Difference between revisions of "Article 40 GDPR"

From GDPRhub
 
(2 intermediate revisions by the same user not shown)
Line 2: Line 2:
 
![[Article 39 GDPR|←]] Article 40 - Codes of conduct [[Article 41 GDPR|→]]
 
![[Article 39 GDPR|←]] Article 40 - Codes of conduct [[Article 41 GDPR|→]]
 
|-
 
|-
|style="padding: 20px; background-color:#003399;"|[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]
+
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]
 
|-
 
|-
 
|
 
|
  
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
+
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
Line 17: Line 17:
 
</div></div>
 
</div></div>
  
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
+
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
Line 31: Line 31:
 
</div></div>
 
</div></div>
  
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
+
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
Line 50: Line 50:
 
</div></div>
 
</div></div>
  
<div class="toccolours mw-collapsible" overflow:auto;" style="border-width: 0px">
+
<div class="toccolours mw-collapsible" style="border-width: 0px" overflow:auto;">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
Line 77: Line 77:
 
</div></div>
 
</div></div>
  
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
+
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
Line 91: Line 91:
 
</div></div>
 
</div></div>
  
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
+
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
Line 107: Line 107:
 
</div></div>
 
</div></div>
  
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
+
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
Line 131: Line 131:
 
</div></div>
 
</div></div>
  
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
+
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
Line 146: Line 146:
 
</div></div>
 
</div></div>
  
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
+
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
Line 160: Line 160:
 
</div></div>
 
</div></div>
  
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
+
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
Line 169: Line 169:
 
</div></div>
 
</div></div>
  
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
+
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
Line 184: Line 184:
 
|}
 
|}
  
== Legal Text ==
+
==Legal Text==
 
<br /><center>'''Article 40 - Codes of conduct'''</center><br />
 
<br /><center>'''Article 40 - Codes of conduct'''</center><br />
  
Line 238: Line 238:
 
</div></div>
 
</div></div>
  
==Relevant Recitals==
 
 
<span id="r99">
 
<span id="r99">
 
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 99''' </div>
 
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 99''' </div>
Line 245: Line 244:
 
</div></div>
 
</div></div>
  
== Commentary ==
+
==Commentary==
 +
 
 +
=== Overview ===
 +
Article 40 GDPR outlines a possibility for actors to elaborate codes of conducts for the effective implementation of the GDPR in specific sectors or for specific processing activities. Codes of conduct are not obligatory but rather potential tools that can be used to promote compliance with the Regulation.
 +
 
 +
Article 40 GDPR elaborates upon an already existing provision under the Data Protection Directive 95/46/EC (Article 27(1) Directive). Accordingly, certain codes of conduct have already been elaborated under Article 27 Directive. These include a code of conduct on use of personal data in direct marketing practices, which was developed by the Federation of European Direct and Interactive Marketing (FEDMA), and a code of conduct on Cloud service providers developed by Cloud Select Industry Group (C-SIG). Both were approved by the Article 29 Working Party (hereafter, “WP29”).[[Article 40 GDPR#%20ftn1|[1]]]According to the European Data Protection Board Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 (hereafter: EDPB Guidelines), Article 40 of the GDPR provides more “''specific and detailed provisions''” concerning the requirements and procedural aspects for drafting codes than the Directive.[[Article 40 GDPR#%20ftn2|[2]]]
 +
 
 +
The aim of Article 40 and 41 GDPR[[Article 40 GDPR#%20ftn3|[3]]] is to ensure a “''practical, potentially cost effective and meaningful method to achieve greater levels of consistency''” in data protection law. This is particularly relevant given the fact that Member States may give effect to EU data protection law in ways which differ from their counterparts (e.g. where processing targeted by a code of conduct relates to a particular Member State).[[Article 40 GDPR#%20ftn4|[4]]]
 +
 
 +
=== Drawing up codes of conduct. ===
 +
It is important to clarify what is meant by a code of conduct, what they are for, who can draw them up and who is targeted by these voluntary documents.
 +
 
 +
==== Rationale for codes of conduct. ====
 +
According to Article 40, the purpose of a code of conducts is to “''[contribute] to the proper application''”[[Article 40 GDPR#%20ftn5|[5]]], as well as “''[specify] the application''”[[Article 40 GDPR#%20ftn6|[6]]] of the Regulation. Additionally, they may be developed to “''calibrate the obligations of controllers and processors''” according to Recital 98. As such, codes are intended to be an additional accountability tool which acts as a “''rulebook for controllers and processors''” that fall within the scope of the GDPR (and in certain cases, see  below, those who fall outside of it). The codes provide measures which data controllers and processors in a specific sector can implement in addition to, or to comply with, their existing legal obligation under the GDPR.[[Article 40 GDPR#%20ftn7|[7]]]
 +
 
 +
Interestingly, the EDPB suggests that codes can generate a degree of co-regulation amongst controllers and processors within the same processing sector. This in turn, can help alleviate burdens placed on data protection supervisory authorities from controllers and processors seeking advice  about the legality of their processing activities under the Regulation.[[Article 40 GDPR#%20ftn8|[8]]] This is, in theory, a strong argument in favour of developing codes of conduct and the corresponding monitoring bodies (as discussed in the commentary on Article 41). However, not many associations or other bodies have made use of this possibility under the GDPR.[[Article 40 GDPR#%20ftn9|[9]]] As such, data controllers and processors remain reliant on supervisory authorities for guidance on compliance with the GDPR. Unfortunately, guidance from these authorities will generally lack the sector-specificity that makes codes of conduct attractive in terms of effective application of the GDPR.
 +
 
 +
==== Content of the codes of conduct. ====
 +
Article 40(1) clarifies that codes of conduct must be tailored to “''specific features''” of a sector, as well as the “''specific needs of micro, small and medium-sized enterprises''”. Recital 98 and 99 provide additional information as to how the content of these codes of conduct may be developed. The former highlights that the codes should take into account “''risk likely to result from the [relevant] processing for the rights and freedoms of natural persons''”. According to the latter recital, the drafter “''should consult relevant stakeholders, including data subjects”'' in order to develop these codes. They should also duly consider the “''submissions received and views expressed in response to such consultations''”.
 +
 
 +
Article 40(2) provides a list of potential topics which the codes may address. It is important to note that the wording of the Article suggests that the list is non-exhaustive[[Article 40 GDPR#%20ftn10|[10]]] and are not necessarily cumulative.[[Article 40 GDPR#%20ftn11|[11]]] The Article provides the following examples of topics for the codes:
 +
 
 +
-      fairness and transparency in processing;
 +
 
 +
-      controllers’ legitimate interests in particular contexts;
 +
 
 +
-      collection of personal data;
 +
 
 +
-      pseudonymisation;
 +
 
 +
-      information to be provided to the public and to data subjects;
 +
 
 +
-      data subjects’ rights and their exercise;
 +
 
 +
-      processing children’s personal data (including information to be provided, protection and mechanisms for obtaining parental consent);
 +
 
