Article 40 GDPR
1. The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.
2. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:
- (a) fair and transparent processing;
- (b) the legitimate interests pursued by controllers in specific contexts;
- (c) the collection of personal data;
- (d) the pseudonymisation of personal data;
- (e) the information provided to the public and to data subjects;
- (f) the exercise of the rights of data subjects;
- (g) the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;
- (h) the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32;
- (i) the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects;
- (j) the transfer of personal data to third countries or international organisations; or
- (k) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.
3. In addition to adherence by controllers or processors subject to this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article and having general validity pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (e) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards including with regard to the rights of data subjects.
4. A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of supervisory authorities competent pursuant to Article 55 or 56.
5. Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the supervisory authority which is competent pursuant to Article 55. The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards.
6. Where the draft code, or amendment or extension is approved in accordance with paragraph 5, and where the code of conduct concerned does not relate to processing activities in several Member States, the supervisory authority shall register and publish the code.
7. Where a draft code of conduct relates to processing activities in several Member States, the supervisory authority which is competent pursuant to Article 55 shall, before approving the draft code, amendment or extension, submit it in the procedure referred to in Article 63 to the Board which shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3 of this Article, provides appropriate safeguards.
8. Where the opinion referred to in paragraph 7 confirms that the draft code, amendment or extension complies with this Regulation, or, in the situation referred to in paragraph 3, provides appropriate safeguards, the Board shall submit its opinion to the Commission.
9. The Commission may, by way of implementing acts, decide that the approved code of conduct, amendment or extension submitted to it pursuant to paragraph 8 of this Article have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).
10. The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 9.
11. The Board shall collate all approved codes of conduct, amendments and extensions in a register and shall make them publicly available by way of appropriate means.
Article 40 GDPR outlines a possibility for actors to elaborate codes of conduct for the effective implementation of the GDPR in specific sectors or for specific processing activities. Codes of conduct are not obligatory but rather potential tools that can be used to promote compliance. Article 40 GDPR elaborates upon a pre-existing provision under Directive 95/46/EC (Data Protection Directive – DPD), specifically Article 27(1). Accordingly, certain codes of conduct had already been elaborated under Article 27 DPD. These include a code of conduct on the use of personal data in direct marketing practices, developed by the Federation of European Direct and Interactive Marketing (FEDMA), and a code of conduct for cloud service providers developed by the Cloud Select Industry Group (C-SIG). Both were approved by the Article 29 Working Party (WP29).
According to the European Data Protection Board (EDPB) Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 (EDPB Guidelines), Article 40 GDPR provides more “specific and detailed provisions” concerning the requirements and procedural aspects for drafting codes than the DPD. The aim of Articles 40 and 41 GDPR[Articles 40 and 41 GDPR are connected. The former concerns the drawing up of codes of conduct whereas the latter concerns the monitoring of the application of those codes by appropriate bodies.] is to ensure a “practical, potentially cost effective and meaningful method to achieve greater levels of consistency” in data protection law. This is particularly relevant given that Member States may give effect to EU data protection law in ways which differ from one another (e.g. where processing targeted by a code of conduct relates to a particular Member State).
Drawing up Codes of Conduct
It is important to clarify what is meant by a code of conduct, what they are for, who can draw them up, and who is targeted by these voluntary documents. According to Article 40 GDPR, the purpose of a code of conduct is to “[contribute] to the proper application”, as well as “[specify] the application” of the GDPR. Additionally, they may be developed to “calibrate the obligations of controllers and processors” according to Recital 98 GDPR. As such, codes are intended to be an additional accountability tool which acts as a “rulebook for controllers and processors” that fall within the scope of the GDPR (and in certain cases, see below, those who fall outside of it). The codes provide measures which data controllers and processors in a specific sector can implement in addition to, or to comply with, their existing legal obligations under the GDPR.
Interestingly, the EDPB suggests that codes can generate a degree of co-regulation amongst controllers and processors within the same processing sector. This, in turn, can help alleviate burdens placed on data protection authorities (DPAs) by controllers and processors seeking advice about the legality of their processing activities under the GDPR. This is, in theory, a strong argument in favour of developing codes of conduct and their corresponding monitoring bodies (as discussed in this commentary on Article 41 GDPR). However, not many associations or other bodies have made use of this possibility under the GDPR. As such, data controllers and processors remain reliant on DPAs for guidance on compliance, which unfortunately will generally lack the sector-specificity that makes codes of conduct attractive in terms of effective application of the GDPR.
