Article 40 GDPR: Difference between revisions

From GDPRhub
(7 intermediate revisions by 6 users not shown)


==Legal Text==
<br /><center>'''Article 40 - Codes of conduct'''</center>


<span id="1">1.  The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.</span>


==Relevant Recitals==
<span id="r98">'''Recital 98'''</span>

Associations or other bodies representing categories of controllers or processors should be encouraged to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors and the specific needs of micro, small and medium enterprises. In particular, such codes of conduct could calibrate the obligations of controllers and processors, taking into account the risk likely to result from the processing for the rights and freedoms of natural persons.

<span id="r99">'''Recital 99'''</span>

When drawing up a code of conduct, or when amending or extending such a code, associations and other bodies representing categories of controllers or processors should consult relevant stakeholders, including data subjects where feasible, and have regard to submissions received and views expressed in response to such consultations.


==Commentary==


=== Overview ===
Article 40 GDPR gives actors the possibility to draw up codes of conduct for the effective implementation of the GDPR in specific sectors or for specific processing activities. Codes of conduct are not obligatory; they are optional tools that can be used to promote compliance with the Regulation. Article 40 GDPR elaborates upon a pre-existing provision of the Data Protection [[Directive 95/46/EC]] (Data Protection Directive, DPD), namely Article 27(1). Accordingly, certain codes of conduct had already been drawn up under [[Article 27 Directive 95/46/EC]]. These include a code of conduct on the use of personal data in direct marketing practices, developed by the Federation of European Direct and Interactive Marketing (FEDMA), and a code of conduct for cloud service providers developed by the Cloud Select Industry Group (C-SIG). Both were approved by the Article 29 Working Party (WP29).<ref>''Bensoussan'', Règlement européen sur la protection des données, p. 290 (Bruylant 2017).</ref>


=== Drawing up Codes of Conduct ===
According to the European Data Protection Board (EDPB) Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 (EDPB Guidelines), Article 40 GDPR provides more “''specific and detailed provisions''” concerning the requirements and procedural aspects for drafting codes than the DPD. The aim of Articles 40 and 41 GDPR<ref>Articles 40 and 41 GDPR are connected. The former concerns the drawing up of codes of conduct, whereas the latter concerns the monitoring of the application of those codes by appropriate bodies.</ref> is to ensure a “''practical, potentially cost effective and meaningful method to achieve greater levels of consistency''” in data protection law. This is particularly relevant given that Member States may give effect to EU data protection law in ways which differ from one another (e.g. where processing targeted by a code of conduct relates to a particular Member State).<ref>EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 8 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201901_v2.0_codesofconduct_en.pdf here]).</ref><blockquote><u>EDPB Guidelines</u>: For this Article, in particular Article 40(2)(j) and 40(3), please see [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-042021-codes-conduct-tools-transfers_de Guidelines 04/2021 on Codes of Conduct as tools for transfers]</blockquote>


==== Rationale for Codes of Conduct ====
It is important to clarify what is meant by a code of conduct, what codes are for, who can draw them up, and who is targeted by these voluntary documents. According to Article 40 GDPR, the purpose of a code of conduct is to “[contribute] ''to the proper application''”, as well as to “[specify] ''the application''” of the GDPR. Additionally, according to Recital 98 GDPR, codes may be developed to “''calibrate the obligations of controllers and processors''”. As such, codes are intended to be an additional accountability tool which acts as a “''rulebook for controllers and processors''” that fall within the scope of the GDPR (and, in certain cases discussed below, those who fall outside of it). The codes provide measures which controllers and processors in a specific sector can implement in addition to, or in order to comply with, their existing legal obligations under the GDPR.


Interestingly, the EDPB suggests that codes can generate a degree of co-regulation amongst controllers and processors within the same processing sector. This, in turn, can help alleviate the burden placed on data protection authorities (DPAs) by controllers and processors seeking advice about the legality of their processing activities under the GDPR. This is, in theory, a strong argument in favour of developing codes of conduct and their corresponding monitoring bodies (as discussed in the commentary on [[Article 41 GDPR]]). However, not many associations or other bodies have made use of this possibility under the GDPR.<ref>There were only three codes of conduct approved under the GDPR in the EDPB Register when this commentary was written (17/03/2022, see [https://edpb.europa.eu/search_en?search=code%20of%20conduct&f%5B0%5D=content_type%3Aedpb_code_of_conduct here]).</ref> As such, controllers and processors remain reliant on DPAs for guidance on compliance, which unfortunately will generally lack the sector-specificity that makes codes of conduct attractive in terms of effective application of the GDPR.


==== Content of the Codes of Conduct ====
Article 40(1) GDPR clarifies that codes of conduct must be tailored to the “''specific features''” of a sector, as well as to the “''specific needs of micro, small and medium-sized enterprises''”. Recitals 98 and 99 GDPR provide additional information as to how the content of these codes of conduct may be developed. The former highlights that the codes should take into account the “''risk likely to result from the [relevant] processing for the rights and freedoms of natural persons''”. According to the latter recital, the drafter “''should consult relevant stakeholders, including data subjects''” in order to develop these codes. They should also duly consider the “''submissions received and views expressed in response to such consultations''”.


Article 40(2) GDPR provides a list of potential topics which the codes may address. It is important to note that the wording of the Article suggests that the list is non-exhaustive<ref>Article 40(2) GDPR uses the phrase “''such as with regard to''” before listing these potential topics, suggesting that they are only a few examples amongst others. The EDPB agrees with this reading of the Article; see EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 7 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201901_v2.0_codesofconduct_en.pdf here]).</ref> and that these elements are not necessarily cumulative.<ref>Article 40(2) GDPR uses the word “or” between subparagraphs (j) and (k).</ref> The Article provides the following examples of topics for the codes:

- fairness and transparency in processing;

- controllers’ legitimate interests in particular contexts;

- collection of personal data;

- pseudonymisation;

- information to be provided to the public and to data subjects;

- data subjects’ rights and their exercise;

- processing children’s personal data (including information to be provided, protection and mechanisms for obtaining parental consent);

- technical and organisational measures and the obligations to guarantee privacy by design and by default;

- notification and communication of data breaches to the competent supervisory authority and to affected data subjects;

- data transfers to third countries or international organisations; or

- dispute resolution procedures.

Finally, Article 40(4) GDPR provides that a code of conduct must contain information on how a monitoring body (provided for in [[Article 41 GDPR]]) can ensure compliance with it.<ref>Consider the wording: “shall”.</ref> It is important to note that such monitoring by these bodies is to be carried out “''without prejudice to the tasks and powers of supervisory authorities''”.


==== Shall encourage ====
Codes of conduct themselves are not obligatory. Article 40(1) GDPR provides that Member States, DPAs, the EDPB and the European Commission (EC) shall “''encourage''” actors to develop codes of conduct. This terminology, emphasised by the fact that Article 40(2) GDPR provides that relevant actors “''may''” draw up such codes, highlights that the codes are developed on a voluntary basis. The EDPB Guidelines also support this reading. However, a close reading of Article 40(1) GDPR reveals a clear obligation imposed on Member States, DPAs, the EDPB and the EC to encourage the drawing up of codes. Indeed, the wording of Article 40(1) GDPR is that they “'''''shall''''' ''encourage''” this (emphasis added).<ref>EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), pp. 6-7 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201901_v2.0_codesofconduct_en.pdf here]).</ref>


==== Associations and other Bodies ====
According to Article 40(2) GDPR, codes of conduct are to be drafted by trade associations and other bodies “''representing categories of controllers or processors''”. These drafters therefore act as representatives of specific sectors. The EDPB also refers to them as “''code owners''”.

