Article 41 GDPR

From GDPRhub
Revision as of 10:24, 8 March 2022 by Gb (talk | contribs) (style consistency)
Article 41 - Monitoring of approved codes of conduct
Chapter 10: Delegated and implementing acts

Legal Text

Article 41 - Monitoring of approved codes of conduct

1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, the monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for that purpose by the competent supervisory authority.

2. A body as referred to in paragraph 1 may be accredited to monitor compliance with a code of conduct where that body has:

(a) demonstrated its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory authority;
(b) established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;
(c) established procedures and structures to handle complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make those procedures and structures transparent to data subjects and the public; and
(d) demonstrated to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.

3. The competent supervisory authority shall submit the draft criteria for accreditation of a body as referred to in paragraph 1 of this Article to the Board pursuant to the consistency mechanism referred to in Article 63.

4. Without prejudice to the tasks and powers of the competent supervisory authority and the provisions of Chapter VIII, a body as referred to in paragraph 1 of this Article shall, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent supervisory authority of such actions and the reasons for taking them.

5. The competent supervisory authority shall revoke the accreditation of a body as referred to in paragraph 1 if the conditions for accreditation are not, or are no longer, met or where actions taken by the body infringe this Regulation.

6. This Article shall not apply to processing carried out by public authorities and bodies.

Relevant Recitals

You can help us fill this section!

Commentary

Overview

Article 41 GDPR complements Article 40 GDPR by providing that compliance with any approved code of conduct must be monitored by an accredited body with the appropriate level of expertise in the sector concerned by the code.

Although the Data Protection Directive 95/46/EC included a provision on codes of conduct (Article 27(1) Directive 95/46/EC), this did not include any information on how compliance with such codes may be monitored. Accordingly, it was for national law to determine whether and which specific body may undertake the task of monitoring compliance with a code of conduct.[1]

According to the European Data Protection Board Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 (hereafter: EDPB Guidelines), the aim of Articles 40 and 41 GDPR[2] is to ensure a “practical, potentially cost effective and meaningful method to achieve greater levels of consistency” in data protection law. This is particularly relevant given that Member States may give effect to EU data protection law in ways which differ from their counterparts (e.g. where processing targeted by a code of conduct relates to a particular Member State).[3]

The Monitoring Body

The monitoring body provided for in Article 41 GDPR is tasked with ensuring compliance with the code of conduct drawn up under Article 40 GDPR. However, this body must be accredited by the competent supervisory authority in charge of the code.

A Body with an Appropriate Level of Expertise

As mentioned in Article 40(4) GDPR on the elaboration of codes of conduct, a monitoring body must be designated in the relevant code. Article 41(1) GDPR specifies that such a body will ensure compliance of code members with said code.

The EDPB highlights that the GDPR does not prescribe the type of body targeted by Article 41 GDPR. Instead, the Guidelines suggest that it is for code owners to define the structure of the body, including whether it is an internal or external body. An internal body could take the form of an “ad hoc internal committee” or another department constituted independently from the code owners, for example.[4]

According to the wording of Article 41(1) GDPR, the monitoring body must have an “appropriate level of expertise” in the sector targeted by the code. This requirement is, however, undefined in the Regulation.[5] “Expertise” is only referred to again, briefly, under Article 41(2)(a) GDPR.

Additionally, Article 41(1) GDPR specifies that a monitoring body must be “accredited” by the competent supervisory authority for the purpose of ensuring compliance with the code of conduct. The criteria for this accreditation are set out in the section below.

It is also important to point out that such expertise and accreditation are “[w]ithout prejudice to the tasks and powers of the competent supervisory authority”, as stated in the first line of Article 41(1) GDPR. This means that the crucial role played by competent supervisory authorities in enforcing the GDPR cannot be undermined or sidelined by an accredited monitoring body ensuring compliance with a code of conduct for a specific sector or processing activity.

Criteria for Accreditation from the Competent Supervisory Authority

The GDPR requires that the competent supervisory authority accredit a monitoring body before it can perform its task under the code of conduct. This is clear from the wording of Article 41(1) GDPR.

