
The competent supervisory authority that has approved the national code of conduct must then register and publish it in accordance with Article 40(6) GDPR. The same applies to any amendments or extensions submitted for approval.
Publication of a Code with General Validity
According to Article 40(10) GDPR, the Commission has responsibility over “appropriate publicity” that should be given to a transnational code of conduct which has been granted “general validity”.
It is uncertain whether the relevant supervisory authorities will have to make public the transnational codes of conduct that they sought to approve prior to the cooperation mechanism, as according to Article 40(6) GDPR.
Register of Codes of Conduct
Article 40(11) GDPR stipulates that the European Data Protection Board shall keep a register on “all approved codes of conduct, amendments and extensions” which is freely accessible and available to all “by way of appropriate means”.
The wording Article 40(11) GDPR only specifically refers to “approved codes” without mentioning those with “general validity”. This could lead to some ambiguity as to the scope of Article 40(11) GDPR.[48] Nonetheless, it is presumed that this requirement to register codes of conducts applies to approved codes within the meaning of Articles 40(5)(6) GDPR, as well as codes granted “general validity” by the European Commission as per Articles 40(7), (8), (9) and (10). The reason behind the assumption that Article 4(11) covers both types of codes of conduct is that it would not be logical for the EDPB to have to register codes of conduct approved by competent supervisory authorities throughout the European Union, but not those subject to their opinion before submitting them to the European Commission for “general validity”. Additionally, the wording or Article 40(11) GDPR refers to “all approved codes of conducts”, which most likely includes the “[Commission] approved codes” referred to in Article 40(10) GDPR. The EDPB supports this.[49]
The register can be found on the EDPB website. So far, only two codes of conduct (both national ones) have been collated on this register: a code of conduct by Nederland ICT (NL Digital) in the Netherlands and one by Autocontrol (Asociación para la Autorregulación de la Comunicación Comercial) in Spain.[50] However, it is apparent that various other codes of conduct do not yet appear on the EDPB register, such as the codes of conduct approved by the Austrian or Italian DPAs.[51]
Decisions
→ You can find all related decisions in Category:Article 40 GDPR
References
- ↑ Bensoussan, Règlement européen sur la protection des données, p. 290 (Bruylant 2017).
- ↑ EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 4 June 2019, p. 8 (available here).
- ↑ Articles 40, 41 GDPR are connected. The former concerns the drawing up of codes of conduct whereas the latter concerns the monitoring of the application of those codes by appropriate bodies.
- ↑ EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 4 June 2019, p. 5 (available here).
- ↑ Article 40(1) GDPR.
- ↑ Article 40(2) GDPR.
- ↑ EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 4 June 2019, p. 7 (available here).
- ↑ EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 4 June 2019, p. 9 (available here).
- ↑ There were only two codes of conduct approved under the GDPR in the EDPB Register when this commentary was written (22/12/2020, see here).
- ↑ Article 40(2) uses the phrases “such as with regard to” before listing these potential topics, suggesting that they are only a few examples amongst others. The EDPB agrees with this reading of the Article; see EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 4 June 2019, p. 7 (available here).
- ↑ Article 40(2) GDPR uses the word “or” between subparagraph (j) and (k).
- ↑ Consider wording: “shall”.
- ↑ EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 4 June 2019, p. 7 (available here).
- ↑ The EDPB agrees with this reading; see EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 4 June 2019, p. 6 (available here).
- ↑ EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 4 June 2019, p. 7 (available here).
- ↑ The EDPB even provides a non-exhaustive list of possible “code owners” including “trade and representative associations, sectoral organisations, academic organisations and interest groups”; see EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 4 June 2019, p. 11 (available here).
- ↑ The details of Articles 40(5) GDPR and 40(9) GDPR are discussed below.
- ↑ See Article 46(2)(e) GDPR.
- ↑ EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 4 June 2019, p. 10 (available here).
- ↑ On the date this commentary was written (22 December 2020, see here).
- ↑ EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 4 June 2019, p. 17 (available here).
- ↑ As per Article 55 GDPR.
- ↑ EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 4 June 2019, p. 28 (available here).
- ↑ EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 4 June 2019, p. 17 (available here).
- ↑ EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 4 June 2019, p. 11 (available here).
- ↑ EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 4 June 2019, p. 11-12 (available here).
- ↑ EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 4 June 2019, p. 12 (available here).
- ↑ EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 4 June 2019, p. 12 (available here).
- ↑ See Article 41 for further information on monitoring bodies and the mechanisms.
- ↑ EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 4 June 2019, p. 12 (available here).
- ↑ EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 4 June 2019, p. 13 (available here).
- ↑ EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 4 June 2019, p. 13 (available here).
- ↑ EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 4 June 2019, p. 13 (available here).
- ↑ EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 4 June 2019, p. 14 (available here).
- ↑ EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 4 June 2019, p. 29 (available here).
- ↑ EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 4 June 2019, p. 28 (available here).
- ↑ EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 4 June 2019, p. 14 (available here).
- ↑ EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 4 June 2019, p. 15-16 (available here).
- ↑ For example, regular audits, reporting requirements, complaint handling and dispute resolution mechanisms as well as potential sanctions for failing to comply with the code of conduct.
- ↑ EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 4 June 2019, p. 16-17 (available here).
- ↑ Unless a specific time for approving a code of conduct is provided for in national law.
- ↑ EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 4 June 2019, p. 18 (available here).
- ↑ Details concerning the competency of the data protection authority outlined apply to transnational codes.
- ↑ EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 4 June 2019, p. 18 (available here).
- ↑ Presumably (as there is no information in the GDPR nor the Guidelines) in line with the conditions of approval outlined.
- ↑ EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 4 June 2019, p. 20 (available here).
- ↑ Wording: "shall".
- ↑ See Article 40(3) GDPR which refers to both types of codes distinctly: “codes of conduct approved pursuant to paragraph 5 of this Article and [codes of conduct] having general validity pursuant to paragraph 9 of this Article”.
- ↑ EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 4 June 2019, p. 20 (available here).
- ↑ On the date this commentary was written (22 December 2020, see here).
- ↑ See, for example, the Spanish DPA (here); the Dutch DPA (here); the Italian DPA (see here) and the Austrian DPA (here, here and here).