There is some ambiguity in the wording of this provision. Article 40(1) GDPR provides that the drawing up of codes must be encouraged without specifying which entities may draw them up. Only Article 40(2) GDPR makes direct reference to “''associations and other bodies''”. It could therefore be argued that an individual controller or processor may take up the task of drafting a code. However, Recital 98 GDPR makes direct reference to associations and other bodies when addressing the obligation to encourage the drawing up of codes of conduct (Article 40(1) GDPR). Similarly, Article 40(5) GDPR refers only to associations and other bodies when specifying the steps for getting a code approved. It may therefore be assumed that only such entities may develop these codes. The EDPB supports the view that only associations and other bodies may draft codes.<ref>The EDPB even provides a non-exhaustive list of possible “''code owners''” including “''trade and representative associations, sectoral organisations, academic organisations and interest groups''”; see EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 11 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201901_v2.0_codesofconduct_en.pdf here]).</ref>


==== Target Audience for Codes of Conduct ====
Generally speaking, codes of conduct developed in accordance with Article 40 GDPR are aimed at categories of controllers and processors within the scope of application of the GDPR. These categories are determined by their respective processing sectors. For example, a code of conduct for the processing of personal data by banks would differ from one for the education sector. This is clear from the wording of Article 40(1) GDPR, which specifies that the codes should take into account “''the specific features of the various processing sectors''”.

However, Article 40(3) GDPR provides that certain codes of conduct can be followed by controllers and processors of personal data that are '''not''' subject to the GDPR. Such codes must not only be approved by the competent DPA as per Article 40(5) GDPR, but must also have been granted general validity by the EC pursuant to Article 40(9) GDPR. The third-country controllers and processors must also make “''binding and enforceable commitments''” (i.e. via contractual or other legally binding instruments). Where entities not subject to the GDPR adhere to them, these codes of conduct act as appropriate safeguards in the context of transfers of personal data to third countries or international organisations.<ref>See [[Article 46 GDPR|Article 46(2)(e) GDPR]].</ref> The hope is that such international codes will lead to the “''promotion and cultivation of the level of protection which the GDPR provides to the wider international community''”.<ref>EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 10 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201901_v2.0_codesofconduct_en.pdf here]).</ref> At the time of writing, however, no such code of conduct had yet been adopted.
 
=== Approval of Codes of Conduct ===
Article 40(5) GDPR provides that associations and other bodies which “''intend to prepare a code of conduct or to amend or extend an existing [one]''” must submit their draft to the competent DPA. Once the code owner has submitted the draft, amendment or extension, in either electronic or written form, the competent DPA reviews it against the admissibility criteria and the conditions for approval, which are discussed in the following subsections. The DPA then approves the code, amendment or extension where it “''provides sufficient appropriate safeguards''”.

Not much detail is provided by the GDPR with regard to the admissibility criteria and conditions for approval. Therefore, much of the following discussion is derived from the EDPB Guidelines, which elaborate on these requirements.<ref>EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 17 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201901_v2.0_codesofconduct_en.pdf here]).</ref>


==== Competent Authority ====
Although Article 40(5) GDPR states that the competent DPA is to be determined through the application of [[Article 55 GDPR]], the GDPR does not provide concrete rules on this. However, Annex 2 of the EDPB Guidelines explains how code owners may identify the competent DPA. It lists factors that can be considered, such as:

- the Member State where most of the processing activity takes place, or where the processing sector is predominant;

- the Member State where data subjects are most affected;

- the Member State where the drafting association or other body has its headquarters;

- the Member State where the monitoring body will have its headquarters; or

- the Member State where a DPA has developed initiatives in the specific field of the code of conduct.


==== Conditions for Admissibility of a Draft Code ====
The EDPB Guidelines provide a series of conditions that code drafters should fulfil before submitting their code, amendment or extension to the competent DPA for approval. The content of the draft code, amendment or extension will not be reviewed further if it fails to fulfil the criteria for admissibility outlined below.<ref>EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 17 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201901_v2.0_codesofconduct_en.pdf here]).</ref>

===== Explanatory Statement and Supporting Documentation =====
The first step for admissibility of a draft code of conduct is to have a “''clear and concise explanatory statement''”. This will include an explanation of:

- the purpose of the code;

- the scope of the code; and

- the way in which it will foster compliance with the GDPR.

Supporting documentation will also provide additional clarity.

===== Representing Association or other Bodies =====
The draft code must be drafted by an association or other body representing categories of controllers and processors (Article 40(2) GDPR). The EDPB highlights that code owners must demonstrate to the competent DPA that they fall within the meaning of “''associations and other bodies''” before submitting the code for approval. The Guidelines add that this entails providing proof of their capability to address the needs of controllers and processors and of their understanding of the relevant processing activities.

===== Processing Scope =====
The scope of application of the code must be sufficiently precise. This includes information on the type of processing performed and on the controllers and processors targeted by the code of conduct.

===== Territorial Scope =====
The drafters must clarify whether the code applies to processing within one Member State or within several Member States. This facilitates the determination of whether further steps must be taken (e.g. general validity granted by the Commission pursuant to Article 40(9) GDPR).

===== Competent Authority =====
The drafters must identify the competent DPA to which the draft is to be submitted. The factors for determining which DPA is competent are outlined above.

===== Oversight of Mechanisms and Monitoring Body =====
The drafters must ensure that the steps for monitoring compliance are clearly laid out in the code of conduct. They must also provide for a monitoring body and the mechanisms that this body will apply to ensure compliance with the code.

===== Consultation =====
The code drafters must consult relevant stakeholders, such as data subjects as well as controllers and processors, before the draft is considered admissible. This requirement follows from Recital 99 GDPR.

===== National Legislation =====
If national legislation applies, the association or other body drafting the code must confirm that the code does not infringe such provisions. According to the EDPB, this is particularly relevant where the code concerns a sector which is specifically regulated by national law, or where the processing at stake is subject to specific assessment requirements under national law.

===== Language =====
The code must be written in the language in which the competent DPA works. Transnational codes should also be provided in English, in addition to the version in the competent DPA’s language. The code owner must ensure that all of the above conditions are fulfilled before submitting the code of conduct for approval; Annex 3 of the EDPB Guidelines provides a checklist which a code owner can use to verify this. The code can then be presented to the competent DPA.<ref>EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), pp. 11-14 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201901_v2.0_codesofconduct_en.pdf here]).</ref>
The code drafters must consult relevant stakeholders such as data subjects and controllers and processors before the draft is considered admissible.[[Article 40 GDPR#%20ftn31|[31]]] This aspect is detailed above.
 
===== National legislation =====
If national legislation applies, the association or other body drafting the code must confirm that it does not infringe such provisions. According to the EDPB, this is particularly the case if the code affects national laws or the processing at stake is subject to a national law.[[Article 40 GDPR#%20ftn32|[32]]]
 
===== Language =====
The code must be written in the language in which the competent authority works in. Transnational codes, however, should also have an English version of the code, in addition to one in the competent authority’s language.[[Article 40 GDPR#%20ftn33|[33]]]
 
===== Checklist =====
The code owner must ensure that they fulfill all the above conditions before submitting the code of conduct for approval.[[Article 40 GDPR#%20ftn34|[34]]] Annex 3 of the EDPB Guidelines provides a possible checklist for a code owner to verify this. They can then present it to the competent supervisory authority.[[Article 40 GDPR#%20ftn35|[35]]]


==== Criteria for getting Approval ====
The EDPB Guidelines also provide a series of criteria that must be fulfilled by code owners in order to gain formal approval for their code, amendment or extension from the competent authority.[[Article 40 GDPR#%20ftn36|[36]]] The following sections reflect the minimum cumulative requirements for approval.