Article 41(1) GDPR does not define accreditation. Nonetheless, Article 41(2) GDPR provides criteria against which a supervisory authority will assess the suitability of the monitoring body to ensure compliance with the relevant code of conduct. It is uncertain whether a monitoring body which complies with the criteria in Article 41(2) GDPR may nonetheless see its accreditation refused: neither the GDPR nor the EDPB Guidelines state clearly whether these criteria are exhaustive. However, given the wording of the Article, “may be accredited”, it is possible to argue that certain competent supervisory authorities can decide to be stricter and require additional criteria to be fulfilled.

In any case, the following criteria must be fulfilled as a baseline. It is the task of the code owners to demonstrate that their chosen monitoring body fulfils the following criteria.[6]

Demonstrated Expertise

It is clear from Article 41(1) GDPR that the body must have an “appropriate level of expertise” in the subject-matter of the code of conduct it aims to ensure effective compliance with.

This is also a requirement of the accreditation process as specified in Article 41(2)(a) GDPR: “may be accredited [...] where that body has: (a) demonstrated its independence and expertise”.

The threshold for this level of expertise is “to the satisfaction of the competent supervisory authority”. Therefore, divergences between Member States are possible. However, the EDPB provides some guidance as to what this entails. For example, it clarifies that the monitoring body should show that it has knowledge of, and past experience in, the sector targeted by the code of conduct. Similarly, the monitoring body should demonstrate an in-depth understanding of data protection law as applicable to the type of processing at stake in the code of conduct. Experience in monitoring compliance is also recommended.[7]

Demonstrated Independence

Article 41(2)(a) GDPR also requires that the monitoring body be independent. According to the EDPB Guidelines, this requirement for accreditation refers to the monitoring body’s “impartiality of function from the code members and the profession, industry or sector” at stake. Additionally, the monitoring body should be independent from the code owners.[8]

The Guidelines also provide some suggestions of areas that can be used to demonstrate independence. These are only examples and are non-exhaustive:

- independent funding;
- independence in the appointment of the monitoring body’s staff and management structure, such as through “informational barriers” or “separate reporting management structures”;
- independence in its processes for making decisions, with the willingness to impose sanctions for non-compliance with the code; and/or
- independence in the organisational structure of the monitoring body.

The requirement of independence evidently applies regardless of whether an internal or external monitoring body is chosen by the code owners.[9]

Again, the threshold for this level of independence is “to the satisfaction of the competent supervisory authority”. Therefore, divergences between Member States are possible. However, the EDPB provides some guidance in that respect: for example, the monitoring body should be able to demonstrate that it acts, and will continue to act, without instructions or fear of reprimand from third parties. Similarly, it must be able to show that it has implemented safeguards to mitigate any risk to its impartiality.[10]

Established Procedures For Assessing Controllers and Processors

The monitoring body must also have procedures in place that enable it to (i) assess whether controllers and processors are eligible to apply the code of conduct,[11] (ii) monitor their compliance with it and (iii) review the operation of the code. These three requirements must be satisfied before a monitoring body can be accredited under Article 41(2)(b) GDPR. Although the provision only refers to “procedures” and not “structures”, the EDPB has interpreted the paragraph as including both.

The EDPB also interprets this provision to mean that “comprehensive vetting procedures” are required to assess whether the controllers and processors concerned can be considered as formally adhering to the code of conduct. The Guidelines provide suggestions of what these vetting procedures may look like:

- randomised audits (these carry even more weight if published);
- inspections on a regular basis (e.g. annually);
- use of reports; and/or
- use of questionnaires.

However, this is not an exhaustive list, as bodies seeking accreditation may adopt any procedure or structure that addresses the three requirements above.[12]

The EDPB notes that the established procedures must be supported by sufficient monetary and human resources to be implemented effectively in reality.[13]

Mechanisms for Periodical Reviews

As mentioned in the section above, Article 41(2)(b) GDPR requires that the monitoring body periodically review the operation of the code of conduct. For this to be achieved effectively, the monitoring body must establish a procedure for reviewing the code of conduct, including its continued relevance[14] and its contribution to “the proper application of the GDPR”.[15]

Established Procedures and Structures for Complaints Handling

Additionally, Article 41(2)(c) GDPR stipulates that the monitoring body must have clear procedures and structures to address complaints about infringements or poor implementation of the code by a controller or processor.

