Editing Article 40 GDPR

From GDPRhub



Latest revision Your text
Line 2: Line 2:
 
![[Article 39 GDPR|←]] Article 40 - Codes of conduct [[Article 41 GDPR|→]]
 
![[Article 39 GDPR|←]] Article 40 - Codes of conduct [[Article 41 GDPR|→]]
 
|-
 
|-
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]
+
|style="padding: 20px; background-color:#003399;"|[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]
 
|-
 
|-
 
|
 
|
  
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
+
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
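Review bot: the changed <code>&lt;div class="toccolours mw-collapsible mw-collapsed" ...&gt;</code> line is malformed on both sides of this hunk: the old line reads <code>style="border-width: 0px" overflow:auto;"</code> and the new one <code>overflow:auto;" style="border-width: 0px"</code>, so in either order <code>overflow:auto;</code> sits outside any attribute and a stray closing quote is left behind. Fold it into the one attribute, <code>style="border-width: 0px; overflow:auto;"</code>, and apply the same fix to the identical change repeated in each of the chapter blocks that follow.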
Line 17: Line 17:
 
</div></div>
 
</div></div>
  
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
+
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
Line 31: Line 31:
 
</div></div>
 
</div></div>
  
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
+
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
Line 50: Line 50:
 
</div></div>
 
</div></div>
  
<div class="toccolours mw-collapsible" style="border-width: 0px" overflow:auto;">
+
<div class="toccolours mw-collapsible" overflow:auto;" style="border-width: 0px">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
Line 77: Line 77:
 
</div></div>
 
</div></div>
  
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
+
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
Line 91: Line 91:
 
</div></div>
 
</div></div>
  
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
+
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
Line 107: Line 107:
 
</div></div>
 
</div></div>
  
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
+
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
Line 131: Line 131:
 
</div></div>
 
</div></div>
  
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
+
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
Line 146: Line 146:
 
</div></div>
 
</div></div>
  
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
+
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
Line 160: Line 160:
 
</div></div>
 
</div></div>
  
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
+
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
Line 169: Line 169:
 
</div></div>
 
</div></div>
  
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
+
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
Line 184: Line 184:
 
|}
 
|}
  
==Legal Text==
+
== Legal Text ==
 
<br /><center>'''Article 40 - Codes of conduct'''</center><br />
 
<br /><center>'''Article 40 - Codes of conduct'''</center><br />
  
Line 244: Line 244:
 
</div></div>
 
</div></div>
  
==Commentary==
+
== Commentary ==
  
=== Overview ===
+
''You can help us fill this section!''
Article 40 GDPR outlines a possibility for actors to elaborate codes of conducts for the effective implementation of the GDPR in specific sectors or for specific processing activities. Codes of conduct are not obligatory but rather potential tools that can be used to promote compliance with the Regulation.
 
  
Article 40 GDPR elaborates upon an already existing provision under the Data Protection Directive 95/46/EC (Article 27(1) Directive). Accordingly, certain codes of conduct have already been elaborated under Article 27 Directive. These include a code of conduct on use of personal data in direct marketing practices, which was developed by the Federation of European Direct and Interactive Marketing (FEDMA), and a code of conduct on Cloud service providers developed by Cloud Select Industry Group (C-SIG). Both were approved by the Article 29 Working Party (hereafter, “WP29”).[[Article 40 GDPR#%20ftn1|[1]]]According to the European Data Protection Board Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 (hereafter: EDPB Guidelines), Article 40 of the GDPR provides more “''specific and detailed provisions''” concerning the requirements and procedural aspects for drafting codes than the Directive.[[Article 40 GDPR#%20ftn2|[2]]]
+
== Decisions ==
 
 
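Review bot: in the Overview hunk the right-hand side keeps only the placeholder ''You can help us fill this section!'' and a new, empty == Decisions == heading, while the two Overview paragraphs (the ones carrying the footnote anchors [1] and [2]) appear only on the left; the footnote list further down still has entries [1] and [2]. Either keep those paragraphs under === Overview === and add the heading beside them, or remove the orphaned footnotes together with the text they belong to.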
The aim of Articles 40 and 41 GDPR[[Article 40 GDPR#%20ftn3|[3]]] is to ensure a “''practical, potentially cost effective and meaningful method to achieve greater levels of consistency''” in data protection law. This is particularly relevant given that Member States may give effect to EU data protection law in ways which differ from one another (e.g. where the processing targeted by a code of conduct relates to a particular Member State).[[Article 40 GDPR#%20ftn4|[4]]]
 
 
 
=== Drawing up codes of conduct. ===
 
It is important to clarify what is meant by a code of conduct, what such codes are for, who can draw them up and who is targeted by these voluntary documents.
 
 
 
==== Rationale for codes of conduct. ====
 
According to Article 40, the purpose of a code of conduct is to “''[contribute] to the proper application''”[[Article 40 GDPR#%20ftn5|[5]]], as well as to “''[specify] the application''”[[Article 40 GDPR#%20ftn6|[6]]] of the Regulation. Additionally, codes may be developed to “''calibrate the obligations of controllers and processors''” according to Recital 98. As such, codes are intended to be an additional accountability tool which acts as a “''rulebook for controllers and processors''” that fall within the scope of the GDPR (and, in certain cases discussed below, those who fall outside of it). The codes provide measures which data controllers and processors in a specific sector can implement in addition to, or in order to comply with, their existing legal obligations under the GDPR.[[Article 40 GDPR#%20ftn7|[7]]]
 
 
 
Interestingly, the EDPB suggests that codes can generate a degree of co-regulation amongst controllers and processors within the same processing sector. This, in turn, can help alleviate the burden placed on data protection supervisory authorities by controllers and processors seeking advice about the legality of their processing activities under the Regulation.[[Article 40 GDPR#%20ftn8|[8]]] This is, in theory, a strong argument in favour of developing codes of conduct and the corresponding monitoring bodies (as discussed in the commentary on Article 41). However, not many associations or other bodies have made use of this possibility under the GDPR.[[Article 40 GDPR#%20ftn9|[9]]] As such, data controllers and processors remain reliant on supervisory authorities for guidance on compliance with the GDPR. Unfortunately, guidance from these authorities will generally lack the sector-specificity that makes codes of conduct attractive in terms of effective application of the GDPR.
 
 
 
==== Content of the codes of conduct. ====
 
Article 40(1) clarifies that codes of conduct must be tailored to the “''specific features''” of a sector, as well as to the “''specific needs of micro, small and medium-sized enterprises''”. Recitals 98 and 99 provide additional information as to how the content of these codes of conduct may be developed. The former highlights that the codes should take into account the “''risk likely to result from the [relevant] processing for the rights and freedoms of natural persons''”. According to the latter recital, the drafter “''should consult relevant stakeholders, including data subjects''” in order to develop these codes. They should also duly consider the “''submissions received and views expressed in response to such consultations''”.
 
 
 
Article 40(2) provides a list of potential topics which the codes may address. It is important to note that the wording of the Article suggests that the list is non-exhaustive[[Article 40 GDPR#%20ftn10|[10]]] and that its items are not necessarily cumulative.[[Article 40 GDPR#%20ftn11|[11]]] The Article provides the following examples of topics for the codes:
 
 
 
* fairness and transparency in processing;
* controllers’ legitimate interests in particular contexts;
* collection of personal data;
* pseudonymisation;
* information to be provided to the public and to data subjects;
* data subjects’ rights and their exercise;
* processing children’s personal data (including information to be provided, protection and mechanisms for obtaining parental consent);
* technical and organisational measures and the obligations to guarantee privacy by design and by default;
* notification and communication of data breaches to the competent supervisory authority and to affected data subjects;
* data transfers to third countries or international organisations; or
* dispute resolution procedures.
 
 
 
Finally, Article 40(4) outlines that a code of conduct must necessarily[[Article 40 GDPR#%20ftn12|[12]]] contain information on how a monitoring body (provided for in Article 41 GDPR) can ensure compliance with the code of conduct. It is important to note that such monitoring must be without “''prejudice to the tasks and powers of supervisory authorities''”.
 
 
 
==== “shall encourage”. ====
 
Codes of conduct are themselves not obligatory. Article 40(1) GDPR provides that Member States, supervisory authorities, the EDPB and the Commission shall “''encourage''” actors to develop codes of conduct. This terminology, reinforced by the fact that Article 40(2) provides that relevant actors “''may''” draw up such codes, highlights that the codes are developed on a voluntary basis. The EDPB Guidelines also support this reading.[[Article 40 GDPR#%20ftn13|[13]]] However, a closer reading of Article 40(1) reveals a clear obligation imposed on Member States, supervisory authorities, the EDPB and the European Commission to encourage the drawing up of codes. Indeed, the wording of Article 40(1) is that they “'''''shall''''' ''encourage''” (emphasis added).[[Article 40 GDPR#%20ftn14|[14]]]
 
 
 
==== “associations and other bodies”. ====
 
According to Article 40(2), codes of conduct are to be drafted by trade associations and other bodies “''representing categories of controllers or processors''”. Therefore, these drafters act as representatives of specific sectors. The EDPB also refers to them as “''code owners''”.[[Article 40 GDPR#%20ftn15|[15]]]
 
 
 
There is some ambiguity in the wording of this GDPR provision. Article 40(1) outlines that the drawing up of codes must be encouraged without specifying what entities may do so. Only Article 40(2) makes direct reference to “''associations and other bodies''”. Therefore, it could be suggested that a controller or processor can take up the task of drafting a code. However, Recital 98 makes direct reference to associations and other bodies when addressing the obligation to encourage the drawing up of codes of conduct (Article 40(1)). Similarly, Article 40(5) only refers to associations and other bodies when specifying the steps to get a code approved. It may therefore be assumed that only such entities may develop these codes. The EDPB supports the view that only associations and other bodies may draft codes.[[Article 40 GDPR#%20ftn16|[16]]]
 
 
 
==== Target audience for codes of conduct. ====
 
Generally speaking, codes of conduct developed in accordance with Article 40 GDPR are aimed at categories of controllers and processors within the scope of application of the GDPR. These categories of controllers and processors are determined by their varying processing sectors. For example, a code of conduct for the processing of personal data by banks would differ from one for the education sector. This is clear as Article 40(1) specifies that the codes should take into account “''the specific features of the various processing sectors''”.
 
 
 
However, Article 40(3) provides that certain codes of conduct can be followed by controllers and processors of personal data that are '''not''' subject to the Regulation. Such codes must be approved by the competent data protection supervisory authority as per Article 40(5) and have been granted general validity by the European Commission pursuant to Article 40(9).[[Article 40 GDPR#%20ftn17|[17]]] The third-country controllers and processors must also make “''binding and enforceable commitments''” (i.e. by contractual or other legally binding instruments). Where entities not subject to the GDPR adhere to them, these codes of conduct will act as appropriate safeguards in the context of transfers of personal data to third countries or international organisations.[[Article 40 GDPR#%20ftn18|[18]]] Similarly, the hope is that international codes will lead to the “''promotion and cultivation of the level of protection which the GDPR provides to the wider international community''”.[[Article 40 GDPR#%20ftn19|[19]]] However, the reality is quite different: no such codes of conduct have been adopted yet.[[Article 40 GDPR#%20ftn20|[20]]]
 
 
 
=== Approval of codes of conduct. ===
 
Article 40(5) outlines that associations and other bodies which “''intend to prepare a code of conduct or to amend or extend an existing [one]''” must submit their draft to the competent supervisory authority. Once the code owner has submitted the draft, amendment or extension, in either an electronic or written format, the competent authority should review the code of conduct against the admissibility criteria and the conditions for approval which will be discussed in the following subsections.[[Article 40 GDPR#%20ftn21|[21]]] The supervisory authority will then approve the code, amendment or extension where it “''provides sufficient appropriate safeguards''”.
 
 
 
Not much detail is provided by the provisions in the GDPR with regards to the admissibility criteria and conditions for approval. Therefore, much of the following discussion is derived from the EDPB Guidelines, which elaborate on these requirements.
 
 
 
==== Competent authority. ====
 
Although Article 40(5) mentions that the competent supervisory authority will be determined through the application of Article 55 GDPR, the GDPR does not provide concrete rules on this. However, Annex 2 of the EDPB Guidelines explains how code owners may identify the competent authority. It lists factors that can be considered, such as:
 
 
 
* the Member State where most of the processing activity or sector is located;
* the Member State where data subjects are most affected;
* the Member State where the drafting association or other body has its headquarters;
* the Member State where the monitoring body will have its headquarters; or
* the Member State where a supervisory authority has developed initiatives in the specific field of the code of conduct.[[Article 40 GDPR#%20ftn22|[22]]]
 
 
 
==== Conditions for admissibility of a draft code. ====
 
The EDPB Guidelines provide a series of conditions that code drafters should fulfil before considering submitting their code, amendment or extension to the competent supervisory authority for approval.[[Article 40 GDPR#%20ftn23|[23]]] The content of a draft code, amendment or extension will not be reviewed further if it fails to fulfil the criteria for admissibility outlined below.[[Article 40 GDPR#%20ftn24|[24]]]
 
 
 
===== Explanatory statement and supporting documentation. =====
 
The first step for admissibility of a draft code of conduct is to have a “''clear and concise explanatory statement''”. This will include an explanation of:
 
 
 
* the purpose of the code;
* the scope of the code; and
* the way in which it will foster compliance with the GDPR.
 
 
 
Supporting documentation will also provide additional clarity.[[Article 40 GDPR#%20ftn25|[25]]]
 
 
 
===== Representing association or other bodies. =====
 
The draft code must be drafted by an association or other body representing categories of controllers and processors (Article 40(2)).
 
 
 
The EDPB highlights that code owners must demonstrate to the competent authority that they fall within the meaning of “''associations and other bodies''” before submitting the code for approval. The Guidelines add that this entails providing proof of their capability to address the needs of controllers and processors and understanding of their processing activities.[[Article 40 GDPR#%20ftn26|[26]]]
 
 
 
===== Processing scope. =====
 
The scope of application of the code must be sufficiently precise. This includes information on the type of processing performed and the controllers and processors targeted by the code of conduct.[[Article 40 GDPR#%20ftn27|[27]]]
 
 
 
===== Territorial scope. =====
 
The drafters must clarify whether the code applies to processing within one Member State or several Member States. This will then facilitate the determination of whether further steps must be taken (i.e. general validity from the Commission, as elaborated upon in 4.3.).[[Article 40 GDPR#%20ftn28|[28]]]
 
 
 
===== Competent authority. =====
 
The code drafter must show that the authority to which the code is submitted is competent. How the competent authority is determined is outlined above.
 
 
 
===== Oversight of mechanisms and monitoring body. =====
 
The drafters must similarly ensure that steps for monitoring compliance are clearly laid out in the code of conduct. They must also provide for a monitoring body and the mechanisms[[Article 40 GDPR#%20ftn29|[29]]] that this body will apply to ensure compliance with the code of conduct.[[Article 40 GDPR#%20ftn30|[30]]]
 
 
 
===== Consultation. =====
 
The code drafters must consult relevant stakeholders such as data subjects and controllers and processors before the draft is considered admissible.[[Article 40 GDPR#%20ftn31|[31]]] This aspect is detailed above.
 
 
 
===== National legislation. =====
 
If national legislation applies, the association or other body drafting the code must confirm that it does not infringe such provisions. According to the EDPB, this is particularly the case if the code affects national laws or the processing at stake is subject to a national law.[[Article 40 GDPR#%20ftn32|[32]]]
 
 
 
===== Language. =====
 
The code must be written in the language in which the competent authority works. Transnational codes, however, should also have an English version, in addition to one in the competent authority’s language.[[Article 40 GDPR#%20ftn33|[33]]]
 
 
 
===== Checklist. =====
 
The code owner must ensure that they fulfil all the above conditions before submitting the code of conduct for approval.[[Article 40 GDPR#%20ftn34|[34]]] Annex 3 of the EDPB Guidelines provides a possible checklist for a code owner to verify this. They can then present it to the competent supervisory authority.[[Article 40 GDPR#%20ftn35|[35]]]
 
 
 
==== Criteria for getting approval. ====
 
The EDPB Guidelines also provide a series of criteria that must be fulfilled by code owners in order to gain formal approval for their code, amendment or extension from the competent authority.[[Article 40 GDPR#%20ftn36|[36]]] The following sections reflect the minimum cumulative requirements for approval.
 
 
 
Firstly, the code must address a specific need or a data protection issue that is common in a sector or in relation to a processing activity by a category of controllers or processors. The code owner must also demonstrate that it understands the problem and clearly show how the code proposes to resolve it in an “''effective and beneficial''” way for its members and data subjects. Without this, the code cannot get approval from the competent authority.[[Article 40 GDPR#%20ftn37|[37]]]
 
 
 
A key criterion for getting a code of conduct approved is described in Recital 98: the code owner must ensure that the code “''facilitate[s] the effective application of this Regulation''” in the sector or processing activity it seeks to address.
 
 
 
According to the EDPB Guidelines, in order to gain approval, the code drafters must ensure that the code of conduct specifies how the GDPR should apply in relation to the targeted processing activities or sector. This includes providing (non-exhaustively):
 
 
 
* clear improvements to ensure the targeted sector complies with the Regulation;
* realistic and attainable standards for the controllers and processors targeted;
* detailed information on data protection areas, such as those outlined in Article 40(2);
* sufficiently clear and effective solutions to concerns over processing in this sector;
* an “''operational meaning''” of the Article 5 GDPR principles; and
* clarifications on any EDPB opinions or guidance for the specific sector.
 
 
 
The EDPB also clarifies that a code drafter cannot simply restate provisions within the GDPR. The codes must supplement the Regulation by providing information on how it “''shall apply in a specific, practical and precise manner''” which relates to the processing activity or sector at the heart of the code. This can be achieved by using, for example, sector-specific terminology without being too “''legalistic''” and by giving examples of good practice.[[Article 40 GDPR#%20ftn38|[38]]]
 
 
 
As outlined in Article 40(5), the code of conduct must provide sufficient appropriate safeguards, “''taking into account the risk likely to result from the processing for the rights and freedoms of natural persons''” (Recital 98).
 
 
 
An oversight and compliance monitoring mechanism is a requirement stipulated under Article 40(4) GDPR. According to the EDPB, structures and procedures[[Article 40 GDPR#%20ftn39|[39]]] for enforcing the code must be stipulated by the code owner before gaining approval. This includes identifying a monitoring body within the meaning of Article 41 GDPR. Such monitoring mechanisms must be “''clear, suitable, attainable, efficient and enforceable (testable)''” according to the Guidelines.[[Article 40 GDPR#%20ftn40|[40]]]
 
 
 
==== Approval from the competent supervisory authority. ====
 
Subject to the code owners fulfilling the admissibility and approval requirements outlined above, the competent supervisory authority can approve the draft code, amendment or extension pursuant to Article 40(5). The EDPB Guidelines suggest that the authority should do so within a “''reasonable period of time''”[[Article 40 GDPR#%20ftn41|[41]]] and update the code owners throughout the approval process.
 
 
 
The authority should justify its approval in line with the criteria for admissibility and approval. Should the supervisory authority refuse to approve the code of conduct, it should give reasons for its opinion. This then enables the code owners to redraft and re-submit the code if they wish.[[Article 40 GDPR#%20ftn42|[42]]]
 
 
 
=== General validity of codes of conduct for cross-border processing activities. ===
 
Codes relating to processing activities in several Member States are transnational codes which must be granted “''general validity''” (Articles 40(7) to 40(10)).
 
 
 
==== Role of the supervisory authorities. ====
 
The competent authority[[Article 40 GDPR#%20ftn43|[43]]] with which the code owner has submitted the draft code must determine whether this code fulfils the admissibility criteria mentioned in subsection 4.2.2. above before proceeding.[[Article 40 GDPR#%20ftn44|[44]]]
 
 
 
After this initial step, the authority will then notify other supervisory authorities about the transnational code of conduct pursuant to Article 40(7). These authorities will then confirm whether they are “''concerned supervisory authorities''” (see Article 4(22)(a) and (b) GDPR). Finally, the competent authority will cooperate with them in line with the consistency mechanism found under Article 63 GDPR. This includes sending a draft of the code of conduct that the principal authority intends to approve[[Article 40 GDPR#%20ftn45|[45]]] to the other concerned supervisory authorities with a 30-day deadline to give feedback.
 
 
 
As per Article 40(7) GDPR, the principal authority must then submit the draft code, amendment or extension, along with any responses from concerned supervisory authorities, to the EDPB.
 
 
 
==== Opinion by the European Data Protection Board. ====
 
The EDPB will then generate an opinion as to whether the code of conduct complies with the Regulation, as per Article 40(7). According to the terminology of Articles 40(7) and 40(8), the EDPB’s opinion should identify whether the draft code provides “''appropriate safeguards''”. This opinion shall follow the Rules of Procedure of the Board, as well as Article 64 GDPR.[[Article 40 GDPR#%20ftn46|[46]]] 
 
 
 
After confirming that the code of conduct provides “''appropriate safeguards''”, there is an obligation[[Article 40 GDPR#%20ftn47|[47]]] imposed on the EDPB to “''submit its opinion to the Commission''” (Article 40(8)).
 
 
 
==== “General validity” granted by the European Commission. ====
 
After receiving the opinion of the EDPB, the European Commission will be the one to determine, “''by way of implementing acts''”, whether to grant the code of conduct “''general validity within the Union''” as per Article 40(9). The Article specifies that the “''implementing acts''” referred to must be adopted in line with the examination procedure under Article 93(2) GDPR.
 
 
 
=== Publication of approved codes and codes with general validity. ===
 
Article 40 provides additional requirements for publishing codes of conduct, amendments or extensions once they have been approved. This relates to both codes of conduct relating to processing activities in one Member State (national codes) and those relating to processing activities in several Member States (transnational codes).
 
 
 
==== Publication by the supervisory authority. ====
 
The competent supervisory authority that has approved the national code of conduct must then register and publish it in accordance with Article 40(6) GDPR. The same applies to any amendments or extensions submitted for approval.
 
 
 
==== Publication of a code with general validity. ====
 
According to Article 40(10), the Commission has responsibility over “''appropriate publicity''” that should be given to a transnational code of conduct which has been granted “''general validity''”.
 
 
 
It is uncertain whether the relevant supervisory authorities will also have to publish, in accordance with Article 40(6), the transnational codes of conduct that they sought to approve prior to the cooperation mechanism.
 
 
 
==== Register of codes of conduct. ====
 
Article 40(11) GDPR stipulates that the European Data Protection Board shall keep a register on “''all approved codes of conduct, amendments and extensions''” which is freely accessible and available to all “''by way of appropriate means''”.
 
 
 
The wording of Article 40(11) only specifically refers to “''approved codes''” without mentioning those with “''general validity''”. This could lead to some ambiguity as to the scope of Article 40(11).[[Article 40 GDPR#%20ftn48|[48]]] Nonetheless, it is presumed that this requirement to register codes of conduct applies to approved codes within the meaning of Articles 40(5) and (6) GDPR, as well as codes granted “''general validity''” by the European Commission as per Articles 40(7), (8), (9) and (10). The reason behind the assumption that Article 40(11) covers both types of codes of conduct is that it would not be logical for the EDPB to have to register codes of conduct approved by competent supervisory authorities throughout the European Union, but not those subject to its opinion before submission to the European Commission for “general validity”. Additionally, the wording of Article 40(11) refers to “''all approved codes of conducts''”, which most likely includes the “''[Commission] approved codes''” referred to in Article 40(10). The EDPB supports this.[[Article 40 GDPR#%20ftn49|[49]]]
 
 
 
The register can be found on the EDPB website. So far, only two codes of conduct (national ones) have been collated on this register. These are a code of conduct by Nederland ICT (NL Digital) in the Netherlands and one by Autocontrol (''Asociación para la Autorregulación de la Comunicación Comercial'') in Spain.[[Article 40 GDPR#%20ftn50|[50]]] However, it is apparent that there are various other codes of conduct that do not yet appear on the EDPB register, such as codes of conduct approved by the Austrian or Italian DPAs.[[Article 40 GDPR#%20ftn51|[51]]]
 
----
[[Article 40 GDPR#%20ftnref1|[1]]] Alain Bensoussan, ''Règlement européen sur la protection des données'' (2<sup>nd</sup> edn, Bruylant 2017) 290.
 
 
 
[[Article 40 GDPR#%20ftnref2|[2]]] EDPB, “Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679”, adopted on 4 June 2019 after public consultation, rev.02, 8.
 
 
 
[[Article 40 GDPR#%20ftnref3|[3]]] Articles 40 and 41 GDPR are connected. The former concerns the drawing up of codes of conduct whereas the latter concerns the monitoring of the application of those codes by appropriate bodies.
 
 
 
[[Article 40 GDPR#%20ftnref4|[4]]] EDPB (n1) 5.
 
 
 
[[Article 40 GDPR#%20ftnref5|[5]]] Article 40(1).
 
 
 
[[Article 40 GDPR#%20ftnref6|[6]]] Article 40(2).
 
 
 
[[Article 40 GDPR#%20ftnref7|[7]]] EDPB (n1) 7.
 
 
 
[[Article 40 GDPR#%20ftnref8|[8]]] Ibid 9.
 
 
 
[[Article 40 GDPR#%20ftnref9|[9]]] There were only two codes of conduct approved under the GDPR in the EDPB Register when this commentary was written (22/12/2020). See here: <nowiki>https://edpb.europa.eu/our-work-tools/accountability-tools/register-codes-conduct-amendments-and-extensions-art-4011_en</nowiki>.
 
 
 
[[Article 40 GDPR#%20ftnref10|[10]]] Article 40(2) uses the phrase “''such as with regard to''” before listing these potential topics, suggesting that they are only a few examples amongst others. The EDPB agrees with this reading of the Article. See EDPB (n1) 7.
 
 
 
[[Article 40 GDPR#%20ftnref11|[11]]] Article 40(2) uses the word “or” between subparagraphs (j) and (k).
 
 
 
[[Article 40 GDPR#%20ftnref12|[12]]] “''shall''”.
 
 
 
[[Article 40 GDPR#%20ftnref13|[13]]] EDPB (n1) 7.
 
 
 
[[Article 40 GDPR#%20ftnref14|[14]]] The EDPB agrees with this reading. See ibid 6.
 
 
 
[[Article 40 GDPR#%20ftnref15|[15]]] Ibid 7.
 
 
 
[[Article 40 GDPR#%20ftnref16|[16]]] The EDPB even provides a non-exhaustive list of possible “''code owners''” including “''trade and representative associations, sectoral organisations, academic organisations and interest groups''”. See ibid 11.
 
 
 
[[Article 40 GDPR#%20ftnref17|[17]]] The details of Articles 40(5) and 40(9) are discussed below.
 
 
 
[[Article 40 GDPR#%20ftnref18|[18]]] See Article 46(2)(e) GDPR.
 
 
 
[[Article 40 GDPR#%20ftnref19|[19]]] EDPB (n1) 10.
 
 
 
[[Article 40 GDPR#%20ftnref20|[20]]] On 22 December 2020, when this commentary was written. See here: <nowiki>https://edpb.europa.eu/our-work-tools/accountability-tools/register-codes-conduct-amendments-and-extensions-art-4011_en</nowiki>.
 
 
 
[[Article 40 GDPR#%20ftnref21|[21]]] EDPB (n1) 17.
 
 
 
[[Article 40 GDPR#%20ftnref22|[22]]] As per Article 55.
 
 
 
[[Article 40 GDPR#%20ftnref23|[23]]] EDPB (n1) 28.
 
 
 
[[Article 40 GDPR#%20ftnref24|[24]]] Ibid 17.
 
 
 
[[Article 40 GDPR#%20ftnref25|[25]]] Ibid 11.
 
 
 
[[Article 40 GDPR#%20ftnref26|[26]]] Ibid 11-12.
 
 
 
[[Article 40 GDPR#%20ftnref27|[27]]] Ibid 12.
 
 
 
[[Article 40 GDPR#%20ftnref28|[28]]] Ibid 12.
 
 
 
[[Article 40 GDPR#%20ftnref29|[29]]] See Article 41 for further information on monitoring bodies and the mechanisms.
 
 
 
[[Article 40 GDPR#%20ftnref30|[30]]] EDPB (n1) 12.
 
 
 
[[Article 40 GDPR#%20ftnref31|[31]]] Ibid 13.
 
 
 
[[Article 40 GDPR#%20ftnref32|[32]]] Ibid 13.
 
 
 
[[Article 40 GDPR#%20ftnref33|[33]]] Ibid 13.
 
 
 
[[Article 40 GDPR#%20ftnref34|[34]]] Ibid 14.
 
 
 
[[Article 40 GDPR#%20ftnref35|[35]]] Ibid 29.
 
 
 
[[Article 40 GDPR#%20ftnref36|[36]]] Ibid 28.
 
 
 
[[Article 40 GDPR#%20ftnref37|[37]]] Ibid 14.
 
 
 
[[Article 40 GDPR#%20ftnref38|[38]]] Ibid 15-16.
 
 
 
[[Article 40 GDPR#%20ftnref39|[39]]] For example, regular audits, reporting requirements, complaint handling and dispute resolution mechanisms as well as potential sanctions for failing to comply with the code of conduct.
 
 
 
[[Article 40 GDPR#%20ftnref40|[40]]] EDPB (n1) 16-17.
 
 
 
[[Article 40 GDPR#%20ftnref41|[41]]] Unless a specific time for approving a code of conduct is provided for in national law.
 
 
 
[[Article 40 GDPR#%20ftnref42|[42]]] EDPB (n1) 18.
 
 
 
[[Article 40 GDPR#%20ftnref43|[43]]] Details concerning the competency of the data protection authority outlined in 4.2.1 apply to transnational codes.
 
 
 
[[Article 40 GDPR#%20ftnref44|[44]]] EDPB (n1) 18.
 
 
 
[[Article 40 GDPR#%20ftnref45|[45]]] Presumably (as there is no information in the GDPR nor the Guidelines) in line with the conditions of approval outlined in 4.2.3.
 
 
 
[[Article 40 GDPR#%20ftnref46|[46]]] EDPB (n1) 20.
 
 
 
[[Article 40 GDPR#%20ftnref47|[47]]] “''shall''”.
 
 
 
[[Article 40 GDPR#%20ftnref48|[48]]] See Article 40(3) which refers to both types of codes distinctly: “'''''codes of conduct approved''''' ''pursuant to paragraph 5 of this Article and '''[codes of conduct] having general validity''' pursuant to paragraph 9 of this Article...''”
 
 
 
[[Article 40 GDPR#%20ftnref49|[49]]] EDPB (n1) 20.
 
 
 
[[Article 40 GDPR#%20ftnref50|[50]]] On 22 December 2020, when this commentary was written. See here: <nowiki>https://edpb.europa.eu/our-work-tools/accountability-tools/register-codes-conduct-amendments-and-extensions-art-4011_en</nowiki>.
 
 
 
[[Article 40 GDPR#%20ftnref51|[51]]] See, for example, Spanish DPA <nowiki>https://lnkd.in/e-jmVgK</nowiki>; Austrian DPA <nowiki>https://lnkd.in/eJaDmcB</nowiki>; Dutch DPA <nowiki>https://lnkd.in/eVpPdfr</nowiki>; Austrian DPA <nowiki>https://lnkd.in/eBgmP5x</nowiki>; Austrian DPA <nowiki>https://lnkd.in/ecTyuP4</nowiki>; Italian DPA <nowiki>https://lnkd.in/eJwSkJG</nowiki>.
 
 
 
==Decisions==
 
 
→ You can find all related decisions in [[:Category:Article 40 GDPR]]
 
==References==
 
<references />
 
 
[[Category:GDPR Articles]]
 