Content of the Codes of Conduct
Article 40(1) GDPR clarifies that codes of conduct must be tailored to “specific features” of a sector, as well as the “specific needs of micro, small and medium-sized enterprises”. Recitals 98 and 99 GDPR provide additional information as to how the content of these codes of conduct may be developed. The former highlights that the codes should take into account the “risk likely to result from the [relevant] processing for the rights and freedoms of natural persons”. According to the latter recital, the drafter “should consult relevant stakeholders, including data subjects” in order to develop these codes. They should also duly consider the “submissions received and views expressed in response to such consultations”.
Article 40(2) GDPR provides a list of potential topics which the codes may address. It is important to note that the wording of the Article suggests that the list is non-exhaustive and that these elements are not necessarily cumulative. The Article provides the following examples of topics for the codes: fairness and transparency in processing; controllers’ legitimate interests in particular contexts; collection of personal data; pseudonymisation; information to be provided to the public and to data subjects; data subjects’ rights and their exercise; processing children’s personal data (including information to be provided, protection and mechanisms for obtaining parental consent); technical and organisational measures and the obligations to guarantee privacy by design and by default; notification and communication of data breaches to the competent supervisory authority and to affected data subjects; data transfers to third countries or international organisations; or dispute resolution procedures.
Finally, Article 40(4) GDPR outlines that a code of conduct must necessarily contain information on how a monitoring body (provided for in Article 41 GDPR) can ensure compliance with it. It is important to note that such monitoring by these bodies should be carried out “without prejudice to the tasks and powers of supervisory authorities”.
Codes of conduct themselves are not obligatory. Article 40(1) GDPR provides that Member States, DPAs, the EDPB and the European Commission (EC) shall “encourage” actors to develop codes of conduct. This terminology, emphasised by the fact that Article 40(2) GDPR provides that relevant actors “may” draw up such codes, highlights that the codes are developed on a voluntary basis. The EDPB Guidelines also support this reading. However, on a detailed reading of Article 40(1) GDPR, there is a clear obligation imposed on Member States, DPAs, the EDPB and the EC to encourage their drawing up. Indeed, the wording of Article 40(1) establishes that they “shall encourage” this.
Associations and other Bodies
According to Article 40(2) GDPR, codes of conduct are to be drafted by trade associations and other bodies “representing categories of controllers or processors”. Therefore, these drafters act as representatives of specific sectors. The EDPB also refers to them as “code owners”. There is some ambiguity in the wording of this GDPR provision. Article 40(1) GDPR outlines that the drawing up of codes must be encouraged without specifying what entities may do so. Only Article 40(2) GDPR makes direct reference to “associations and other bodies”. Therefore, it could be interpreted that a controller or processor can take up the task of drafting a code. However, Recital 98 GDPR makes direct reference to associations and other bodies when addressing the obligation to encourage drawing up of codes of conduct (Article 40(1) GDPR). Similarly, Article 40(5) GDPR only refers to associations and other bodies when specifying the steps to get a code approved. It may therefore be assumed that only such entities may develop these codes. The EDPB supports the suggestion that only associations and other bodies may draft codes.
Target Audience for Codes of Conduct
Generally speaking, codes of conduct developed in accordance with Article 40 GDPR are aimed at categories of controllers and processors within the scope of application of the GDPR. These categories are determined by their varying processing sectors. For example, a code of conduct for processing of personal data by banks would differ from one for the education sector. This is clear from the wording of Article 40(1) GDPR, which specifies that the codes should take into account “the specific features of the various processing sectors”. However, Article 40(3) GDPR provides that certain codes of conduct can be followed by controllers and processors of personal data that are not subject to the GDPR. Such codes must not only be approved by the competent DPA as per Article 40(5) GDPR, but must also have gained general validity from the EC pursuant to Article 40(9) GDPR. The third country controllers and processors must also make “binding and enforceable commitments” (i.e. via contractual or other legally binding instruments). Should entities not subject to the GDPR adhere to them, these codes of conduct will act as appropriate safeguards in the context of transfers of personal data to third countries or international organisations.[See Article 46(2)(e) GDPR.] The hope is that international codes will lead to the “promotion and cultivation of the level of protection which the GDPR provides to the wider international community”.