To achieve this, sufficient resources are crucial. The body also needs the necessary powers, as well as the willingness to impose corrective measures such as the suspension of a membership of the code of conduct.[16]

The handling of complaints, through these procedures and structures, must also be transparent to data subjects and the general public, according to Article 41(2)(c) GDPR. This entails “publicly accessible” complaints processes. It may also imply, where relevant, communication with the parties concerned and with supervisory authorities.[17]

No Conflict of Interests

Article 41(2)(d) GDPR makes it clear that the code owners must demonstrate that the designated monitoring body can perform its tasks and duties without any conflict of interests.

The EDPB specifies that the code owners must do so by providing evidence that there are effective safeguards to ensure that the monitoring body “will not engage with an incompatible occupation”. As with the independence requirement mentioned above, this entails that there should be no direct or indirect external influence guiding the body’s actions.[18]

Submitting the draft criteria for accreditation to the EDPB.

According to Article 41(3) GDPR, the competent supervisory authority in charge of assessing whether the monitoring body satisfies the accreditation criteria must itself submit the “draft criteria for accreditation” to the EDPB in line with the consistency mechanism (Article 63 GDPR).

Role of the Monitoring Body

The role that a monitoring body plays can be understood from Article 41(4) GDPR. This role is interpreted “[w]ithout prejudice to the tasks and powers of the competent supervisory authority and the provisions of Chapter VIII”.

Taking action to address infringements of the code.

The monitoring body is primarily tasked with ensuring compliance with the code of conduct. Article 41(4) GDPR outlines that it “shall” take action. The Article itself suggests possible sanctions to apply against an infringing code member: “suspension or exclusion of the controller or processor concerned from the code”.

Communication with the supervisory authority.

Under Article 41(4) GDPR, a monitoring body has an obligation to inform the competent supervisory authority of any action it takes in the event of an infringement. It must also provide the reasons for this action.

The EDPB Guidelines suggest that this communication requirement for monitoring bodies should be considered a criterion for accreditation.[19] However, given that this obligation does not appear in the list of accreditation requirements in Article 41(2) GDPR, it is argued that it is better understood as an ex post obligation of a monitoring body than as a criterion for the ex ante accreditation process. Hence, this aspect of Article 41 GDPR is treated here as part of the analysis of the role of the body.

Revoking Accreditation

Article 41(5) GDPR stipulates that the competent supervisory authority which accredited the monitoring body may also revoke this accreditation. This occurs when the conditions for accreditation are not, or are no longer, fulfilled. Revocation is also the response to actions taken by the monitoring body that infringe the GDPR. According to the EDPB, the code owners must have provided for such a revocation. Additionally, due to the severe consequences (e.g. the suspension of the code of conduct for lack of a monitoring body), the competent supervisory authority must give the monitoring body the opportunity to remedy the concern identified.[20]

It is uncertain whether the competent supervisory authority must cooperate with the Board when considering revoking the accreditation, as it does in the context of the draft criteria for accreditation (Article 41(3) GDPR).

Non-Application to Public Authorities and Bodies.

As Article 41(6) GDPR clearly lays out, the Article “shall not apply to processing carried out by public authorities and bodies”.

Decisions

→ You can find all related decisions in Category:Article 41 GDPR

References

  1. Kamara, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 9 GDPR, p. 727 (Oxford University Press 2020).
  2. Articles 40 and 41 GDPR are connected. The former concerns the drawing up of codes of conduct, whereas the latter concerns the monitoring of the application of those codes by appropriate bodies.
  3. EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 12 February 2019.
  4. EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 12 February 2019, p. 22.
  5. EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 12 February 2019, p. 21.
  6. EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 12 February 2019, p. 21.
  7. EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 12 February 2019, p. 23.
  8. EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 12 February 2019, p. 21.
  9. EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 12 February 2019, p. 22.
  10. EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 12 February 2019, p. 22.
  11. i.e. that they operate within the sector targeted by the code, or carry out the processing activities targeted by it.
  12. EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 12 February 2019, p. 23.
  13. The resources necessary are proportionate to the number of code members and the risk associated with the particular sector; see EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 12 February 2019, p. 23.
  14. In light of any sector-specific, industry and/or technological developments.
  15. EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 12 February 2019, p. 25.
  16. EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 12 February 2019, p. 24.
  17. EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 12 February 2019, p. 24.
  18. EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 12 February 2019, p. 23.
  19. EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 12 February 2019, pp. 24-25.
  20. EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, 12 February 2019, p. 26.