 +
-      technical and organisational measures and the obligations to guarantee privacy by design and by default;
 +
 
 +
-      notification and communication of data breaches to the competent supervisory authority and to affected data subjects;
 +
 
 +
-      data transfers to third countries or international organisations; or
 +
 
 +
-      dispute resolution procedures.
 +
 
 +
Finally, Article 40(4) outlines that a code of conduct must necessarily[[Article 40 GDPR#%20ftn12|[12]]] contain information on how a monitoring body (provided for in Article 41 GDPR) can ensure compliance with the code of conduct. It is important to note that such monitoring should not (or will not) “''prejudice to the tasks and powers of supervisory authorities''”.
 +
 
 +
==== “shall encourage”. ====
 +
Codes of conduct themselves not obligatory. Article 40(1) GDPR provides that Member States, supervisory authorities, the EDPB and the Commission shall “''encourage''” actors to develop codes of conduct. This terminology, emphasised by the fact that Article 40(2) provides that relevant actors “''may''” draw up such codes, highlights that the codes are developed on a voluntary basis. The EDPB Guidelines also support this reading.[[Article 40 GDPR#%20ftn13|[13]]] However, through a detailed reading of Article 40(1), there is a clear obligation imposed on Member States, Supervisory Authorities, the EDBP and the European Commission to encourage their draw up. Indeed the wording of Article 40(1) is that they “'''''shall''''' ''encourage''” (emphasis added).[[Article 40 GDPR#%20ftn14|[14]]]  
 +
 
 +
==== “associations and other bodies”. ====
 +
According to Article 40(2), codes of conduct are to be drafted by trade associations and other bodies “''representing categories of controllers or processors''”. Therefore, these drafters act as representatives of specific sectors. The EDPB also refers to them as “''code owners''”.[[Article 40 GDPR#%20ftn15|[15]]]
 +
 
 +
There is some ambiguity in the wording of this GDPR provision. Article 40(1) outlines that the drawing up of codes must be encouraged without specifying what entities may do so. Only Article 40(2) makes direct reference to “''associations and other bodies''”. Therefore, it could be suggested that controller or processor can take up the task of drafting a code. However, Recital 98 makes direct reference to associations and other bodies when addressing the obligation to encourage drawing up of codes of conduct (Article 40(1)). Similarly, Article 40(5) only refers to associations and other bodies when specifying the steps to get a code approved. It may therefore be assumed that only such entities may develop these codes. The EDPB supports the suggestion that only associations and other bodies may draft codes.[[Article 40 GDPR#%20ftn16|[16]]]
 +
 
 +
==== Target audience for codes of conduct. ====
 +
Generally speaking, codes of conduct developed in accordance with Article 40 GDPR are aimed at categories of controllers and processors within the scope of application of the GDPR. These categories of controllers and processors are determined by their varying processing sectors. For example, a code of conduct for processing of personal data by banks would differ from one for the education sector. This is clear as Article 40(1) specifies that the codes should take into account “''the specific features of the various processing sectors''”. '' ''
 +
 
 +
However, Article 40(3) provides that certain codes of conduct can be followed by controllers and processors of personal data that are '''not''' subject to the Regulation. Such codes must be approved by the competent data protection supervisory authority as per Article 40(5) and have gained general validity from the European Commission pursuant Article 40(9).[[Article 40 GDPR#%20ftn17|[17]]] The third country controllers and processors must also make “''binding and enforceable commitments''” (i.e. contractual or other legally binding instruments). Should entities not subject to the GDPR adhere to them, these codes of conduct will act as appropriate safeguards in the context of transfers of personal data to third countries or international organisations.[[Article 40 GDPR#%20ftn18|[18]]] The hope is similarly that international codes will lead to the “''promotion and cultivation of the level of protection which the GDPR provides to the wider international community''”.[[Article 40 GDPR#%20ftn19|[19]]] However, the reality of this is quite different: no such codes of conduct have been adopted yet.[[Article 40 GDPR#%20ftn20|[20]]]
 +
 
 +
=== Approval of codes of conduct. ===
 +
Article 40(5) outlines that associations and other bodies which “''intend to prepare a code of conduct or to amend or extend an existing [one]''” must submit their draft to the competent supervisory authority. Once the code owner has submitted the draft, amendment or extension, in either an electronic or written format, the competent authority should review the code of conduct against the admissibility criteria and the conditions for approval which will be discussed in the following subsections.[[Article 40 GDPR#%20ftn21|[21]]] The supervisory authority will then approve the code, amendment or extension where it “''provides sufficient appropriate safeguards''”.
 +
 
 +
Not much detail is provided by the provisions in the GDPR with regards to the admissibility criteria and conditions for approval. Therefore, much of the following discussion is derived from the EDPB Guidelines, which elaborate on these requirements.
 +
 
 +
==== Competent authority. ====
 +
Although Article 40(5) mentions that the competent supervisory authority will be determined through the application of Article 55 GDPR, the GDPR does not provide concrete rules on this. However, the EDPB Guidelines explains how code owners may identify the competent authority in its Annex 2. This document provides factors that can be considered such as:
 +
 
 +
-      the Member State where there is most of the processing activity or sector;
 +
 
 +
-      the Member State where data subjects are most affected;
 +
 
 +
-      the Member State where the drafting association or other body has its headquarters;
 +
 
 +
-      the Member State where the monitoring body will have its headquarters; or
 +
 
 +
-      the Member State where a supervisory authority has developed initiatives in the specific field of the code of conduct.[[Article 40 GDPR#%20ftn22|[22]]]
 +
 
 +
==== Conditions for admissibility of a draft code. ====
 +
The EDPB Guidelines provide a series of conditions that code drafters should fulfil before considering submitting their code, amendment or extension to the competent supervisory authority for approval.[[Article 40 GDPR#%20ftn23|[23]]] The content of draft code, amendment or extension will not be reviewed further if it fails to fulfil the criteria for admissibility outlined below.[[Article 40 GDPR#%20ftn24|[24]]]
 +
 
 +
===== Explanatory statement and supporting documentation. =====
 +
The first step for admissibility of a draft code of conduct is to have a “''clear and concise explanatory statement''”. This will include an explanation of:
 +
 
 +
-      the purpose of the code;
 +
 
 +
-      the scope of the code; and
 +
 
 +
-      the way in which it will foster compliance with the GDPR.
 +
 
 +
Supporting documentation will also provide additional clarity.[[Article 40 GDPR#%20ftn25|[25]]]
 +
 
 +
===== Representing association or other bodies. =====
 +
The draft code must be drafted by an association or other bodies representing categories of controllers and processors (Article 40(2)).
 +
 
 +
The EDPB highlights that code owners must demonstrate to the competent authority that they fall within the meaning of “''associations and other bodies''” before submitting the code for approval. The Guidelines add that this entails providing proof of their capability to address the needs of controllers and processors and understanding of their processing activities.[[Article 40 GDPR#%20ftn26|[26]]]
 +
 
