Article 41 GDPR
|← Article 41 - Monitoring of approved codes of conduct →|
Legal Text[edit | edit source]
1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, the monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for that purpose by the competent supervisory authority.
2. A body as referred to in paragraph 1 may be accredited to monitor compliance with a code of conduct where that body has:
- (a) demonstrated its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory authority;
- (b) established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;
- (c) established procedures and structures to handle complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make those procedures and structures transparent to data subjects and the public; and
- (d) demonstrated to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.
3. The competent supervisory authority shall submit the draft criteria for accreditation of a body as referred to in paragraph 1 of this Article to the Board pursuant to the consistency mechanism referred to in Article 63.
4. Without prejudice to the tasks and powers of the competent supervisory authority and the provisions ofCHAPTER VIII, a body as referred to in paragraph 1 of this Article shall, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent supervisory authority of such actions and the reasons for taking them.
5. The competent supervisory authority shall revoke the accreditation of a body as referred to in paragraph 1 if the conditions for accreditation are not, or are no longer, met or where actions taken by the body infringe this Regulation.
6. This Article shall not apply to processing carried out by public authorities and bodies.
Relevant Recitals[edit | edit source]
You can help us fill this section!
Commentary[edit | edit source]
Overview[edit | edit source]
Article 41 of the General Data Protection Regulation (GDPR) complements Article 40 by providing that compliance with any approved code of conduct must be monitored by an accredited body with the appropriate level of expertise in the sector concerned by the code.
Although the Data Protection Directive 95/46/EC included a provision on codes of conduct (Article 27(1)), this did not include any information on how compliance with such codes may be monitored. Accordingly, it was for national law to determine whether and which specific body may undertake the task of monitoring compliance with a code of conduct.
According to the European Data Protection Board Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 (hereafter: EDPB Guidelines), the aim of Article 40 and 41 GDPR is to ensure a “practical, potentially cost effective and meaningful method to achieve greater levels of consistency” in data protection law. This is particularly relevant given the fact that Member States may give effect to EU data protection law in ways which differ from their counterparts (e.g. where processing targeted by a code of conduct relates to a particular Member State).
The monitoring body.[edit | edit source]
The monitoring body provided for in Article 41 GDPR is tasked with ensuring that compliance with the code of conduct elaborated as per Article 40. However, this body must be accredited by the competent supervisory authority in charge of the code.
A body with an appropriate level of expertise.[edit | edit source]
As mentionned in Article 40(4) on the elaboration of codes of conduct, a monitoring body must be designated in the relevant code. Article 41(1) specifies that such a body will ensure compliance of code members with said code.
The EDPB highlights that the GDPR does not prescribe the type of body targeted by Article 41. Instead, the Guidelines suggest that it is for code owners to define the structure of the body: including whether it is an internal or external body. An internal body could be in the form of an “ad hoc internal committee” or another department constituted independently from the code owners, for example.
According to the wording of Article 41(1), the monitoring body must have an “appropriate level of expertise” in the sector targeted by the code. This requirement is, however, undefined in the Regulation. “Expertise” is only referred to again under Article 41(2)(a), although briefly.
Additionally, Article 41(1) specifies that a monitoring body must be “accredited” by the competent supervisory authority for the purpose of ensuring compliance with the code of conduct. The criteria for this accreditation is provided in the section below (4.1.2).
It is also important to point out that such level of expertise and accreditation should be “[w]ithout prejudice to the tasks and powers of the competent supervisory authority” as outlined in the first line of Article 41(1). This entails that the crucial role played by competent supervisory authorities play to enforce the GDPR cannot be undermined or sidecasted by an accredited monitoring body ensuring compliance with a code of conduct for a specific sector or processing activity.
[edit | edit source]
The GDPR requires that the competent supervisory accredit a monitoring body before it can perform its task according to the code of conduct. This is clear from the wording of Article 41(1).
Article 41(1) does not define accreditation. Nonetheless, Article 41(2) provides a criterion against which a supervisory authority will assess the suitability of the monitoring body to ensure compliance with the relevant code of conduct. It is uncertain whether a monitoring body which complies with the criteria in Article 41(2) may nonetheless see its accreditation refused: there is little precision as to whether this criterion is exhaustive or not in the GDPR and the EDPB Guidelines. However, due to the wording of the Article, “may be accredited”, it is possible to argue that certain competent supervisory authorities can decide to be more strict and require additional criterion to be fulfilled.