Firstly, the code must address a specific need or a data protection issue that is common in a sector or in relation to a processing activity by a category of controllers or processors. The code owner must also demonstrate that it understands the problem and clearly show how the code proposes to resolve it in an “''effective and beneficial''” way for their members and data subjects. Without this, the code cannot get approval from the competent authority.[[Article 40 GDPR#%20ftn37|[37]]]

A key criterion for getting a code of conduct approved is described in Recital 98 GDPR: the code owner must ensure that the code “''facilitate[s] the effective application of this Regulation''” in the sector or processing activity it seeks to address.

According to the EDPB Guidelines, in order to gain approval, the code drafters must ensure that the code of conduct specifies how the GDPR should apply in relation to the targeted processing activities or sector. This includes providing (non-exhaustively):

- clear improvements to ensure the targeted sector complies with the Regulation;
- realistic and attainable standards for the controllers and processors targeted;
- detailed information on data protection areas, such as those outlined in Article 40(2) GDPR;
- sufficiently clear and effective solutions to concerns over processing in this sector;
- an “''operational meaning''” of the Article 5 GDPR principles; and
- clarifications on any EDPB opinions or guidance for the specific sector.

The EDPB also clarifies that a code drafter cannot simply restate provisions within the GDPR. The codes must supplement the Regulation by providing information on how it “''shall apply in a specific, practical and precise manner''” which relates to the processing activity or sector at the heart of the code. This can be achieved by using, for example, sector-specific terminology without being too “''legalistic''” and by giving examples of good practice.[[Article 40 GDPR#%20ftn38|[38]]]

As outlined in Article 40(5) GDPR, the code of conduct must provide sufficient appropriate safeguards, “''taking into account the risk likely to result from the processing for the rights and freedoms of natural persons''” (Recital 98 GDPR).

An oversight and compliance monitoring mechanism is a requirement stipulated under Article 40(4) GDPR. According to the EDPB, structures and procedures[[Article 40 GDPR#%20ftn39|[39]]] for enforcing the code must be stipulated by the code owner before gaining approval. This includes identifying a monitoring body within the meaning of Article 41 GDPR. Such monitoring mechanisms must be “''clear, suitable, attainable, efficient and enforceable (testable)''” according to the Guidelines.[[Article 40 GDPR#%20ftn40|[40]]]

==== Approval from the Competent Supervisory Authority ====
Subject to the code owners fulfilling the admissibility and approval requirements outlined above, the competent supervisory authority can approve the draft code, amendment or extension pursuant to Article 40(5) GDPR. The EDPB Guidelines suggest that the authority should do so within a “''reasonable period of time''”[[Article 40 GDPR#%20ftn41|[41]]] and update the code owners throughout the approval process.

The authority should justify its approval in line with the prerequisite criteria for admissibility and approval. Should the supervisory authority refuse to approve the code of conduct, it should provide a reasoning for its opinion. This can then enable the code owners to redraft and re-submit the code if they want.[[Article 40 GDPR#%20ftn42|[42]]]

=== General Validity of Codes of Conduct for Cross-Border Processing Activities ===
Codes relating to processing activities in several Member States are transnational codes which must be granted “''general validity''” (Articles 40(7) GDPR to 40(10) GDPR).

==== Role of the Supervisory Authorities ====
The competent authority[[Article 40 GDPR#%20ftn43|[43]]] with which the code owner has submitted the draft code must determine whether this code fulfils the admissibility criteria mentioned above before proceeding.[[Article 40 GDPR#%20ftn44|[44]]]

After this initial step, the authority will then notify other supervisory authorities about the transnational code of conduct pursuant to Article 40(7) GDPR. These authorities will then confirm whether they are “''concerned supervisory authorities''” (see Article 4(22)(a)(b) GDPR). Finally, the competent authority will cooperate with them in line with the consistency mechanism found under Article 63 GDPR. This includes sending a draft of the code of conduct that the principal authority intends to approve[[Article 40 GDPR#%20ftn45|[45]]] to the other concerned supervisory authorities with a 30-day deadline to give feedback.

As per Article 40(7) GDPR, the principal authority must then submit the draft code, amendment or extension, along with any responses from concerned supervisory authorities, to the EDPB.

==== Opinion by the European Data Protection Board ====
The EDPB will then generate an opinion as to whether the code of conduct complies with the Regulation, as per Article 40(7) GDPR. According to the terminology of Articles 40(7) GDPR and 40(8) GDPR, the EDPB’s opinion should identify whether the draft code provides “''appropriate safeguards''”. This opinion shall follow the Rules of Procedure of the Board, as well as Article 64 GDPR.[[Article 40 GDPR#%20ftn46|[46]]]

After confirming that the code of conduct provides “''appropriate safeguards''”, there is an obligation[[Article 40 GDPR#%20ftn47|[47]]] imposed on the EDPB to “''submit its opinion to the Commission''” (Article 40(8) GDPR).

==== “General Validity” Granted by the European Commission ====
After receiving the opinion of the EDPB, the European Commission will be the one to determine, “''by way of implementing acts''”, whether to grant the code of conduct “''general validity within the Union''” as per Article 40(9) GDPR. The Article specifies that the “''implementing acts''” referred to must be adopted in line with the examination procedure under Article 93(2) GDPR.

=== Publication of Approved Codes and Codes with General Validity ===
Article 40 GDPR provides additional requirements for publishing codes of conduct, amendments or extensions once they have been approved. This relates to both codes of conduct relating to processing activities in one Member State (national codes) and those relating to processing activities in several Member States (transnational codes).

==== Publication by the Supervisory Authority ====
The competent supervisory authority that has approved the national code of conduct must then register and publish it in accordance with Article 40(6) GDPR. The same applies to any amendments or extensions submitted for approval.

==== Publication of a Code with General Validity ====
According to Article 40(10) GDPR, the Commission has responsibility over “''appropriate publicity''” that should be given to a transnational code of conduct which has been granted “''general validity''”.

It is uncertain whether the relevant supervisory authorities will have to publicise the transnational codes of conduct that they sought to approve prior to the cooperation mechanism, as they must for national codes according to Article 40(6) GDPR.

==== Criteria for getting Approval ====
The EDPB Guidelines also provide a series of criteria that must be fulfilled by code owners in order to gain formal approval for their code, amendment or extension from the competent DPA. The following sections reflect the minimum cumulative requirements for approval.

Firstly, the code must address a specific need or a data protection issue that is common in a sector, or in relation to a processing activity by a category of controllers or processors. The code owner must also demonstrate that it understands relevant processing issues, and clearly show how the code proposes to resolve them in an “''effective and beneficial''” way for their members and for data subjects. Without this, the code cannot get approval from the competent authority.

A key criterion for getting a code of conduct approved is described in Recital 98 GDPR: the code owner must ensure that the code “''facilitate[s] the effective application of this Regulation''” in the sector or processing activity it seeks to address. According to the EDPB Guidelines, in order to gain approval, the code drafters must ensure that the code of conduct specifies how the GDPR should apply in relation to the targeted processing activities or sector. This includes providing (non-exhaustively): clear improvements to ensure the targeted sector complies with the GDPR; realistic and attainable standards for the controllers and processors targeted; detailed information on data protection areas, such as those outlined in Article 40(2) GDPR; sufficiently clear and effective solutions to concerns over processing in this sector; an “''operational meaning''” of the Article 5 GDPR principles; and clarifications on any EDPB opinions or guidance for the specific sector.