Approval of Codes of Conduct
Article 40(5) GDPR outlines that associations and other bodies which “intend to prepare a code of conduct or to amend or extend an existing [one]” must submit their draft to the competent DPA. Once the code owner has submitted the draft, amendment or extension, in either an electronic or written format, the competent DPA should review the code of conduct against the admissibility criteria and the conditions for approval which will be discussed in the following subsections. The DPA will then approve the code, amendment or extension when it “provides sufficient appropriate safeguards”. Not much detail is provided by the provisions in the GDPR with regard to the admissibility criteria and conditions for approval. Therefore, much of the following discussion is derived from the EDPB Guidelines, which elaborate on these requirements.
Although Article 40(5) GDPR mentions that the competent DPA will be determined through the application of Article 55 GDPR, the GDPR does not provide concrete rules on this. However, the EDPB Guidelines explain how code owners may identify the competent DPA in its Annex 2. This document provides factors that can be considered such as: the Member State where most of the processing activity takes place, or where the processing sector is predominant; the Member State where data subjects are most affected; the Member State where the drafting association or other body has its headquarters; the Member State where the monitoring body will have its headquarters; or the Member State where a DPA has developed initiatives in the code of conduct’s specific field.
Conditions for Admissibility of a Draft Code
The EDPB Guidelines provide a series of conditions that code drafters should fulfil before considering submitting their code, amendment or extension to the competent DPA for approval. The content of the draft code, amendment or extension will not be reviewed further if it fails to fulfil the criteria for admissibility outlined below.
The first step for admissibility of a draft code of conduct is to have a “clear and concise explanatory statement”. This will include an explanation of: the purpose of the code; the scope of the code; and the way in which it will foster compliance with the GDPR. Supporting documentation will also provide additional clarity.
The draft code must be drafted by an association or other body representing categories of controllers and processors (Article 40(2) GDPR). The EDPB highlights that code owners must demonstrate to the competent authority that they fall within the meaning of “associations and other bodies” before submitting the code for approval. The Guidelines add that this entails providing proof of their capability to address the needs of controllers and processors and of their understanding of the relevant processing activities.
The scope of application of the code must be sufficiently precise. This includes information on the type of processing performed, and the controllers and processors targeted by it. The drafters must clarify whether the code applies to processing within one or several Member States. This will then facilitate the determination of whether further steps must be taken (eg. general validity from the Commission, as elaborated upon in Article 40(9) GDPR).
The drafters must similarly ensure that steps for monitoring compliance are clearly laid out in the code of conduct. They must also provide for a monitoring body and the mechanisms that this body will apply to ensure compliance with it. The code drafters must consult relevant stakeholders such as data subjects, as well as controllers and processors, before the draft is considered admissible. This aspect is established in Recital 99 GDPR.
If national legislation applies, the association or other body drafting the code must confirm that it does not infringe such provisions. According to the EDPB, this is particularly the case if the code involves a sector which is specifically regulated by national law, or the processing at stake is subject to specific assessment requirements under national law.
The code must be written in the working language of the competent authority. Transnational codes, however, should also have an English version, in addition to one in the competent DPA’s language. The code owner must ensure that they fulfil all the above conditions before submitting the code of conduct for approval. Annex 3 of the EDPB Guidelines provides a possible checklist for a code owner to verify this. They can then present it to the competent DPA.
Criteria for getting Approval
The EDPB Guidelines also provide a series of criteria that must be fulfilled by code owners in order to gain formal approval for their code, amendment or extension from the competent DPA. The following sections reflect the minimum cumulative requirements for approval.
Firstly, the code must address a specific need or a data protection issue that is common in a sector, or in relation to a processing activity by a category of controllers or processors. The code owner must also demonstrate that it understands relevant processing issues, and clearly show how the code proposes to resolve them in an “effective and beneficial” way for their members and for data subjects. Without this, the code cannot get approval from the competent authority.