 +
===== Processing scope. =====
 +
The scope of application of the code must be sufficently precise. This includes information on the type of processing performed and the controllers and processors targeted by the code of conduct.[[Article 40 GDPR#%20ftn27|[27]]]
 +
 
 +
===== Territorial scope. =====
 +
The drafters must clarify whether the code applies to processing within one Member State or several Member States. This will then facilitate the determination of whether further steps must be taken (i.e. general validity from the Commission, as elaborated upon in 4.3.).[[Article 40 GDPR#%20ftn28|[28]]]
 +
 
 +
===== Competent authority. =====
 +
The code drafter must show the authority that they are competent. The competency of an authority it outlined above.
 +
 
 +
===== Oversight of mechanisms and monitoring body. =====
 +
The drafters must similarly ensure that steps for monitoring compliance are clearly laid out in the code of conduct. They must also provide for a monitoring body and the mechanisms[[Article 40 GDPR#%20ftn29|[29]]] that this body will apply to ensure compliance with the code of conduct.[[Article 40 GDPR#%20ftn30|[30]]]
 +
 
 +
===== Consultation. =====
 +
The code drafters must consult relevant stakeholders such as data subjects and controllers and processors before the draft is considered admissible.[[Article 40 GDPR#%20ftn31|[31]]] This aspect is detailed above.
 +
 
 +
===== National legislation. =====
 +
If national legislation applies, the association or other body drafting the code must confirm that it does not infringe such provisions. According to the EDPB, this is particularly the case if the code affects national laws or the processing at stake is subject to a national law.[[Article 40 GDPR#%20ftn32|[32]]]
 +
 
 +
===== Language. =====
 +
The code must be written in the language in which the competent authority works in. Transnational codes, however, should also have an English version of the code, in addition to one in the competent authority’s language.[[Article 40 GDPR#%20ftn33|[33]]]
 +
 
 +
===== Checklist. =====
 +
The code owner must ensure that they fulfill all the above conditions before submitting the code of conduct for approval.[[Article 40 GDPR#%20ftn34|[34]]] Annex 3 of the EDPB Guidelines provides a possible checklist for a code owner to verify this. They can then present it to the competent supervisory authority.[[Article 40 GDPR#%20ftn35|[35]]]
 +
 
 +
==== Criteria for getting approval. ====
 +
The EDPB Guidelines also provide a series of criteria that must be fullfiled by code owners in order to gain formal approval for their code, amendment or extension from the competent authority.[[Article 40 GDPR#%20ftn36|[36]]]  The following sections reflect the minimum cumulative requirements for approval.
 +
 
 +
Firstly, the code must address a specific need or a data protection issue that is common in a sector or in relation to a processing activity by a category of controllers or processors. The code owners must also demonstrate that it understands the problem and clearly show how the code proposes to resolve them in an “''effective and beneficial''” way for their members and data subjects. Without this, the code cannot get approval from the competent authority.[[Article 40 GDPR#%20ftn37|[37]]]
 +
 
 +
A key criterion for getting a code of conduct approved is described in Recital 98: the code owner must ensure that the code “''facilitate[s] the effective application of this Regulation''” in the sector or processing activity it seeks to address.
 +
 
 +
According to the EDPB Guidelines, in order to gain approval, the code drafters must ensure that the code of conduct specifies how the GDPR should apply in relation to the targeted processing activities or sector. This includes providing (non-exhaustively):
 +
 
 +
-      clear improvements to ensure the targeted sector complies with the Regulation;
 +
 
 +
-      realistic and attainable standards for the controllers and processors targeted;
 +
 
 +
-      detailed information on data protection areas, such as those outlined in Article 40(2);
 +
 
 +
-      sufficiently clear and effective solutions to concerns over processing in this sector;
 +
 
 +
-      an “''operational meaning''” of the Article 5 GDPR principles; and
 +
 
 +
-      clarifications on any EDPD opinions or guidance for the specific sector.
 +
 
 +
The EDPB also clarifies that a code drafter cannot simply restate provisions within the GDPR. The codes must supplement the Regulation by providing information on how it “''shall apply in a specific, practical and precise manner''” which relates to the processing activity or sector at the heart of the code. This can be achieved by using, for example, sector-specific terminology without being too “''legalistic''” and by giving examples of good practice.[[Article 40 GDPR#%20ftn38|[38]]]
 +
 
 +
As outlined in Article 40(5), the code of conduct must provide sufficient appropriate safeguards, “''taking into account the risk likely to result from the processing for the rights and freedoms of natural persons''” (Recital 98).
 +
 
 +
An oversight and compliance monitoring mechanism is a requirement stipulated under Article 40(4) GDPR. According to the EDPB, structures and procedures[[Article 40 GDPR#%20ftn39|[39]]] for enforcing the code must be stipulated by the code owner before gaining approval. This includes identifying a monitoring body within the meaning of Article 41 GDPR. Such monitoring mechanisms must be “''clear, suitable, attainable, efficient and enforceable (testable)''” according to the Guidelines.[[Article 40 GDPR#%20ftn40|[40]]]
 +
 
 +
==== Approval from the competent supervisory authority. ====
 +
Subject to the code owners fulfilling the admissibility and approval requirements outlined above, the competent supervisory can approve the draft code, amendment or extension pursuant to Article 40(5). The EDPB Guidelines suggest that the authority should do so within a “''reasonable period of time''”[[Article 40 GDPR#%20ftn41|[41]]] and update the code owners throughout the approval process.
 +
 
 +
The authority should justify its approval in line with the prerequisite criteria for admissibility and approval. Should the supervisory authority refuse to approve the code of conduct, it should provide a reasoning for its opinion. This can then enable the code owners to redraft and re-submit the code if they want.[[Article 40 GDPR#%20ftn42|[42]]]  
 +
 
 +
=== General validity of codes of conduct for cross-border processing activities. ===
 +
Codes relating to processing activities in several Member States are transnational codes which must be granted “''general validity''” (Articles 40(7) to 40(10)).
 +
 
 +
==== Role of the supervisory authorities. ====
 +
The competent authority[[Article 40 GDPR#%20ftn43|[43]]] with which the code owner has submitted the draft code must determine whether this code fulfills the admissibility criteria mentionned in subsection 4.2.2. above before proceeding.[[Article 40 GDPR#%20ftn44|[44]]]
 +
 
 +
After this initial step, the authority will then notify other supervisory authorities about the transnational code of conduct pursuant to Article 40(7). These authorities will then confirm whether they are “''concerned supervisory authorities''” (see Article 4(22)(a) and (b) GDPR). Finally, the competent authority will cooperate with them in line with the consistency mechanism found under Article 63 GDPR. This includes sending a draft of the code of conduct that the principal authority intends to approve[[Article 40 GDPR#%20ftn45|[45]]] to the other concerned supervisory authorities with a 30 day deadline to give feedback.
 +
 
 +
As per Article 40(7) GDPR, the principal authority must then submit the draft code, amendment or extension, along with any responses from concerned supervisory authorities, to the EDPB.
 +
 