The EDPB also clarifies that a code drafter cannot simply restate provisions within the GDPR. The codes must supplement the GDPR by providing information on how it “''shall apply in a specific, practical and precise manner''” which relates to the processing activity or sector at the heart of the code. This can be achieved by using, for example, sector-specific terminology without being too “''legalistic''”, and by giving examples of good practices.

As outlined in Article 40(5) GDPR, the code of conduct must provide sufficient appropriate safeguards, “''taking into account the risk likely to result from the processing for the rights and freedoms of natural persons''” (Recital 98 GDPR). An oversight and compliance monitoring mechanism is a requirement stipulated under Article 40(4) GDPR. According to the EDPB, structures and procedures for enforcing the code must be stipulated by the code owner before gaining approval. This includes identifying a monitoring body within the meaning of Article 41 GDPR. Such monitoring mechanisms must be “''clear, suitable, attainable, efficient and enforceable (testable)''”, according to the Guidelines.<ref>EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), pp. 15-17 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201901_v2.0_codesofconduct_en.pdf here]).</ref>

==== Approval from the Competent DPA ====
Subject to the code owners fulfilling the admissibility and approval requirements outlined above, the competent DPA can approve the draft code, amendment or extension pursuant to Article 40(5) GDPR. The EDPB Guidelines suggest that the DPA should do so within a “''reasonable period of time''”[Unless a specific time for approving a code of conduct is provided for in national law.] and update the code owners throughout the approval process. The DPA should justify its approval in line with the prerequisite criteria for admissibility and approval, and in cases when it does not approve a code, it should provide a reasoning for its opinion. This can then enable the code owners to redraft and re-submit the code if they wish to do so.<ref>EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), pp. 18 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201901_v2.0_codesofconduct_en.pdf here]).</ref> Codes of conduct relating to processing activities in several Member States are transnational codes, which must be granted “''general validity''” (Articles 40(7) GDPR to 40(10) GDPR).

==== Role of the DPAs and the EDPB ====
The competent DPA[Details concerning the competency of the data protection authority outlined above apply to transnational codes.] with which the code owner has submitted the draft code, must determine whether this code fulfils the admissibility criteria mentioned above before proceeding. After this initial step, the authority will then notify other DPAs about the transnational code of conduct, pursuant to Article 40(7) GDPR. These DPAs will then confirm whether they are “''supervisory authorities concerned''” (see Article 4(22)(a)(b) GDPR). Finally, the competent DPA will cooperate with them in line with the consistency mechanism found under Article 63 GDPR. This includes sending a draft of the code of conduct that the main DPA intends to approve<ref>Presumably (as there is no information in the GDPR nor the Guidelines) in line with the conditions of approval outlined.</ref> to the other concerned DPAs, which will have a 30-day time frame to give their feedback on it. As per Article 40(7) GDPR, the main DPA must then submit the draft code, amendment or extension, along with any responses from concerned DPAs, to the EDPB.

The EDPB will then generate an opinion as to whether the code of conduct complies with the GDPR, as per Article 40(7) GDPR. According to the terminology of Articles 40(7) and 40(8) GDPR, the EDPB’s opinion should identify whether the draft code provides “''appropriate safeguards''”. This opinion shall follow the Rules of Procedure of the EDPB, as well as Article 64 GDPR. After confirming that the code of conduct provides “''appropriate safeguards''”, there is an obligation[Wording: "shall".] imposed on the EDPB to “''submit its opinion to the Commission''” (Article 40(8) GDPR). After receiving the EDPB’s opinion, the EC will be the one to determine, “''by way of implementing acts''”, whether to grant the code of conduct “''general validity within the Union''” as per Article 40(9) GDPR. This provision specifies that the aforementioned “''implementing acts''” must be adopted in line with the examination procedure under Article 93(2) GDPR.<ref>EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 20 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201901_v2.0_codesofconduct_en.pdf here]).</ref>

==== Publication of Approved Codes and Codes with General Validity ====
Article 40 GDPR provides additional requirements for publishing codes of conduct, amendments or extensions once they have been approved. This relates to both codes of conduct relating to processing activities in one Member State (national codes) and those relating to processing activities in several Member States (transnational codes). The competent DPA that has approved a national code of conduct must then register and publish it in accordance with Article 40(6) GDPR. The same applies to any amendments or extensions submitted for approval. According to Article 40(10) GDPR, the EC is responsible for the “''appropriate publicity''” that should be given to a transnational code of conduct which has been granted “''general validity''”. It is uncertain whether the relevant DPAs will have to publish the transnational codes of conduct that they sought to approve prior to the cooperation mechanism, as they must do with national codes according to Article 40(6) GDPR.


==== Register of Codes of Conduct ====
Article 40(11) GDPR stipulates that the European Data Protection Board shall keep a register on “''all approved codes of conduct, amendments and extensions''” which is freely accessible and available to all “''by way of appropriate means''”.

The wording of Article 40(11) GDPR only specifically refers to “''approved codes''” without mentioning those with “''general validity''”. This could lead to some ambiguity as to the scope of Article 40(11) GDPR.[[Article 40 GDPR#%20ftn48|[48]]] Nonetheless, it is presumed that this requirement to register codes of conduct applies to approved codes within the meaning of Articles 40(5) and (6) GDPR, as well as codes granted “''general validity''” by the European Commission as per Articles 40(7), (8), (9) and (10). The reason behind the assumption that Article 40(11) covers both types of codes of conduct is that it would not be logical for the EDPB to have to register codes of conduct approved by competent supervisory authorities throughout the European Union, but not those subject to their opinion before submitting them to the European Commission for “general validity”. Additionally, the wording of Article 40(11) GDPR refers to “''all approved codes of conducts''”, which most likely includes the “''[Commission] approved codes''” referred to in Article 40(10) GDPR. The EDPB supports this.[[Article 40 GDPR#%20ftn49|[49]]]

The register can be found on the EDPB website. So far, only two codes of conduct (national ones) have been collated on this register. This includes a code of conduct by Nederland ICT (NL Digital) in the Netherlands and one by Autocontrol (''Asociación para la Autorregulación de la Comunicación Comercial'') in Spain.[[Article 40 GDPR#%20ftn50|[50]]] However, it is apparent that there are various other codes of conduct that do not yet appear on the EDPB register, such as codes of conduct approved by the Austrian or Italian DPAs.[[Article 40 GDPR#%20ftn51|[51]]]

