Article 41 GDPR

From GDPRhub
Article 41 - Monitoring of approved codes of conduct
Chapter IV: Controller and processor, Section 5: Codes of conduct and certification

Legal Text


Article 41 - Monitoring of approved codes of conduct

1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, the monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for that purpose by the competent supervisory authority.

2. A body as referred to in paragraph 1 may be accredited to monitor compliance with a code of conduct where that body has:

(a) demonstrated its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory authority;
(b) established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;
(c) established procedures and structures to handle complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make those procedures and structures transparent to data subjects and the public; and
(d) demonstrated to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.

3. The competent supervisory authority shall submit the draft criteria for accreditation of a body as referred to in paragraph 1 of this Article to the Board pursuant to the consistency mechanism referred to in Article 63.

4. Without prejudice to the tasks and powers of the competent supervisory authority and the provisions of CHAPTER VIII, a body as referred to in paragraph 1 of this Article shall, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent supervisory authority of such actions and the reasons for taking them.

5. The competent supervisory authority shall revoke the accreditation of a body as referred to in paragraph 1 if the conditions for accreditation are not, or are no longer, met or where actions taken by the body infringe this Regulation.

6. This Article shall not apply to processing carried out by public authorities and bodies.

Commentary

Article 41 GDPR complements Article 40 GDPR by providing that compliance with an approved code of conduct is monitored by an accredited body with an appropriate level of expertise in the sector covered by the code. Although the Data Protection Directive 95/46/EC (DPD) included a provision on codes of conduct (Article 27(1) DPD), it said nothing about how compliance with such codes should be monitored. Accordingly, it was left to national law to determine whether such monitoring should take place at all, and which specific body could undertake it.[1] According to the European Data Protection Board (EDPB) Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 (EDPB Guidelines), the aim of Articles 40 and 41 GDPR[2] is to ensure a “practical, potentially cost effective and meaningful method to achieve greater levels of consistency” in data protection law. This is particularly relevant given that Member States may give effect to EU data protection law in ways that differ from one another (e.g. where the processing targeted by a code of conduct relates to a particular Member State).[3]

(1) The monitoring body

The monitoring body provided for in Article 41 GDPR is tasked with ensuring compliance with the code of conduct drawn up under Article 40 GDPR. This body must be accredited by the competent Data Protection Authority (DPA) in charge of the code.

A body with an appropriate level of expertise

As Article 40(4) GDPR on the drawing up of codes of conduct makes clear, a code must contain mechanisms enabling a monitoring body to carry out the monitoring of compliance. Article 41(1) GDPR specifies that such a body will ensure members’ compliance with the code.

The EDPB highlights that the GDPR does not prescribe the type of body which Article 41 GDPR refers to. Instead, the EDPB Guidelines suggest that it is for code drafters to define the structure of the body, including whether it is an internal or external one. For example, an internal body could be in the form of an “ad hoc internal committee”, or another department constituted independently from the code owners.[4]

According to the wording of Article 41(1) GDPR, the monitoring body must have an “appropriate level of expertise” in the sector targeted by the code. This requirement is, however, undefined in the GDPR; “expertise” is only referred to again, briefly, in Article 41(2)(a) GDPR. Additionally, Article 41(1) GDPR specifies that a monitoring body must be “accredited” by the competent DPA for the purpose of ensuring compliance with the code of conduct. The criteria for this accreditation are set out in the section below.

It is also important to point out that such expertise and accreditation operate “[w]ithout prejudice to the tasks and powers of the competent supervisory authority”, as the first line of Article 41(1) GDPR states. This means that the crucial role played by competent DPAs in enforcing the GDPR cannot be undermined or sidelined by an accredited monitoring body ensuring compliance with a code of conduct for a specific sector or processing activity.