 +
==== Opinion by the European Data Protection Board. ====
 +
The EDPB will then generate an opinion as to whether the code of conduct complies with the Regulation, as per Article 40(7). According to the terminology of Articles 40(7) and 40(8), the EDPB’s opinion should identify whether the draft code provides “''appropriate safeguards''”. This opinion shall follow the Rules of Procedure of the Board, as well as Article 64 GDPR.[[Article 40 GDPR#%20ftn46|[46]]] 
 +
 
 +
After confirming that the code of conduct provides “''appropriate safeguards''”, there is an obligation[[Article 40 GDPR#%20ftn47|[47]]] imposed on the EDPB to “''submit its opinion to the Commission''” (Article 40(8)).
 +
 
 +
==== “General validity” granted by the European Commission. ====
 +
After receiving the opinion of the EDPB, the European Commission will be the one to determine, “''by way of implementing acts''”, whether to grant the code of conduct “''general validity within the Union''” as per Article 40(9). The Article specifies that the “''implementing acts''” referred to must be adopted in line with the examination procedure under Article 93(2) GDPR.
 +
 
 +
=== Publication of approved codes and codes with general validity. ===
 +
Article 40 provides additional requirements for publishing codes of conduct, amendments or extensions once they have been approved. This relates to both codes of conduct relating to processing activities in one Member State (national codes) and those relating to processing activities in several Member States (transnational codes).
 +
 
 +
==== Publication by the supervisory authority. ====
 +
The competent supervisory authority that has approved the national code of conduct must then register and publish it in accordance with Article 40(6) GDPR. The same applies to any amendments or extensions submitted for approval.
 +
 
 +
==== Publication of a code with general validity. ====
 +
According to Article 40(10), the Commission has responsibility over “''appropriate publicity''” that should be given to a transnational code of conduct which has been granted “''general validity''”.
 +
 
 +
It is uncertain whether the relevant supervisory authorities will have to publicise the transnational codes of conduct that they sought to approve prior to the cooperation mechanism, as according to Article 40(6).
 +
 
 +
==== Register of codes of conduct. ====

Article 40(11) GDPR stipulates that the European Data Protection Board shall keep a register of “''all approved codes of conduct, amendments and extensions''” which is freely accessible and available to all “''by way of appropriate means''”.

The wording of Article 40(11) only specifically refers to “''approved codes''” without mentioning those with “''general validity''”. This could lead to some ambiguity as to the scope of Article 40(11).[[Article 40 GDPR#%20ftn48|[48]]] Nonetheless, it is presumed that this requirement to register codes of conduct applies to approved codes within the meaning of Articles 40(5) and (6) GDPR, as well as to codes granted “''general validity''” by the European Commission as per Articles 40(7), (8), (9) and (10). The reason behind the assumption that Article 40(11) covers both types of codes of conduct is that it would not be logical for the EDPB to have to register codes of conduct approved by competent supervisory authorities throughout the European Union, but not those subject to its opinion before submission to the European Commission for “general validity”. Additionally, the wording of Article 40(11) refers to “''all approved codes of conduct''”, which most likely includes the “''[Commission] approved codes''” referred to in Article 40(10). The EDPB supports this reading.[[Article 40 GDPR#%20ftn49|[49]]]

The register can be found on the EDPB website. So far, only two codes of conduct (both national ones) have been collated on this register: a code of conduct by Nederland ICT (NL Digital) in the Netherlands and one by Autocontrol (''Asociación para la Autorregulación de la Comunicación Comercial'') in Spain.[[Article 40 GDPR#%20ftn50|[50]]] However, it is apparent that various other codes of conduct do not yet appear on the EDPB register, such as codes of conduct approved by the Austrian or Italian DPAs.[[Article 40 GDPR#%20ftn51|[51]]]
----
[[Article 40 GDPR#%20ftnref1|[1]]] Alain Bensoussan, ''Règlement européen sur la protection des données'' (2<sup>nd</sup> edn, Bruylant 2017) 290.

[[Article 40 GDPR#%20ftnref2|[2]]] EDPB, “Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679”, adopted on 4 June 2019 after public consultation, rev.02, 8.

[[Article 40 GDPR#%20ftnref3|[3]]] Articles 40 and 41 GDPR are connected. The former concerns the drawing up of codes of conduct whereas the latter concerns the monitoring of the application of those codes by appropriate bodies.

[[Article 40 GDPR#%20ftnref4|[4]]] EDPB (n1) 5.

[[Article 40 GDPR#%20ftnref5|[5]]] Article 40(1).

[[Article 40 GDPR#%20ftnref6|[6]]] Article 40(2).

[[Article 40 GDPR#%20ftnref7|[7]]] EDPB (n1) 7.

[[Article 40 GDPR#%20ftnref8|[8]]] Ibid 9.

[[Article 40 GDPR#%20ftnref9|[9]]] There were only two codes of conduct approved under the GDPR in the EDPB Register when this commentary was written (22/12/2020). See here: <nowiki>https://edpb.europa.eu/our-work-tools/accountability-tools/register-codes-conduct-amendments-and-extensions-art-4011_en</nowiki>.

[[Article 40 GDPR#%20ftnref10|[10]]] Article 40(2) uses the phrase “''such as with regard to''” before listing these potential topics, suggesting that they are only a few examples amongst others. The EDPB agrees with this reading of the Article. See EDPB (n1) 7.

[[Article 40 GDPR#%20ftnref11|[11]]] Article 40(2) uses the word “or” between subparagraphs (j) and (k).

[[Article 40 GDPR#%20ftnref12|[12]]] “''shall''”.

[[Article 40 GDPR#%20ftnref13|[13]]] EDPB (n1) 7.

[[Article 40 GDPR#%20ftnref14|[14]]] The EDPB agrees with this reading. See ibid 6.

[[Article 40 GDPR#%20ftnref15|[15]]] Ibid 7.

[[Article 40 GDPR#%20ftnref16|[16]]] The EDPB even provides a non-exhaustive list of possible “''code owners''” including “''trade and representative associations, sectoral organisations, academic organisations and interest groups''”. See ibid 11.

[[Article 40 GDPR#%20ftnref17|[17]]] The details of Articles 40(5) and 40(9) are discussed below.

[[Article 40 GDPR#%20ftnref18|[18]]] See Article 46(2)(e) GDPR.

[[Article 40 GDPR#%20ftnref19|[19]]] EDPB (n1) 10.

[[Article 40 GDPR#%20ftnref20|[20]]] On 22 December 2020, when this commentary was written. See here: <nowiki>https://edpb.europa.eu/our-work-tools/accountability-tools/register-codes-conduct-amendments-and-extensions-art-4011_en</nowiki>.

[[Article 40 GDPR#%20ftnref21|[21]]] EDPB (n1) 17.

[[Article 40 GDPR#%20ftnref22|[22]]] As per Article 55.