A key criterion for getting a code of conduct approved is described in Recital 98 GDPR: the code owner must ensure that the code “facilitate[s] the effective application of this Regulation” in the sector or processing activity it seeks to address. According to the EDPB Guidelines, in order to gain approval, the code drafters must ensure that the code of conduct specifies how the GDPR should apply in relation to the targeted processing activities or sector. This includes providing (non-exhaustively): clear improvements to ensure the targeted sector complies with the GDPR; realistic and attainable standards for the controllers and processors targeted; detailed information on data protection areas, such as those outlined in Article 40(2) GDPR; sufficiently clear and effective solutions to concerns over processing in this sector; an “operational meaning” of the Article 5 GDPR principles; and clarifications on any EDPB opinions or guidance for the specific sector.
The EDPB also clarifies that a code drafter cannot simply restate provisions within the GDPR. The codes must supplement the GDPR by providing information on how it “shall apply in a specific, practical and precise manner” which relates to the processing activity or sector at the heart of the code. This can be achieved by using, for example, sector-specific terminology without being too “legalistic”, and by giving examples of good practices.
As outlined in Article 40(5) GDPR, the code of conduct must provide sufficient appropriate safeguards, “taking into account the risk likely to result from the processing for the rights and freedoms of natural persons” (Recital 98 GDPR). An oversight and compliance monitoring mechanism is a requirement stipulated under Article 40(4) GDPR. According to the EDPB, structures and procedures for enforcing the code must be stipulated by the code owner before gaining approval. This includes identifying a monitoring body within the meaning of Article 41 GDPR. Such monitoring mechanisms must be “clear, suitable, attainable, efficient and enforceable (testable)”, according to the Guidelines.
Approval from the Competent DPA
Subject to the code owners fulfilling the admissibility and approval requirements outlined above, the competent DPA can approve the draft code, amendment or extension pursuant to Article 40(5) GDPR. The EDPB Guidelines suggest that the DPA should do so within a “reasonable period of time”[Unless a specific time for approving a code of conduct is provided for in national law.] and update the code owners throughout the approval process. The DPA should motivate its approval in line with the prerequisite criteria for admissibility and approval, and in cases when it does not approve a code, it should provide reasons for its opinion. This can then enable the code owners to redraft and re-submit the code if they wish to do so. Codes of conduct relating to processing activities in several Member States are transnational codes: before approval they must go through the consistency mechanism and receive an EDPB opinion (Articles 40(7) and (8) GDPR), and the Commission may then grant them “general validity” within the Union (Articles 40(9) and (10) GDPR).
Role of the DPAs and the EDPB
The competent DPA[Details concerning the competency of the data protection authority outlined above apply to transnational codes.] with which the code owner has submitted the draft code must determine whether this code fulfils the admissibility criteria mentioned above before proceeding. After this initial step, the authority will then notify other DPAs about the transnational code of conduct, pursuant to Article 40(7) GDPR. These DPAs will then confirm whether they are “supervisory authorities concerned” (see Article 4(22)(a) and (b) GDPR). Finally, the competent DPA will cooperate with them in line with the consistency mechanism found under Article 63 GDPR. This includes sending a draft of the code of conduct that the competent DPA intends to approve to the other concerned DPAs, which will have a 30-day time frame to give their feedback on it. As per Article 40(7) GDPR, the competent DPA must then submit the draft code, amendment or extension, along with any responses from concerned DPAs, to the EDPB.
The EDPB will then generate an opinion as to whether the code of conduct complies with the GDPR, as per Article 40(7) GDPR. According to the terminology of Articles 40(7) and 40(8) GDPR, the EDPB’s opinion should identify whether the draft code provides “appropriate safeguards”. This opinion shall follow the Rules of Procedure of the EDPB, as well as Article 64 GDPR. After confirming that the code of conduct provides “appropriate safeguards”, there is an obligation[Wording: "shall".] imposed on the EDPB to “submit its opinion to the Commission” (Article 40(8) GDPR). After receiving the EDPB’s opinion, the EC will be the one to determine, “by way of implementing acts”, whether to grant the code of conduct “general validity within the Union” as per Article 40(9) GDPR. This provision specifies that the aforementioned “implementing acts” must be adopted in line with the examination procedure under Article 93(2) GDPR.