In any case, the following criteria must be fulfilled as a baseline. It is the task of the code owners to demonstrate that their chosen monitoring body fulfils the following criteria.
Demonstrated expertise.[edit | edit source]
It is clear from Article 41(1) that the body must have an “appropriate level of expertise” in the subject-matter of the code of conduct it aims to ensure effective compliance with.
This is also a requirement of the accreditation process as specified in Article 41(1)(a): “may be accredited... where that body has: / (a) demonstrated its independence and expertise”.
The threshold for this level of expertise is: “to the satisfaction of the competent supervisory authority”. Therefore, it is possible for there to be divergences between Member States. However, the EDPB provides some guidance as to what this entails. For example, it clarifies that the monitoring body should show that it has knowledge of, and past experience in, the sector targeted by the code of conduct. Similarly, the monitoring body should demonstrate an indepth understanding of data protection law as applicable to the type of processing at stake in the code of conduct. Experience monitoring compliance is also recommended.
Demonstrated independence.[edit | edit source]
Article 41(1)(a) also requires that the monitoring body be independent. According to the EDPB Guidelines, this requirement for accreditation refers to the monitoring body’s “impartiality of function from the code members and the profession, industry or sector” at stake. Additionally, the monitoring body should be independent from the code owners.
The Guidelines also provides some suggestions of areas that can be used to demonstrate independence. These are only examples and are non-exhaustive:
- independent funding;
- independence in the appointment of the monitoring body’s staff and management structure, such as though “informational barriers” or “separate reporting management structures”;
- independence in its processes for making decisions, with the willingness to impose sanctions for non-compliance with the code; and/or
- independence in the organisational structure of the monitoring body.
The requirement of independence evidently applies regardless of whether a internal or external monitoring body is chosen by the code owners.
Again, the threshold for this level of independence is “to the satisfaction of the competent supervisory authority”. Therefore, it is possible for there to be divergences between Member States. However, the EDPB provides some guidance in that respect: for example, the monitoring body should be able to demonstrate that it is and will act without instructions or fear of reprimand from third parties. Similarly, it must be able to show that it has implemented safeguards so as to mitigate any risk with regards to its impartiality.
Established procedures for assessing controllers and processors.[edit | edit source]
The monitoring body must also have procedures in place that enable them to (i) assess whether the controllers and processors are eligible to apply the code of conduct, as well as (ii) ensure their compliance with it and (iii) review the operation of the code. These three requirements must be satisfied before a monitoring body can be accredited according to Article 41(1)(b). Although the Article only refers to “procedures” and not “structures”, the EDPB has interpreted the paragraph as including both.
The EDPB also interprets this provision to mean that “comprehensive vetting procedures” are required to assess whether the controllers and processors concerned can be considered as formally adhering to the code of conduct. The Guidelines provide suggestions of what these vetting procedures may look like:
- randomised audits (these carry even more weight if published);
- inspections on a regular basis (e.g. annually);
- use of reports; and/or
- use of questionnaires.
However, this is not a comprehensive list as bodies seeking accreditation may adopt any procedure or structure that addresses the three requirements above.
The EDPB notes that the established procedures must be supported by sufficient monetary and human resources to be implemented effectively in reality.
Mechanisms for periodical reviews.[edit | edit source]
As mentioned in the section above, Article 41(2)(b) requires that the monitoring body review the code of conduct. For this to be effectively achieved, the monitoring body must establish a procedure for reviewing the code of conduct, including its relevancy and its contribution to “the proper application of the GDPR”.
Established procedures and structures for complaints handling.[edit | edit source]
Additionally, Article 41(1)(c) stipulates that the monitoring body must have clear procedures and structures to address complaints about infringements or poor implementation of the code by a controller or processor.
To achieve this, sufficient resources are crucial. Additionally, powers are necessary, as well as the willingness to impose corrective measures such as the suspension of a membership to the code of conduct.