[[Article 40 GDPR#%20ftnref23|[23]]] EDPB (n1) 28.

[[Article 40 GDPR#%20ftnref24|[24]]] Ibid 17.

[[Article 40 GDPR#%20ftnref25|[25]]] Ibid 11.

[[Article 40 GDPR#%20ftnref26|[26]]] Ibid 11-12.

[[Article 40 GDPR#%20ftnref27|[27]]] Ibid 12.

[[Article 40 GDPR#%20ftnref28|[28]]] Ibid 12.

[[Article 40 GDPR#%20ftnref29|[29]]] See Article 41 for further information on monitoring bodies and the mechanisms.

[[Article 40 GDPR#%20ftnref30|[30]]] EDPB (n1) 12.

[[Article 40 GDPR#%20ftnref31|[31]]] Ibid 13.

[[Article 40 GDPR#%20ftnref32|[32]]] Ibid 13.

[[Article 40 GDPR#%20ftnref33|[33]]] Ibid 13.

[[Article 40 GDPR#%20ftnref34|[34]]] Ibid 14.

[[Article 40 GDPR#%20ftnref35|[35]]] Ibid 29.

[[Article 40 GDPR#%20ftnref36|[36]]] Ibid 28.

[[Article 40 GDPR#%20ftnref37|[37]]] Ibid 14.

[[Article 40 GDPR#%20ftnref38|[38]]] Ibid 15-16.

[[Article 40 GDPR#%20ftnref39|[39]]] For example, regular audits, reporting requirements, complaint handling and dispute resolution mechanisms as well as potential sanctions for failing to comply with the code of conduct.

[[Article 40 GDPR#%20ftnref40|[40]]] EDPB (n1) 16-17.

[[Article 40 GDPR#%20ftnref41|[41]]] Unless a specific time for approving a code of conduct is provided for in national law.

[[Article 40 GDPR#%20ftnref42|[42]]] EDPB (n1) 18.

[[Article 40 GDPR#%20ftnref43|[43]]] Details concerning the competency of the data protection authority outlined in 4.2.1 apply to transnational codes.

[[Article 40 GDPR#%20ftnref44|[44]]] EDPB (n1) 18.

[[Article 40 GDPR#%20ftnref45|[45]]] Presumably (as there is no information in the GDPR nor the Guidelines) in line with the conditions of approval outlined in 4.2.3.

[[Article 40 GDPR#%20ftnref46|[46]]] EDPB (n1) 20.

[[Article 40 GDPR#%20ftnref47|[47]]] “''shall''”.

[[Article 40 GDPR#%20ftnref48|[48]]] See Article 40(3) which refers to both types of codes distinctly: “'''''codes of conduct approved''''' ''pursuant to paragraph 5 of this Article and '''[codes of conduct] having general validity''' pursuant to paragraph 9 of this Article...''”

[[Article 40 GDPR#%20ftnref49|[49]]] EDPB (n1) 20.

[[Article 40 GDPR#%20ftnref50|[50]]] On 22 December 2020, when this commentary was written. See here: <nowiki>https://edpb.europa.eu/our-work-tools/accountability-tools/register-codes-conduct-amendments-and-extensions-art-4011_en</nowiki>.

[[Article 40 GDPR#%20ftnref51|[51]]] See, for example, Spanish DPA <nowiki>https://lnkd.in/e-jmVgK</nowiki>; Austrian DPA <nowiki>https://lnkd.in/eJaDmcB</nowiki>; Dutch DPA <nowiki>https://lnkd.in/eVpPdfr</nowiki>; Austrian DPA <nowiki>https://lnkd.in/eBgmP5x</nowiki>; Austrian DPA <nowiki>https://lnkd.in/ecTyuP4</nowiki>; Italian DPA <nowiki>https://lnkd.in/eJwSkJG</nowiki>.

== Decisions ==

→ You can find all related decisions in [[:Category:Article 40 GDPR]]

== References ==

<references />

[[Category:GDPR Articles]]

Latest revision as of 17:12, 8 February 2021

Article 40 - Codes of conduct

== Legal Text ==

Article 40 - Codes of conduct

1. The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.

2. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:

(a) fair and transparent processing;
(b) the legitimate interests pursued by controllers in specific contexts;
(c) the collection of personal data;
(d) the pseudonymisation of personal data;
(e) the information provided to the public and to data subjects;
(f) the exercise of the rights of data subjects;
(g) the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;
(h) the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32;
(i) the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects;
(j) the transfer of personal data to third countries or international organisations; or
(k) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.

3. In addition to adherence by controllers or processors subject to this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article and having general validity pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (e) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards including with regard to the rights of data subjects.

4. A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of supervisory authorities competent pursuant to Article 55 or 56.

5. Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the supervisory authority which is competent pursuant to Article 55. The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards.

6. Where the draft code, or amendment or extension is approved in accordance with paragraph 5, and where the code of conduct concerned does not relate to processing activities in several Member States, the supervisory authority shall register and publish the code.

7. Where a draft code of conduct relates to processing activities in several Member States, the supervisory authority which is competent pursuant to Article 55 shall, before approving the draft code, amendment or extension, submit it in the procedure referred to in Article 63 to the Board which shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3 of this Article, provides appropriate safeguards.

8. Where the opinion referred to in paragraph 7 confirms that the draft code, amendment or extension complies with this Regulation, or, in the situation referred to in paragraph 3, provides appropriate safeguards, the Board shall submit its opinion to the Commission.

9. The Commission may, by way of implementing acts, decide that the approved code of conduct, amendment or extension submitted to it pursuant to paragraph 8 of this Article have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).

10. The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 9.

11. The Board shall collate all approved codes of conduct, amendments and extensions in a register and shall make them publicly available by way of appropriate means.

== Relevant Recitals ==

Recital 98

Associations or other bodies representing categories of controllers or processors should be encouraged to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors and the specific needs of micro, small and medium enterprises. In particular, such codes of conduct could calibrate the obligations of controllers and processors, taking into account the risk likely to result from the processing for the rights and freedoms of natural persons.

Recital 99

When drawing up a code of conduct, or when amending or extending such a code, associations and other bodies representing categories of controllers or processors should consult relevant stakeholders, including data subjects where feasible, and have regard to submissions received and views expressed in response to such consultations.

== Commentary ==

=== Overview ===

Article 40 GDPR outlines a possibility for actors to elaborate codes of conducts for the effective implementation of the GDPR in specific sectors or for specific processing activities. Codes of conduct are not obligatory but rather potential tools that can be used to promote compliance with the Regulation.