==== Register of Codes of Conduct ====
Article 40(11) GDPR stipulates that the EDPB shall keep a register on “''all approved codes of conduct, amendments and extensions''” which is freely accessible and available to all “''by way of appropriate means''”. The wording in Article 40(11) GDPR only specifically refers to “''approved codes''” without mentioning those with “''general validity''”. This could lead to some ambiguity as to the scope of this provision.<ref>See Article 40(3) GDPR which refers to both types of codes distinctly: “codes of conduct approved pursuant to paragraph 5 of this Article and [codes of conduct] having general validity pursuant to paragraph 9 of this Article”.</ref> Nonetheless, it is presumed that this requirement to register codes of conduct applies to approved codes within the meaning of Articles 40(5) and (6) GDPR, as well as codes granted “''general validity''” by the EC as per Articles 40(7), (8), (9) and (10) GDPR. The reason behind this presumption is that it would not be logical for the EDPB to have to register codes of conduct approved by competent DPAs throughout the European Union, but not those subject to their opinion before submitting them to the EC for “general validity”. Additionally, the wording of Article 40(11) GDPR refers to “''all approved codes of conducts''”, which most likely includes the “''[Commission] approved codes''” referred to in Article 40(10) GDPR. The EDPB supports this view.<ref>EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 20 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201901_v2.0_codesofconduct_en.pdf here]).</ref> The register can be found on the EDPB website. So far, only two codes of conduct (national ones) have been collated on this register. This includes a code of conduct by Nederland ICT (NL Digital) in the Netherlands, and one by Autocontrol (''Asociación para la Autorregulación de la Comunicación Comercial'') in Spain. However, it is apparent that there are various other codes of conduct that do not yet appear on the EDPB register, such as the codes of conduct approved by the Austrian, Dutch, or Italian DPAs.<ref>See, for example the Spanish DPA ([https://lnkd.in/e-jmVgK here]); Dutch DPA ([https://lnkd.in/eVpPdfr here]); Italian DPA (see [https://lnkd.in/eJwSkJG here]) and the Austrian DPA ([https://lnkd.in/eJaDmcB here], [https://lnkd.in/eBgmP5x here] and [https://lnkd.in/ecTyuP4 here]).</ref>
----
[[Article 40 GDPR#%20ftnref1|[1]]] Alain Bensoussan, ''Règlement européen sur la protection des données'' (2<sup>nd</sup> edn, Bruylant 2017) 290.
 
[[Article 40 GDPR#%20ftnref2|[2]]] EDPB, “Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679”, adopted on 4 June 2019 after public consultation, rev.02, 8.
 
[[Article 40 GDPR#%20ftnref3|[3]]] Articles 40 and 41 GDPR are connected. The former concerns the drawing up of codes of conduct whereas the latter concerns the monitoring of the application of those codes by appropriate bodies.
 
[[Article 40 GDPR#%20ftnref4|[4]]] EDPB (n1) 5.
 
[[Article 40 GDPR#%20ftnref5|[5]]] Article 40(1).
 
[[Article 40 GDPR#%20ftnref6|[6]]] Article 40(2).
 
[[Article 40 GDPR#%20ftnref7|[7]]] EDPB (n1) 7.
 
[[Article 40 GDPR#%20ftnref8|[8]]] Ibid 9.
 
[[Article 40 GDPR#%20ftnref9|[9]]] There were only two codes of conduct approved under the GDPR in the EDPB Register when this commentary was written (22/12/2020). See here: <nowiki>https://edpb.europa.eu/our-work-tools/accountability-tools/register-codes-conduct-amendments-and-extensions-art-4011_en</nowiki>.
 
[[Article 40 GDPR#%20ftnref10|[10]]] Article 40(2) uses the phrases “''such as with regard to''” before listing these potential topics, suggesting that they are only a few examples amongst others. The EDPB agrees with this reading of the Article. See EDPB (n1) 7.
 
[[Article 40 GDPR#%20ftnref11|[11]]] Article 40(2) uses the word “or” between subparagraph (j) and (k).
 
[[Article 40 GDPR#%20ftnref12|[12]]] “''shall''”.
 
[[Article 40 GDPR#%20ftnref13|[13]]] EDPB (n1) 7.
 
[[Article 40 GDPR#%20ftnref14|[14]]] The EDPB agrees with this reading. See ibid 6.
 
[[Article 40 GDPR#%20ftnref15|[15]]] Ibid 7.
 
[[Article 40 GDPR#%20ftnref16|[16]]] The EDPB even provides a non-exhaustive list of possible “''code owners''” including “''trade and representative associations, sectoral organisations, academic organisations and interest groups''”. See ibid 11.
 
[[Article 40 GDPR#%20ftnref17|[17]]] The details of Articles 40(5) and 40(9) are discussed below.
 
[[Article 40 GDPR#%20ftnref18|[18]]] See Article 46(2)(e) GDPR.
 
[[Article 40 GDPR#%20ftnref19|[19]]] EDPB (n1) 10.
 
[[Article 40 GDPR#%20ftnref20|[20]]] On the 22 December 2020, when this commentary was written. See here: <nowiki>https://edpb.europa.eu/our-work-tools/accountability-tools/register-codes-conduct-amendments-and-extensions-art-4011_en</nowiki>.
 
[[Article 40 GDPR#%20ftnref21|[21]]] EDPB (n1) 17.
 
[[Article 40 GDPR#%20ftnref22|[22]]] As per Article 55.
 
[[Article 40 GDPR#%20ftnref23|[23]]] EDPB (n1) 28.
 
[[Article 40 GDPR#%20ftnref24|[24]]] Ibid 17.
 
[[Article 40 GDPR#%20ftnref25|[25]]] Ibid 11.
 
[[Article 40 GDPR#%20ftnref26|[26]]] Ibid 11-12.
 
[[Article 40 GDPR#%20ftnref27|[27]]] Ibid 12.
 
[[Article 40 GDPR#%20ftnref28|[28]]] Ibid 12.
 
[[Article 40 GDPR#%20ftnref29|[29]]] See Article 41 for further information on monitoring bodies and the mechanisms.
 
[[Article 40 GDPR#%20ftnref30|[30]]] EDPB (n1) 12.
 
[[Article 40 GDPR#%20ftnref31|[31]]] Ibid 13.
 
[[Article 40 GDPR#%20ftnref32|[32]]] Ibid 13.
 
[[Article 40 GDPR#%20ftnref33|[33]]] Ibid 13.
 
[[Article 40 GDPR#%20ftnref34|[34]]] Ibid 14.
 
[[Article 40 GDPR#%20ftnref35|[35]]] Ibid 29.
 
[[Article 40 GDPR#%20ftnref36|[36]]] Ibid 28.
 
[[Article 40 GDPR#%20ftnref37|[37]]] Ibid 14.
 
[[Article 40 GDPR#%20ftnref38|[38]]] Ibid 15-16.
 
[[Article 40 GDPR#%20ftnref39|[39]]] For example, regular audits, reporting requirements, complaint handling and dispute resolution mechanisms as well as potential sanctions for failing to comply with the code of conduct.
 
[[Article 40 GDPR#%20ftnref40|[40]]] EDPB (n1) 16-17.
 
[[Article 40 GDPR#%20ftnref41|[41]]] Unless a specific time for approving a code of conduct is provided for in national law.
 
[[Article 40 GDPR#%20ftnref42|[42]]] EDPB (n1) 18.
 
[[Article 40 GDPR#%20ftnref43|[43]]] Details concerning the competency of the data protection authority outlined in 4.2.1 apply to transnational codes.
 
[[Article 40 GDPR#%20ftnref44|[44]]] EDPB (n1) 18.
 
[[Article 40 GDPR#%20ftnref45|[45]]] Presumably (as there is no information in the GDPR nor the Guidelines) in line with the conditions of approval outlined in 4.2.3.
 
[[Article 40 GDPR#%20ftnref46|[46]]] EDPB (n1) 20.
 
[[Article 40 GDPR#%20ftnref47|[47]]] “''shall''”.
 
[[Article 40 GDPR#%20ftnref48|[48]]] See Article 40(3) which refers to both types of codes distinctly: “'''''codes of conduct approved''''' ''pursuant to paragraph 5 of this Article and '''[codes of conduct] having general validity''' pursuant to paragraph 9 of this Article...''”
 