(2) Criteria for accreditation from the competent supervisory authority

The GDPR requires that the competent DPA accredit a monitoring body before it can perform its tasks under the code of conduct. This is clear from the wording of Article 41(1) GDPR, which does not, however, define accreditation. Nonetheless, Article 41(2) GDPR provides criteria against which a supervisory authority will assess the suitability of the monitoring body to ensure compliance with the relevant code of conduct. It is uncertain whether a monitoring body which satisfies the criteria in Article 41(2) GDPR may nonetheless have its accreditation refused, and neither the GDPR nor the EDPB Guidelines state clearly whether these criteria are exhaustive. However, given the wording of the Article (“may be accredited”), it is possible to argue that certain DPAs can decide to be stricter and require additional criteria to be fulfilled. In any case, the following criteria must be fulfilled as a baseline, and it is the code owner’s task to demonstrate that their chosen monitoring body fulfils them.[5]

(a) Demonstrated independence and expertise

It is clear from Article 41(1) GDPR that the body must have an “appropriate level of expertise” in the subject matter covered by the code of conduct. This is also a requirement of the accreditation process under Article 41(2)(a) GDPR, according to which the monitoring body “may be accredited [...] where that body has: (a) demonstrated its independence and expertise”. The threshold for this level of expertise is “to the satisfaction of the competent supervisory authority”. Therefore, divergences between Member States are possible. However, the EDPB provides some guidance as to what this entails. For example, it clarifies that the monitoring body should show that it has knowledge of, and past experience in, the sector targeted by the code of conduct. Similarly, the monitoring body should demonstrate an in-depth understanding of data protection law as applicable to the type of processing covered by the code of conduct. Experience in monitoring compliance is also recommended.[6]

Article 41(2)(a) GDPR also requires that the monitoring body be independent. According to the EDPB Guidelines, this requirement for accreditation refers to the monitoring body’s “impartiality of function from the code members and the profession, industry or sector” in question. Additionally, the monitoring body should be independent from the code owners.[7] The Guidelines also suggest some areas that can be used to demonstrate independence. These are only examples, and are non-exhaustive:

-   independent funding;

-   independence in the appointment of the monitoring body’s staff and management structure, such as through “informational barriers” or “separate reporting management structures”;

-   independence in its processes for making decisions, with the willingness to impose sanctions for non-compliance with the code; and/or

-   independence in the organisational structure of the monitoring body.

The requirement of independence evidently applies regardless of whether an internal or external monitoring body is chosen by the code owners. Again, the threshold for this level of independence is “to the satisfaction of the competent supervisory authority”, so divergences between Member States are possible here as well. However, the EDPB also provides some guidance in that respect. For example, the monitoring body should be able to demonstrate that it will act without instructions or fear of reprimand from third parties. Similarly, it must be able to show that it has implemented safeguards to mitigate any risk to its impartiality.[8]

(b) Established procedures for assessing controllers and processors

The monitoring body must also have procedures in place that enable it to (i) assess whether the controllers and processors concerned are eligible to apply the code of conduct,[9] (ii) monitor their compliance with it and (iii) periodically review its operation. These three requirements must be satisfied before a monitoring body can be accredited under Article 41(2)(b) GDPR. Although this provision only refers to “procedures” and not “structures”, the EDPB has interpreted the paragraph as including both.

The EDPB also interprets this provision to mean that “comprehensive vetting procedures” are required to assess whether the controllers and processors concerned can be considered as formally adhering to the code of conduct. The Guidelines provide suggestions of what these vetting procedures may look like:

-   randomised audits (these carry even more weight if published);

-   inspections on a regular basis (e.g. annually);

-   use of reports; and/or

-   use of questionnaires.