Article 40 GDPR elaborates upon an already existing provision under the Data Protection Directive 95/46/EC (Article 27(1) Directive). Accordingly, certain codes of conduct had already been elaborated under Article 27 Directive. These include a code of conduct on the use of personal data in direct marketing practices, which was developed by the Federation of European Direct and Interactive Marketing (FEDMA), and a code of conduct on Cloud service providers developed by the Cloud Select Industry Group (C-SIG). Both were approved by the Article 29 Working Party (hereafter, “WP29”).[1] According to the European Data Protection Board Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 (hereafter: EDPB Guidelines), Article 40 of the GDPR provides more “specific and detailed provisions” concerning the requirements and procedural aspects for drafting codes than the Directive.[2]

The aim of Articles 40 and 41 GDPR[3] is to ensure a “practical, potentially cost effective and meaningful method to achieve greater levels of consistency” in data protection law. This is particularly relevant given that Member States may give effect to EU data protection law in ways which differ from their counterparts (e.g. where processing targeted by a code of conduct relates to a particular Member State).[4]

=== Drawing up codes of conduct. ===

It is important to clarify what is meant by a code of conduct, what they are for, who can draw them up and who is targeted by these voluntary documents.

==== Rationale for codes of conduct. ====

According to Article 40, the purpose of codes of conduct is to “[contribute] to the proper application”[5], as well as to “[specify] the application”[6] of the Regulation. Additionally, they may be developed to “calibrate the obligations of controllers and processors” according to Recital 98. As such, codes are intended to be an additional accountability tool which acts as a “rulebook for controllers and processors” that fall within the scope of the GDPR (and, in certain cases, see below, those who fall outside of it). The codes provide measures which data controllers and processors in a specific sector can implement in addition to, or to comply with, their existing legal obligations under the GDPR.[7]

Interestingly, the EDPB suggests that codes can generate a degree of co-regulation amongst controllers and processors within the same processing sector. This, in turn, can help alleviate the burden placed on data protection supervisory authorities by controllers and processors seeking advice about the legality of their processing activities under the Regulation.[8] This is, in theory, a strong argument in favour of developing codes of conduct and the corresponding monitoring bodies (as discussed in the commentary on Article 41). However, not many associations or other bodies have made use of this possibility under the GDPR.[9] As such, data controllers and processors remain reliant on supervisory authorities for guidance on compliance with the GDPR. Unfortunately, guidance from these authorities will generally lack the sector-specificity that makes codes of conduct attractive in terms of effective application of the GDPR.

==== Content of the codes of conduct. ====

Article 40(1) clarifies that codes of conduct must be tailored to the “specific features” of a sector, as well as the “specific needs of micro, small and medium-sized enterprises”. Recitals 98 and 99 provide additional information as to how the content of these codes of conduct may be developed. The former highlights that the codes should take into account the “risk likely to result from the [relevant] processing for the rights and freedoms of natural persons”. According to the latter recital, the drafter “should consult relevant stakeholders, including data subjects” in order to develop these codes. They should also duly consider the “submissions received and views expressed in response to such consultations”.

Article 40(2) provides a list of potential topics which the codes may address. It is important to note that the wording of the Article suggests that the list is non-exhaustive[10] and that its items are not necessarily cumulative.[11] The Article provides the following examples of topics for the codes:

* fairness and transparency in processing;
* controllers’ legitimate interests in particular contexts;
* collection of personal data;
* pseudonymisation;
* information to be provided to the public and to data subjects;
* data subjects’ rights and their exercise;
* processing children’s personal data (including information to be provided, protection and mechanisms for obtaining parental consent);
* technical and organisational measures and the obligations to guarantee privacy by design and by default;
* notification and communication of data breaches to the competent supervisory authority and to affected data subjects;
* data transfers to third countries or international organisations; or
* dispute resolution procedures.

Finally, Article 40(4) outlines that a code of conduct must necessarily[12] contain information on how a monitoring body (provided for in Article 41 GDPR) can ensure compliance with the code of conduct. It is important to note that such monitoring must not (and will not) prejudice “the tasks and powers of supervisory authorities”.

==== “shall encourage”. ====

Codes of conduct are themselves not obligatory. Article 40(1) GDPR provides that Member States, supervisory authorities, the EDPB and the Commission shall “encourage” actors to develop codes of conduct. This terminology, emphasised by the fact that Article 40(2) provides that relevant actors “may” draw up such codes, highlights that the codes are developed on a voluntary basis. The EDPB Guidelines also support this reading.[13] However, a detailed reading of Article 40(1) shows a clear obligation imposed on Member States, supervisory authorities, the EDPB and the European Commission to encourage their drawing up. Indeed, the wording of Article 40(1) is that they “shall encourage” (emphasis added).[14]

==== “associations and other bodies”. ====

According to Article 40(2), codes of conduct are to be drafted by trade associations and other bodies “representing categories of controllers or processors”. Therefore, these drafters act as representatives of specific sectors. The EDPB also refers to them as “code owners”.[15]

There is some ambiguity in the wording of this GDPR provision. Article 40(1) outlines that the drawing up of codes must be encouraged without specifying which entities may do so. Only Article 40(2) makes direct reference to “associations and other bodies”. It could therefore be suggested that a controller or processor could take up the task of drafting a code. However, Recital 98 makes direct reference to associations and other bodies when addressing the obligation to encourage the drawing up of codes of conduct (Article 40(1)). Similarly, Article 40(5) only refers to associations and other bodies when specifying the steps to get a code approved. It may therefore be assumed that only such entities may develop these codes. The EDPB supports the suggestion that only associations and other bodies may draft codes.[16]

==== Target audience for codes of conduct. ====

Generally speaking, codes of conduct developed in accordance with Article 40 GDPR are aimed at categories of controllers and processors within the scope of application of the GDPR. These categories of controllers and processors are determined by their varying processing sectors. For example, a code of conduct for processing of personal data by banks would differ from one for the education sector. This is clear as Article 40(1) specifies that the codes should take into account “the specific features of the various processing sectors”.  

However, Article 40(3) provides that certain codes of conduct can be followed by controllers and processors of personal data that are not subject to the Regulation. Such codes must be approved by the competent data protection supervisory authority as per Article 40(5) and have gained general validity from the European Commission pursuant to Article 40(9).[17] The third country controllers and processors must also make “binding and enforceable commitments” (i.e. contractual or other legally binding instruments). Should entities not subject to the GDPR adhere to them, these codes of conduct will act as appropriate safeguards in the context of transfers of personal data to third countries or international organisations.[18] The hope is also that international codes will lead to the “promotion and cultivation of the level of protection which the GDPR provides to the wider international community”.[19] However, the reality is quite different: no such codes of conduct have been adopted yet.[20]

=== Approval of codes of conduct. ===

Article 40(5) outlines that associations and other bodies which “intend to prepare a code of conduct or to amend or extend an existing [one]” must submit their draft to the competent supervisory authority. Once the code owner has submitted the draft, amendment or extension, in either an electronic or written format, the competent authority should review the code of conduct against the admissibility criteria and the conditions for approval which will be discussed in the following subsections.[21] The supervisory authority will then approve the code, amendment or extension where it “provides sufficient appropriate safeguards”.

Not much detail is provided by the provisions in the GDPR with regards to the admissibility criteria and conditions for approval. Therefore, much of the following discussion is derived from the EDPB Guidelines, which elaborate on these requirements.