[[Article 40 GDPR#%20ftnref49|[49]]] EDPB (n1) 20.
 
[[Article 40 GDPR#%20ftnref50|[50]]] On the 22 December 2020, when this commentary was written. See here: <nowiki>https://edpb.europa.eu/our-work-tools/accountability-tools/register-codes-conduct-amendments-and-extensions-art-4011_en</nowiki>.
 
[[Article 40 GDPR#%20ftnref51|[51]]] See, for example, Spanish DPA <nowiki>https://lnkd.in/e-jmVgK</nowiki>; Austrian DPA <nowiki>https://lnkd.in/eJaDmcB</nowiki>; Dutch DPA <nowiki>https://lnkd.in/eVpPdfr</nowiki>; Austrian DPA <nowiki>https://lnkd.in/eBgmP5x</nowiki>; Austrian DPA <nowiki>https://lnkd.in/ecTyuP4</nowiki>; Italian DPA <nowiki>https://lnkd.in/eJwSkJG</nowiki>.


==Decisions==

Revision as of 16:11, 10 March 2023

Article 40 - Codes of conduct
Chapter 10: Delegated and implementing acts

Legal Text


Article 40 - Codes of conduct

1. The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.

2. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:

(a) fair and transparent processing;
(b) the legitimate interests pursued by controllers in specific contexts;
(c) the collection of personal data;
(d) the pseudonymisation of personal data;
(e) the information provided to the public and to data subjects;
(f) the exercise of the rights of data subjects;
(g) the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;
(h) the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32;
(i) the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects;
(j) the transfer of personal data to third countries or international organisations; or
(k) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.

3. In addition to adherence by controllers or processors subject to this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article and having general validity pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (e) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards including with regard to the rights of data subjects.

4. A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of supervisory authorities competent pursuant to Article 55 or 56.

5. Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the supervisory authority which is competent pursuant to Article 55. The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards.

6. Where the draft code, or amendment or extension is approved in accordance with paragraph 5, and where the code of conduct concerned does not relate to processing activities in several Member States, the supervisory authority shall register and publish the code.

7. Where a draft code of conduct relates to processing activities in several Member States, the supervisory authority which is competent pursuant to Article 55 shall, before approving the draft code, amendment or extension, submit it in the procedure referred to in Article 63 to the Board which shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3 of this Article, provides appropriate safeguards.

8. Where the opinion referred to in paragraph 7 confirms that the draft code, amendment or extension complies with this Regulation, or, in the situation referred to in paragraph 3, provides appropriate safeguards, the Board shall submit its opinion to the Commission.

9. The Commission may, by way of implementing acts, decide that the approved code of conduct, amendment or extension submitted to it pursuant to paragraph 8 of this Article have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).

10. The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 9.

11. The Board shall collate all approved codes of conduct, amendments and extensions in a register and shall make them publicly available by way of appropriate means.

Relevant Recitals

Recital 98: Codes of Conduct
Associations or other bodies representing categories of controllers or processors should be encouraged to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors and the specific needs of micro, small and medium enterprises. In particular, such codes of conduct could calibrate the obligations of controllers and processors, taking into account the risk likely to result from the processing for the rights and freedoms of natural persons.

Recital 99: Consultation of Stakeholders for Codes of Conduct
When drawing up a code of conduct, or when amending or extending such a code, associations and other bodies representing categories of controllers or processors should consult relevant stakeholders, including data subjects where feasible, and have regard to submissions received and views expressed in response to such consultations.

Commentary

Article 40 GDPR outlines a possibility for actors to elaborate codes of conduct for the effective implementation of the GDPR in specific sectors or for specific processing activities. Codes of conduct are not obligatory but rather potential tools that can be used to promote compliance. Article 40 GDPR elaborates upon a pre-existing provision under Directive 95/46/EC (Data Protection Directive – DPD), specifically Article 27(1). Accordingly, certain codes of conduct had already been elaborated under Article 27 DPD. These include a code of conduct on the use of personal data in direct marketing practices, which was developed by the Federation of European Direct and Interactive Marketing (FEDMA), and a code of conduct on cloud service providers developed by the Cloud Select Industry Group (C-SIG). Both were approved by the Article 29 Working Party (WP29).[1]

According to the European Data Protection Board (EDPB) Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 (EDPB Guidelines), Article 40 GDPR provides more “specific and detailed provisions” concerning the requirements and procedural aspects for drafting codes than the DPD. The aim of Articles 40 and 41 GDPR[Articles 40 and 41 GDPR are connected. The former concerns the drawing up of codes of conduct, whereas the latter concerns the monitoring of the application of those codes by appropriate bodies.] is to ensure a “practical, potentially cost effective and meaningful method to achieve greater levels of consistency” in data protection law. This is particularly relevant given that Member States may give effect to EU data protection law in ways which differ from one another (e.g. where processing targeted by a code of conduct relates to a particular Member State).[2]

EDPB Guidelines: For this Article, in particular paragraphs 40(2)(j) and 40(3), please see Guidelines 04/2021 on Codes of Conduct as tools for transfers.

Drawing up Codes of Conduct

It is important to clarify what is meant by a code of conduct, what they are for, who can draw them up, and who is targeted by these voluntary documents. According to Article 40 GDPR, the purpose of a code of conduct is to “[contribute] to the proper application”, as well as “[specify] the application” of the GDPR. Additionally, they may be developed to “calibrate the obligations of controllers and processors” according to Recital 98 GDPR. As such, codes are intended to be an additional accountability tool which acts as a “rulebook for controllers and processors” that fall within the scope of the GDPR (and in certain cases, see below, those who fall outside of it). The codes provide measures which controllers and processors in a specific sector can implement in addition to, or in order to comply with, their existing legal obligations under the GDPR.

Interestingly, the EDPB suggests that codes can generate a degree of co-regulation amongst controllers and processors within the same processing sector. This, in turn, can help alleviate the burden placed on data protection authorities (DPAs) by controllers and processors seeking advice about the legality of their processing activities under the GDPR. This is, in theory, a strong argument in favour of developing codes of conduct and their corresponding monitoring bodies (as discussed in the commentary on Article 41 GDPR). However, not many associations or other bodies have made use of this possibility under the GDPR.[3] As such, controllers and processors remain reliant on DPAs for guidance on compliance, which will generally lack the sector-specificity that makes codes of conduct attractive in terms of effective application of the GDPR.

Content of the Codes of Conduct

Article 40(1) GDPR clarifies that codes of conduct must be tailored to the “specific features” of a sector, as well as the “specific needs of micro, small and medium-sized enterprises”. Recitals 98 and 99 GDPR provide additional information as to how the content of these codes of conduct may be developed. The former highlights that the codes should take into account the “risk likely to result from the [relevant] processing for the rights and freedoms of natural persons”. According to the latter recital, the drafter “should consult relevant stakeholders, including data subjects” in order to develop these codes. They should also duly consider the “submissions received and views expressed in response to such consultations”.

Article 40(2) GDPR provides a list of potential topics which the codes may address. It is important to note that the wording of the Article suggests that the list is non-exhaustive[4] and that these elements are not necessarily cumulative.[5] The Article provides the following examples of topics for the codes: fairness and transparency in processing; controllers’ legitimate interests in particular contexts; collection of personal data; pseudonymisation; information to be provided to the public and to data subjects; data subjects’ rights and their exercise; processing children’s personal data (including information to be provided, protection and mechanisms for obtaining parental consent); technical and organisational measures and the obligations to guarantee privacy by design and by default; notification and communication of data breaches to the competent supervisory authority and to affected data subjects; data transfers to third countries or international organisations; or dispute resolution procedures.