Publication of Approved Codes and Codes with General Validity
Article 40 GDPR provides additional requirements for publishing codes of conduct, amendments or extensions once they have been approved. This relates to both codes of conduct relating to processing activities in one Member State (national codes) and those relating to processing activities in several Member States (transnational codes). The competent DPA that has approved a national code of conduct must then register and publish it in accordance with Article 40(6) GDPR. The same applies to any amendments or extensions submitted for approval. According to Article 40(10) GDPR, the EC is responsible for the “appropriate publicity” that should be given to a transnational code of conduct which has been granted “general validity”. It is uncertain whether the relevant DPAs will have to publish the transnational codes of conduct that they sought to approve prior to the cooperation mechanism, as they must do with national codes according to Article 40(6) GDPR.
Register of Codes of Conduct
Article 40(11) GDPR stipulates that the EDPB shall keep a register of “all approved codes of conduct, amendments and extensions” which is freely accessible and available to all “by way of appropriate means”. The wording in Article 40(11) GDPR only specifically refers to “approved codes” without mentioning those with “general validity”. This could lead to some ambiguity as to the scope of this provision. Nonetheless, it is presumed that this requirement to register codes of conduct applies to approved codes within the meaning of Articles 40(5) and (6) GDPR, as well as codes granted “general validity” by the EC as per Articles 40(7), (8), (9) and (10) GDPR. The reason behind this presumption is that it would not be logical for the EDPB to have to register codes of conduct approved by competent DPAs throughout the European Union, but not those subject to its opinion before submission to the EC for “general validity”. Additionally, the wording of Article 40(11) GDPR refers to “all approved codes of conduct”, which most likely includes the “[Commission] approved codes” referred to in Article 40(10) GDPR. The EDPB supports this view. The register can be found on the EDPB website. So far, only two codes of conduct (national ones) have been collated on this register: a code of conduct by Nederland ICT (NL Digital) in the Netherlands, and one by Autocontrol (Asociación para la Autorregulación de la Comunicación Comercial) in Spain. However, it is apparent that there are various other codes of conduct that do not yet appear on the EDPB register, such as the codes of conduct approved by the Austrian, Dutch, or Italian DPAs.
→ You can find all related decisions in Category:Article 40 GDPR
- ↑ Bensoussan, Reglement europeen sur la protection des donnees, p. 290 (Bruylant 2017).
- ↑ EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 8 (available here).
- ↑ There were only three codes of conduct approved under the GDPR in the EDPB Register when this commentary was written (17/03/2022, see here).
- ↑ Article 40(2) uses the phrases “such as with regard to” before listing these potential topics, suggesting that they are only a few examples amongst others. The EDPB agrees with this reading of the Article; see EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 7 (available here).
- ↑ Article 40(2) GDPR uses the word “or” between subparagraph (j) and (k).
- ↑ Consider the wording: “shall”.
- ↑ EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), pp. 6-7 (available here).
- ↑ The EDPB even provides a non-exhaustive list of possible “code owners” including “trade and representative associations, sectoral organisations, academic organisations and interest groups”; see EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 11 (available here).
- ↑ EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 10 (available here).
- ↑ EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 17 (available here).
- ↑ As per Article 55 GDPR.
- ↑ EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 17 (available here).
- ↑ EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), pp. 11-14 (available here).
- ↑ EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), pp. 15-17 (available here).
- ↑ EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 18 (available here).
- ↑ Presumably (as there is no information in the GDPR nor the Guidelines) in line with the conditions of approval outlined.
- ↑ EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 20 (available here).
- ↑ See Article 40(3) GDPR which refers to both types of codes distinctly: “codes of conduct approved pursuant to paragraph 5 of this Article and [codes of conduct] having general validity pursuant to paragraph 9 of this Article”.
- ↑ EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 20 (available here).
- ↑ See, for example, the Spanish DPA (here); Dutch DPA (here); Italian DPA (here) and the Austrian DPA (here, here and here).