==== Competent authority. ====

Although Article 40(5) mentions that the competent supervisory authority will be determined through the application of Article 55 GDPR, the GDPR does not provide concrete rules on this. However, Annex 2 of the EDPB Guidelines explains how code owners may identify the competent authority. It lists factors that can be considered, such as:

* the Member State where there is most of the processing activity or sector;
* the Member State where data subjects are most affected;
* the Member State where the drafting association or other body has its headquarters;
* the Member State where the monitoring body will have its headquarters; or
* the Member State where a supervisory authority has developed initiatives in the specific field of the code of conduct.[22]

==== Conditions for admissibility of a draft code. ====

The EDPB Guidelines provide a series of conditions that code drafters should fulfil before considering submitting their code, amendment or extension to the competent supervisory authority for approval.[23] The content of a draft code, amendment or extension will not be reviewed further if it fails to fulfil the criteria for admissibility outlined below.[24]

===== Explanatory statement and supporting documentation. =====

The first step for admissibility of a draft code of conduct is to have a “clear and concise explanatory statement”. This will include an explanation of:

* the purpose of the code;
* the scope of the code; and
* the way in which it will foster compliance with the GDPR.

Supporting documentation will also provide additional clarity.[25]

===== Representing association or other bodies. =====

The draft code must be drafted by an association or other body representing categories of controllers and processors (Article 40(2)).

The EDPB highlights that code owners must demonstrate to the competent authority that they fall within the meaning of “associations and other bodies” before submitting the code for approval. The Guidelines add that this entails providing proof of their capability to address the needs of controllers and processors and understanding of their processing activities.[26]

===== Processing scope. =====

The scope of application of the code must be sufficiently precise. This includes information on the type of processing performed and the controllers and processors targeted by the code of conduct.[27]

===== Territorial scope. =====

The drafters must clarify whether the code applies to processing within one Member State or several Member States. This will then facilitate the determination of whether further steps must be taken (i.e. general validity from the Commission, as elaborated upon in 4.3.).[28]

===== Competent authority. =====

The code drafter must demonstrate to the supervisory authority that it is the competent authority for the code. How the competency of an authority is determined is outlined above.

===== Oversight of mechanisms and monitoring body. =====

The drafters must similarly ensure that steps for monitoring compliance are clearly laid out in the code of conduct. They must also provide for a monitoring body and the mechanisms[29] that this body will apply to ensure compliance with the code of conduct.[30]

===== Consultation. =====

The code drafters must consult relevant stakeholders such as data subjects and controllers and processors before the draft is considered admissible.[31] This aspect is detailed above.

===== National legislation. =====

If national legislation applies, the association or other body drafting the code must confirm that it does not infringe such provisions. According to the EDPB, this is particularly the case if the code affects national laws or the processing at stake is subject to a national law.[32]

===== Language. =====

The code must be written in the language in which the competent authority works. Transnational codes, however, should also have an English version, in addition to one in the competent authority’s language.[33]

===== Checklist. =====

The code owner must ensure that they fulfil all the above conditions before submitting the code of conduct for approval.[34] Annex 3 of the EDPB Guidelines provides a possible checklist for a code owner to verify this, which they can then present to the competent supervisory authority.[35]

==== Criteria for getting approval. ====

The EDPB Guidelines also provide a series of criteria that must be fulfilled by code owners in order to gain formal approval for their code, amendment or extension from the competent authority.[36] The following sections reflect the minimum cumulative requirements for approval.

Firstly, the code must address a specific need or a data protection issue that is common in a sector or in relation to a processing activity by a category of controllers or processors. The code owner must also demonstrate that it understands the problem and clearly show how the code proposes to resolve it in an “effective and beneficial” way for its members and data subjects. Without this, the code cannot get approval from the competent authority.[37]

A key criterion for getting a code of conduct approved is described in Recital 98: the code owner must ensure that the code “facilitate[s] the effective application of this Regulation” in the sector or processing activity it seeks to address.

According to the EDPB Guidelines, in order to gain approval, the code drafters must ensure that the code of conduct specifies how the GDPR should apply in relation to the targeted processing activities or sector. This includes providing (non-exhaustively):

* clear improvements to ensure the targeted sector complies with the Regulation;
* realistic and attainable standards for the controllers and processors targeted;
* detailed information on data protection areas, such as those outlined in Article 40(2);
* sufficiently clear and effective solutions to concerns over processing in this sector;
* an “operational meaning” of the Article 5 GDPR principles; and
* clarifications on any EDPB opinions or guidance for the specific sector.

The EDPB also clarifies that a code drafter cannot simply restate provisions within the GDPR. The codes must supplement the Regulation by providing information on how it “shall apply in a specific, practical and precise manner” which relates to the processing activity or sector at the heart of the code. This can be achieved by using, for example, sector-specific terminology without being too “legalistic” and by giving examples of good practice.[38]

As outlined in Article 40(5), the code of conduct must provide sufficient appropriate safeguards, “taking into account the risk likely to result from the processing for the rights and freedoms of natural persons” (Recital 98).

An oversight and compliance monitoring mechanism is a requirement stipulated under Article 40(4) GDPR. According to the EDPB, structures and procedures[39] for enforcing the code must be stipulated by the code owner before gaining approval. This includes identifying a monitoring body within the meaning of Article 41 GDPR. Such monitoring mechanisms must be “clear, suitable, attainable, efficient and enforceable (testable)” according to the Guidelines.[40]

==== Approval from the competent supervisory authority. ====

Subject to the code owners fulfilling the admissibility and approval requirements outlined above, the competent supervisory authority can approve the draft code, amendment or extension pursuant to Article 40(5). The EDPB Guidelines suggest that the authority should do so within a “reasonable period of time”[41] and update the code owners throughout the approval process.

The authority should justify its approval in line with the prerequisite criteria for admissibility and approval. Should the supervisory authority refuse to approve the code of conduct, it should give the reasoning behind its opinion. This then enables the code owners to redraft and re-submit the code if they wish.[42]

=== General validity of codes of conduct for cross-border processing activities. ===

Codes relating to processing activities in several Member States are transnational codes which must be granted “general validity” (Articles 40(7) to 40(10)).

==== Role of the supervisory authorities. ====

The competent authority[43] to which the code owner has submitted the draft code must determine whether the code fulfils the admissibility criteria mentioned in subsection 4.2.2. above before proceeding.[44]

After this initial step, the authority will then notify the other supervisory authorities about the transnational code of conduct pursuant to Article 40(7). These authorities will then confirm whether they are “concerned supervisory authorities” (see Article 4(22)(a) and (b) GDPR). Finally, the competent authority will cooperate with them in line with the consistency mechanism found under Article 63 GDPR. This includes sending the draft code of conduct that the principal authority intends to approve[45] to the other concerned supervisory authorities, with a 30-day deadline for feedback.

As per Article 40(7) GDPR, the principal authority must then submit the draft code, amendment or extension, along with any responses from concerned supervisory authorities, to the EDPB.