However, this is not a comprehensive list, and bodies seeking accreditation may adopt any procedure or structure that addresses the three requirements above. The EDPB also notes that the established procedures must be supported by sufficient financial and human resources to be implemented effectively in practice.[10] As noted above, Article 41(2)(b) GDPR requires that the monitoring body periodically review the operation of the code of conduct. For this to be achieved effectively, the monitoring body must establish a procedure for doing so, which should in turn assess the code’s continued relevance[11] and its contribution to “the proper application of the GDPR”.[12]

(c) Established procedures and structures for complaints handling

Additionally, Article 41(2)(c) GDPR stipulates that the monitoring body must have clear procedures and structures to handle complaints about infringements of the code, or about the manner in which it is implemented, by a controller or processor. To achieve this, sufficient resources and powers are crucial, as is the willingness to impose corrective measures (such as suspension of a member from the code of conduct). Under Article 41(2)(c) GDPR, these complaint-handling procedures and structures must be transparent to data subjects and to the general public. This entails “publicly accessible” complaint processes. It may also imply, where relevant, communication with the parties concerned and with the DPAs.[13]

(d) No conflict of interests

Article 41(2)(d) GDPR makes it clear that the code owners must demonstrate that the designated monitoring body can perform its tasks and duties without any conflict of interests. The EDPB specifies that the code owners must do so by providing evidence that there are effective safeguards to ensure that the monitoring body “will not engage with an incompatible occupation”. As with the independence requirement mentioned above, this entails that there should be no direct or indirect external influence guiding the body’s actions.

(3) Submitting the draft criteria for accreditation to the EDPB

According to Article 41(3) GDPR, the competent DPAs in charge of assessing whether the monitoring body satisfies the accreditation criteria must themselves submit the “draft criteria for accreditation” to the EDPB in line with the consistency mechanism under Article 63 GDPR.

(4) Role of the monitoring body

The role that a monitoring body plays can be understood from Article 41(4) GDPR. This role is exercised “[w]ithout prejudice to the tasks and powers of the competent supervisory authority and the provisions of Chapter VIII”. The monitoring body is primarily tasked with ensuring compliance with the code of conduct. Article 41(4) GDPR provides that it “shall” take appropriate action when an infringement by a controller or processor takes place. The provision itself suggests possible sanctions against an infringing code member, such as the “suspension or exclusion of the controller or processor concerned from the code”. Under Article 41(4) GDPR, a monitoring body is obliged to inform the competent DPA of any action it takes in the event of an infringement, together with the reasons for taking it. The EDPB Guidelines suggest that this requirement should be considered a criterion for accreditation.[14] However, given that this obligation does not appear in the list of accreditation requirements in Article 41(2) GDPR, it is argued here that it reads more as an ex post obligation of a monitoring body than as a criterion for the ex ante accreditation process.

(5) Revoking accreditation

Article 41(5) GDPR stipulates that the competent DPA which accredited the monitoring body shall also revoke that accreditation where the conditions for accreditation are not, or are no longer, met. Additionally, revocation is also a remedy where actions taken by the monitoring body infringe the GDPR. According to the EDPB, the code owners must have made provision for such a revocation. Furthermore, because of the severe consequences it can entail (e.g. the suspension of the code of conduct due to the absence of a monitoring body), the DPA must give the monitoring body the opportunity to remedy the concern identified.[15] It is uncertain whether the DPA must involve the EDPB when considering revoking an accreditation, as it must in the context of the draft criteria for accreditation (Article 41(3) GDPR).

(6) Non-application to public authorities and bodies

As Article 41(6) GDPR clearly lays out, this provision “shall not apply to processing carried out by public authorities and bodies”.

Decisions

→ You can find all related decisions in Category:Article 41 GDPR

References

  1. Kamara, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 41 GDPR, p. 727 (Oxford University Press 2020).
  2. Articles 40 and 41 GDPR are connected: the former concerns the drawing up of codes of conduct, whereas the latter concerns the monitoring of the application of those codes by appropriate bodies.
  3. EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 5.
  4. EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 22.
  5. EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 21.
  6. EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 23.
  7. EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 21.
  8. EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 22.
  9. For example, that they operate within the sector targeted by the code, or that they carry out the processing activities targeted by it.
  10. The resources required are proportionate to the number of code members and the risk associated with the particular sector; see EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 24.
  11. In light of any sector-specific, industry and/or technological developments.
  12. EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 25.
  13. EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 23.
  14. EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), pp. 24-25.
  15. EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), p. 26.