Finally, Article 40(4) GDPR outlines that a code of conduct must necessarily contain information on how a monitoring body (provided for in Article 41 GDPR) can ensure compliance with it.[6] It is important to note that such monitoring by these bodies should be carried out “without prejudice to the tasks and powers of supervisory authorities”.

Shall encourage

Codes of conduct themselves are not obligatory. Article 40(1) GDPR provides that Member States, DPAs, the EDPB and the European Commission (EC) shall “encourage” actors to develop codes of conduct. This terminology, reinforced by the fact that Article 40(2) GDPR provides that relevant actors “may” draw up such codes, highlights that the codes are developed on a voluntary basis. The EDPB Guidelines also support this reading. However, on a close reading of Article 40(1) GDPR, there is a clear obligation imposed on Member States, DPAs, the EDPB and the EC to encourage their drawing up. Indeed, the wording of Article 40(1) establishes that they “shall encourage” this (emphasis added).[7]

Associations and other Bodies

According to Article 40(2) GDPR, codes of conduct are to be drafted by trade associations and other bodies “representing categories of controllers or processors”. Therefore, these drafters act as representatives of specific sectors. The EDPB also refers to them as “code owners”. There is some ambiguity in the wording of this provision. Article 40(1) GDPR outlines that the drawing up of codes must be encouraged without specifying which entities may do so. Only Article 40(2) GDPR makes direct reference to “associations and other bodies”. It could therefore be argued that an individual controller or processor can take up the task of drafting a code. However, Recital 98 GDPR refers directly to associations and other bodies when addressing the obligation to encourage the drawing up of codes of conduct (Article 40(1) GDPR). Similarly, Article 40(5) GDPR refers only to associations and other bodies when specifying the steps to get a code approved. It may therefore be assumed that only such entities may develop these codes. The EDPB supports the view that only associations and other bodies may draft codes.[8]

Target Audience for Codes of Conduct

Generally speaking, codes of conduct developed in accordance with Article 40 GDPR are aimed at categories of controllers and processors within the scope of application of the GDPR. These categories are determined by their respective processing sectors. For example, a code of conduct for the processing of personal data by banks would differ from one for the education sector. This is clear from the wording of Article 40(1) GDPR, which specifies that the codes should take into account “the specific features of the various processing sectors”. However, Article 40(3) GDPR provides that certain codes of conduct can also be adhered to by controllers and processors that are not subject to the GDPR. Such codes must not only be approved by the competent DPA as per Article 40(5) GDPR, but must also have been granted general validity by the EC pursuant to Article 40(9) GDPR. Such third-country controllers and processors must also make “binding and enforceable commitments” (i.e. via contractual or other legally binding instruments). Where entities not subject to the GDPR adhere to them, these codes of conduct act as appropriate safeguards in the context of transfers of personal data to third countries or international organisations.[See Article 46(2)(e) GDPR.] The hope is that international codes will lead to the “promotion and cultivation of the level of protection which the GDPR provides to the wider international community”.[9]

Approval of Codes of Conduct

Article 40(5) GDPR outlines that associations and other bodies which “intend to prepare a code of conduct or to amend or extend an existing [one]” must submit their draft to the competent DPA. Once the code owner has submitted the draft, amendment or extension, in either electronic or written form, the competent DPA should review it against the admissibility criteria and the conditions for approval discussed in the following subsections. The DPA will then approve the code, amendment or extension if it finds that it “provides sufficient appropriate safeguards”. The GDPR itself provides little detail on the admissibility criteria and conditions for approval. Much of the following discussion is therefore derived from the EDPB Guidelines, which elaborate on these requirements.[10]

Competent Authority

Although Article 40(5) GDPR provides that the competent DPA is determined by applying Article 55 GDPR, the GDPR does not lay down concrete rules for this in the context of codes of conduct. The EDPB Guidelines, however, explain in their Annex 2 how code owners may identify the competent DPA. Factors that can be considered include: the Member State where most of the processing activity takes place, or where the processing sector is predominant; the Member State where data subjects are most affected; the Member State where the drafting association or other body has its headquarters; the Member State where the monitoring body will have its headquarters; or the Member State where a DPA has developed initiatives in the code of conduct’s specific field.[11]

Conditions for Admissibility of a Draft Code

The EDPB Guidelines provide a series of conditions that code drafters should fulfil before considering submitting their code, amendment or extension to the competent DPA for approval. The content of the draft code, amendment or extension will not be reviewed further if it fails to fulfil the criteria for admissibility outlined below.[12]

The first step for admissibility of a draft code of conduct is to have a “clear and concise explanatory statement”. This will include an explanation of: the purpose of the code; the scope of the code; and the way in which it will foster compliance with the GDPR. Supporting documentation will also provide additional clarity.

The draft code must be drafted by an association or other body representing categories of controllers or processors (Article 40(2) GDPR). The EDPB highlights that code owners must demonstrate to the competent authority that they fall within the meaning of “associations and other bodies” before submitting the code for approval. The Guidelines add that this entails providing proof of their capability to address the needs of controllers and processors and of their understanding of the relevant processing activities.

The scope of application of the code must be sufficiently precise. This includes information on the type of processing performed, and on the controllers and processors targeted by it. The drafters must clarify whether the code applies to processing within one or several Member States. This then facilitates the determination of whether further steps must be taken (e.g. general validity from the Commission, as elaborated upon in Article 40(9) GDPR).

The drafters must similarly ensure that steps for monitoring compliance are clearly laid out in the code of conduct. They must also provide for a monitoring body and the mechanisms that this body will apply to ensure compliance with it. The code drafters must consult relevant stakeholders such as data subjects, as well as controllers and processors, before the draft is considered admissible. This aspect is established in Recital 99 GDPR.

If national legislation applies, the association or other body drafting the code must confirm that it does not infringe such provisions. According to the EDPB, this is particularly the case if the code involves a sector which is specifically regulated by national law, or the processing at stake is subject to specific assessment requirements under national law.

The code must be written in the language in which the competent authority works. Transnational codes should, in addition, have an English version alongside the one in the competent DPA’s language. The code owner must ensure that all of the above conditions are fulfilled before submitting the code of conduct for approval. Annex 3 of the EDPB Guidelines provides a checklist which a code owner can use to verify this before presenting the code to the competent DPA.[13]

Criteria for getting Approval

The EDPB Guidelines also provide a series of criteria that must be fulfilled by code owners in order to gain formal approval for their code, amendment or extension from the competent DPA. The following sections reflect the minimum cumulative requirements for approval.

Firstly, the code must address a specific need or a data protection issue that is common in a sector, or in relation to a processing activity by a category of controllers or processors. The code owner must also demonstrate that it understands relevant processing issues, and clearly show how the code proposes to resolve them in an “effective and beneficial” way for their members and for data subjects. Without this, the code cannot get approval from the competent authority.