==== Opinion by the European Data Protection Board. ====

The EDPB will then generate an opinion as to whether the code of conduct complies with the Regulation, as per Article 40(7). According to the terminology of Articles 40(7) and 40(8), the EDPB’s opinion should identify whether the draft code provides “appropriate safeguards”. This opinion shall follow the Rules of Procedure of the Board, as well as Article 64 GDPR.[46] 

After confirming that the code of conduct provides “appropriate safeguards”, there is an obligation[47] imposed on the EDPB to “submit its opinion to the Commission” (Article 40(8)).

“General validity” granted by the European Commission.

After receiving the opinion of the EDPB, the European Commission will be the one to determine, “by way of implementing acts”, whether to grant the code of conduct “general validity within the Union” as per Article 40(9). The Article specifies that the “implementing acts” referred to must be adopted in line with the examination procedure under Article 93(2) GDPR.

Publication of approved codes and codes with general validity.

Article 40 provides additional requirements for publishing codes of conduct, amendments or extensions once they have been approved. This relates to both codes of conduct relating to processing activities in one Member State (national codes) and those relating to processing activities in several Member States (transnational codes).

Publication by the supervisory authority.

The competent supervisory authority that has approved the national code of conduct must then register and publish it in accordance with Article 40(6) GDPR. The same applies to any amendments or extensions submitted for approval.

Publication of a code with general validity.

According to Article 40(10), the Commission has responsibility over “appropriate publicity” that should be given to a transnational code of conduct which has been granted “general validity”.

It is uncertain whether the relevant supervisory authorities will also have to publish, in accordance with Article 40(6), the transnational codes of conduct that they sought to approve prior to the cooperation mechanism.

Register of codes of conduct.

Article 40(11) GDPR stipulates that the European Data Protection Board shall keep a register on “all approved codes of conduct, amendments and extensions” which is freely accessible and available to all “by way of appropriate means”.

The wording of Article 40(11) only specifically refers to “approved codes” without mentioning those with “general validity”. This could lead to some ambiguity as to the scope of Article 40(11).[48] Nonetheless, it is presumed that this requirement to register codes of conduct applies to approved codes within the meaning of Articles 40(5) and (6) GDPR, as well as to codes granted “general validity” by the European Commission as per Articles 40(7), (8), (9) and (10). The reason behind the assumption that Article 40(11) covers both types of codes of conduct is that it would not be logical for the EDPB to have to register codes of conduct approved by competent supervisory authorities throughout the European Union, but not those subject to its own opinion before submission to the European Commission for “general validity”. Additionally, the wording of Article 40(11) refers to “all approved codes of conduct”, which most likely includes the “[Commission] approved codes” referred to in Article 40(10). The EDPB supports this reading.[49]

The register can be found on the EDPB website. So far, only two codes of conduct (both national ones) have been collated on this register: a code of conduct by Nederland ICT (NL Digital) in the Netherlands and one by Autocontrol (Asociación para la Autorregulación de la Comunicación Comercial) in Spain.[50] However, it is apparent that various other codes of conduct do not yet appear on the EDPB register, such as codes of conduct approved by the Austrian or Italian DPAs.[51]

[1] Alain Bensoussan, Règlement européen sur la protection des données (2nd edn, Bruylant 2017) 290.

[2] EDPB, “Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679”, adopted on 4 June 2019 after public consultation, rev.02, 8.

[3] Articles 40 and 41 GDPR are connected. The former concerns the drawing up of codes of conduct whereas the latter concerns the monitoring of the application of those codes by appropriate bodies.

[4] EDPB (n1) 5.

[5] Article 40(1).

[6] Article 40(2).

[7] EDPB (n1) 7.

[8] Ibid 9.

[9] There were only two codes of conduct approved under the GDPR in the EDPB Register when this commentary was written (22 December 2020). See here: https://edpb.europa.eu/our-work-tools/accountability-tools/register-codes-conduct-amendments-and-extensions-art-4011_en.

[10] Article 40(2) uses the phrase “such as with regard to” before listing these potential topics, suggesting that they are only a few examples amongst others. The EDPB agrees with this reading of the Article. See EDPB (n1) 7.

[11] Article 40(2) uses the word “or” between subparagraphs (j) and (k).

[12]shall”.

[13] EDPB (n1) 7.

[14] The EDPB agrees with this reading. See ibid 6.

[15] Ibid 7.

[16] The EDPB even provides a non-exhaustive list of possible “code owners” including “trade and representative associations, sectoral organisations, academic organisations and interest groups”. See ibid 11.

[17] The details of Articles 40(5) and 40(9) are discussed below.

[18] See Article 46(2)(e) GDPR.

[19] EDPB (n1) 10.

[20] On 22 December 2020, when this commentary was written. See here: https://edpb.europa.eu/our-work-tools/accountability-tools/register-codes-conduct-amendments-and-extensions-art-4011_en.

[21] EDPB (n1) 17.

[22] As per Article 55.

[23] EDPB (n1) 28.

[24] Ibid 17.

[25] Ibid 11.

[26] Ibid 11-12.

[27] Ibid 12.

[28] Ibid 12.

[29] See Article 41 for further information on monitoring bodies and the mechanisms.

[30] EDPB (n1) 12.

[31] Ibid 13.

[32] Ibid 13.

[33] Ibid 13.

[34] Ibid 14.

[35] Ibid 29.

[36] Ibid 28.

[37] Ibid 14.

[38] Ibid 15-16.

[39] For example, regular audits, reporting requirements, complaint handling and dispute resolution mechanisms as well as potential sanctions for failing to comply with the code of conduct.

[40] EDPB (n1) 16-17.

[41] Unless a specific time for approving a code of conduct is provided for in national law.

[42] EDPB (n1) 18.

[43] The details concerning the competence of the data protection authority outlined in 4.2.1 also apply to transnational codes.

[44] EDPB (n1) 18.

[45] Presumably (as there is no information in the GDPR nor the Guidelines) in line with the conditions of approval outlined in 4.2.3.

[46] EDPB (n1) 20.

[47]shall”.

[48] See Article 40(3), which refers to both types of codes distinctly: “codes of conduct approved pursuant to paragraph 5 of this Article and [codes of conduct] having general validity pursuant to paragraph 9 of this Article...”

[49] EDPB (n1) 20.

[50] On 22 December 2020, when this commentary was written. See here: https://edpb.europa.eu/our-work-tools/accountability-tools/register-codes-conduct-amendments-and-extensions-art-4011_en.

[51] See, for example, Spanish DPA https://lnkd.in/e-jmVgK; Austrian DPA https://lnkd.in/eJaDmcB; Dutch DPA https://lnkd.in/eVpPdfr; Austrian DPA https://lnkd.in/eBgmP5x; Austrian DPA https://lnkd.in/ecTyuP4; Italian DPA https://lnkd.in/eJwSkJG.

Decisions

→ You can find all related decisions in Category:Article 40 GDPR

References