The handling of the complaint, through procedures and structures, must also be transparent to the data subject and the general public, according to Article 41(1)(c). This entails “publicly accessible” processes for complaints. It may also imply, where relevant, communication to concerned parties and supervisory authorities.
No conflict of interests.[edit | edit source]
Article 41(2)(d) makes it clear that the code owners must demonstrate that the designated monitoring body can perform its tasks and duties without any conflict of interests.
The EDPB specifies that the code owners must do so by providing evidence that there are effective safeguards to ensure that the monitoring body “will not engage with an incompatible occupation”. As with the independence requirement mentioned above, this entails that there should be no direct or indirect external influence guiding the body’s actions.
Submitting the draft criteria for accreditation to the EDPB.
According to Article 41(3) GDPR, the competent supervisory authority in charge of assessing whether the monitoring body satisfies the accreditation criteria must themselves submit the “draft criteria for accreditation” to the EDPB in line with the consistency mechanism (Article 63 GDPR).[M1]
Role of the monitoring body.[edit | edit source]
The role that a monitoring body plays can be understood from Article 41(4) GDPR. This role is interpreted “[w]ithout prejudice to the tasks and powers of the competent supervisory authority and the provisions of Chapter VIII”.
Taking action to address infringements of the code.[edit | edit source]
The monitoring body is primarily tasked with ensuring compliance with the code of conduct. Article 41(4) outlines that it “shall” take action. The Article itself suggests possible sanctions to apply against an infringing code member: “suspension or exclusion of the controller or processor concerned from the code”.
[edit | edit source]
Under Article 41(4) GDPR, a monitoring body has an obligation to communicate with the supervisory authorities of any action it takes in the event of an infringement. It must also provide the reasoning behind this action.
The EDPB Guidelines suggest that the requirement for monitoring bodies should be considered a criterion for accreditation. However, given that this obligation does not fall within the list of requirements to guarantee accreditation found in Article 41(2), it is argued that it appears more as an ex post obligation of a monitoring body than a criterion for the ex ante accreditation process. Hence, this aspect of Article 41 GDPR is part of the analysis on the role of the body.
Revoking accreditation.[edit | edit source]
Article 41(5) stipulates that the competent supervisory authority which approved the monitoring body may also revoke this accreditation. This occurs when the conditions for accreditation are not fulfilled anymore. Additionally, revocation of the accreditation also remedies any infringement of the GDPR by the monitoring body. According to the EDPB, the code owners must have provided for such a revocation. Additionally, due to the severe consequences (e.g. the suspension of the code of conduct for absence of a monitoring body), the competent supervisory authority must give the monitoring body the opportunity to remedy the concern identified.
It is uncertain whether the competent supervisory authority must cooperate with the Board when considering revoking the accreditation, as it does in the context the draft criteria for accreditation (Article 41(3), see section 4.1.4. above).
[edit | edit source]
As Article 41(6) clearly lays out, the Article “shall not apply to processing carried out by public authorities and bodies”.
 Irene Kamara, “Article 41. Monitoring of approved codes of conduct” in Christopher Kuner, Lee A. Bygrave, Christopher Docksey, and and Laura Dreachsler (eds), The EU General Data Protection Regulation (GDPR) – A Commentary (Oxford University Press 2020) 727.
 Articles 40 and 41 GDPR are connected. The former concerns the drawing up of codes of conduct whereas the latter concerns the monitoring of the application of those codes by appropriate bodies.
 EDPB, “Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679”, adopted on 4 June 2019 after public consultation, rev.02, 5.
 ibid 22.
 ibid 21.
 ibid 21.
 ibid 23.
 ibid 21.
 ibid 22.
 ibid 22.
 i.e. that they operate within the sector target by the code, or their conduct targeted processing activities.
 ibid 23.
 Resources necessary are proportionate to the number of code members and the risk associated with this particular sector. See ibid 23.
 In light of any sector-specific, industry and/or technological developments.
 EDPB (n3) 25.
 ibid 24.
 ibid 24.
 ibid 23.
 ibid 24-25.
 ibid 26.
Decisions[edit | edit source]
→ You can find all related decisions in Category:Article 41 GDPR