A key criterion for getting a code of conduct approved is described in Recital 98 GDPR: the code owner must ensure that the code “facilitate[s] the effective application of this Regulation” in the sector or processing activity it seeks to address. According to the EDPB Guidelines, in order to gain approval, the code drafters must ensure that the code of conduct specifies how the GDPR should apply in relation to the targeted processing activities or sector. This includes providing (non-exhaustively): clear improvements to ensure the targeted sector complies with the GDPR; realistic and attainable standards for the controllers and processors targeted; detailed information on data protection areas, such as those outlined in Article 40(2) GDPR; sufficiently clear and effective solutions to concerns over processing in this sector; an “operational meaning” of the Article 5 GDPR principles; and clarifications on any EDPB opinions or guidance for the specific sector.

The EDPB also clarifies that a code drafter cannot simply restate provisions within the GDPR. The codes must supplement the GDPR by providing information on how it “shall apply in a specific, practical and precise manner” which relates to the processing activity or sector at the heart of the code. This can be achieved by using, for example, sector-specific terminology without being too “legalistic”, and by giving examples of good practices.

As outlined in Article 40(5) GDPR, the code of conduct must provide sufficient appropriate safeguards, “taking into account the risk likely to result from the processing for the rights and freedoms of natural persons” (Recital 98 GDPR). An oversight and compliance monitoring mechanism is a requirement stipulated under Article 40(4) GDPR. According to the EDPB, structures and procedures for enforcing the code must be stipulated by the code owner before gaining approval. This includes identifying a monitoring body within the meaning of Article 41 GDPR. Such monitoring mechanisms must be “clear, suitable, attainable, efficient and enforceable (testable)”, according to the Guidelines.[14]

Approval from the Competent DPA

Subject to the code owners fulfilling the admissibility and approval requirements outlined above, the competent DPA can approve the draft code, amendment or extension pursuant to Article 40(5) GDPR. The EDPB Guidelines suggest that the DPA should do so within a “reasonable period of time”[Unless a specific time limit for approving a code of conduct is provided for in national law.] and keep the code owners updated throughout the approval process. The DPA should give reasons for its approval in line with the criteria for admissibility and approval and, where it does not approve a code, it should likewise give reasons for its opinion. This then enables the code owners to redraft and re-submit the code if they wish to do so.[15] Codes of conduct relating to processing activities in several Member States are transnational codes, which must pass through the consistency mechanism and may be granted “general validity” by the Commission (Articles 40(7) to 40(10) GDPR).

Role of the DPAs and the EDPB

The competent DPA[The details concerning the competence of the data protection authority outlined above also apply to transnational codes.] to which the code owner has submitted the draft code must determine whether the code fulfils the admissibility criteria mentioned above before proceeding. After this initial step, the authority notifies the other DPAs of the transnational code of conduct, pursuant to Article 40(7) GDPR. Those DPAs then confirm whether they are “supervisory authorities concerned” (see Article 4(22)(a) and (b) GDPR). Finally, the competent DPA cooperates with them in line with the consistency mechanism under Article 63 GDPR. This includes sending the draft code of conduct that the competent DPA intends to approve[16] to the other concerned supervisory authorities, which have 30 days to give their feedback on it. As per Article 40(7) GDPR, the competent DPA must then submit the draft code, amendment or extension, along with any responses from the concerned DPAs, to the EDPB.

The EDPB then issues an opinion on whether the code of conduct complies with the GDPR, as per Article 40(7) GDPR. According to the wording of Articles 40(7) and 40(8) GDPR, the EDPB’s opinion should also identify, in the situation covered by Article 40(3) GDPR, whether the draft code provides “appropriate safeguards”. This opinion follows the Rules of Procedure of the EDPB, as well as Article 64 GDPR. Where the opinion confirms that the code complies with the GDPR or provides “appropriate safeguards”, there is an obligation[Wording: “shall”.] on the EDPB to “submit its opinion to the Commission” (Article 40(8) GDPR). After receiving the EDPB’s opinion, it is for the EC to decide, “by way of implementing acts”, whether to grant the code of conduct “general validity within the Union” as per Article 40(9) GDPR. This provision specifies that such “implementing acts” must be adopted in line with the examination procedure under Article 93(2) GDPR.[17]

Publication of Approved Codes and Codes with General Validity

Article 40 GDPR provides additional requirements for publishing codes of conduct, amendments or extensions once they have been approved. This relates both to codes of conduct relating to processing activities in one Member State (national codes) and to those relating to processing activities in several Member States (transnational codes). The competent DPA that has approved a national code of conduct must register and publish it in accordance with Article 40(6) GDPR. The same applies to any approved amendments or extensions. According to Article 40(10) GDPR, the EC is responsible for the “appropriate publicity” to be given to a transnational code of conduct which has been granted “general validity”. It is uncertain whether the relevant DPAs must also publish the transnational codes of conduct that they approved following the consistency mechanism, as they must do with national codes under Article 40(6) GDPR.

Register of Codes of Conduct

Article 40(11) GDPR stipulates that the EDPB shall keep a register of “all approved codes of conduct, amendments and extensions” which is publicly available “by way of appropriate means”. The wording of Article 40(11) GDPR refers only to “approved codes” without mentioning those with “general validity”. This could lead to some ambiguity as to the scope of this provision.[18] Nonetheless, it is presumed that this requirement to register codes of conduct applies to approved codes within the meaning of Articles 40(5) and (6) GDPR, as well as to codes granted “general validity” by the EC as per Articles 40(7), (8), (9) and (10) GDPR. The reason behind this presumption is that it would not be logical for the EDPB to have to register codes of conduct approved by competent DPAs throughout the European Union, but not those on which it has itself given an opinion before submission to the EC for “general validity”. Additionally, the wording of Article 40(11) GDPR refers to “all approved codes of conduct”, which most likely includes the “approved codes” referred to in Article 40(10) GDPR. The EDPB supports this view.[19] The register can be found on the EDPB website. At the time of writing, only two codes of conduct (both national ones) had been collated on this register: a code of conduct by Nederland ICT (NL Digital) in the Netherlands, and one by Autocontrol (Asociación para la Autorregulación de la Comunicación Comercial) in Spain. However, various other codes of conduct do not yet appear on the EDPB register, such as the codes of conduct approved by the Austrian, Dutch or Italian DPAs.[20]

Decisions

→ You can find all related decisions in Category:Article 40 GDPR

References

  1. Bensoussan, Règlement européen sur la protection des données, p. 290 (Bruylant 2017).
  2. EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 8.
  3. There were only three codes of conduct approved under the GDPR in the EDPB Register when this commentary was written (17 March 2022).
  4. Article 40(2) uses the phrase “such as with regard to” before listing these potential topics, suggesting that they are only a few examples amongst others. The EDPB agrees with this reading of the Article; see EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 7.
  5. Article 40(2) GDPR uses the word “or” between subparagraphs (j) and (k).
  6. Consider the wording: “shall”.
  7. EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), pp. 6-7.
  8. The EDPB even provides a non-exhaustive list of possible “code owners” including “trade and representative associations, sectoral organisations, academic organisations and interest groups”; see EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 11.
  9. EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 10.
  10. EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 17.
  11. As per Article 55 GDPR.
  12. EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 17.
  13. EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), pp. 11-14.
  14. EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), pp. 15-17.
  15. EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 18.
  16. Presumably (as there is no information in the GDPR or the Guidelines on this point) in line with the conditions for approval outlined above.
  17. EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 20.
  18. See Article 40(3) GDPR, which refers to both types of codes distinctly: “codes of conduct approved pursuant to paragraph 5 of this Article and [codes of conduct] having general validity pursuant to paragraph 9 of this Article”.
  19. EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 20.
  20. See, for example, the codes of conduct published by the Spanish DPA, the Dutch DPA, the Italian DPA and the Austrian DPA.