
GDPR: What You Need to Know About Codes of Conduct

18th March 2021

Frédérique Jos, of law firm and Boardroom partner Kadrant, writes about GDPR and how trade associations and other representative bodies may draw up Codes of Conduct that identify and address data protection issues that are important to their members.

The General Data Protection Regulation (GDPR), which came into force on 25 May 2018, lays out general rules about data protection. The GDPR contains no exemptions for non-profit organisations. Thus associations and trade associations must be able to show that they are compliant with the GDPR.

The principle of accountability is a cornerstone of the GDPR. This implies that an organisation is responsible for complying with all data protection principles and is also responsible for demonstrating compliance. This means, among other things, that they must show which personal data they collect, how they use data, how long they store it and how they secure it. The GDPR provides organisations with a set of tools to help demonstrate accountability. Among them, the implementation of codes of conduct is encouraged.

What are Codes of Conduct?

Codes of Conduct, under the GDPR, are voluntary sets of rules that assist members of that Code with data protection compliance and accountability in specific sectors or relating to particular processing operations. Trade associations and other representative bodies may draw up Codes of Conduct that identify and address data protection issues that are important to their members, such as fair and transparent processing, pseudonymisation or the exercise of individuals’ rights. These Codes can help organisations to ensure they follow best practice and rules designed specifically for their sector or processing operations. Members will be able to sign up to an approved Code of Conduct to enhance and demonstrate their compliance with data protection legislation.

However, a GDPR ‘Code of Conduct’ is more than just a guidance or best practice document, and it must materially specify or enhance the application of data protection law to a certain sector or processing activity – not merely be a restatement of the GDPR. It will take time, consideration, and effort to develop, approve, and ensure the ongoing monitoring of a Code of Conduct.

How are Codes of Conduct developed and approved?

The initiative to implement a Code of Conduct must be carried by associations (so-called “Code Owners”) acting as representatives of a group of stakeholders in a given ecosystem, to agree on an accountability toolbox taking into consideration the practice of such ecosystem.

Codes of Conduct may cover various GDPR topics such as:

  • rules about fair and transparent processing;
  • means and best practice for the collection of personal data;
  • information provided to the public and to data subjects;
  • the use of the legitimate interest as a legal basis, or other available legal bases; and
  • the transfer of personal data from the EU/EEA to third countries or international organisations.

However, as already stated, these codes should not just be a mere copy of the relevant GDPR provisions, and must specifically address issues relating to the specific fields or specific processing operations of the ecosystem represented by the Code Owners. In that regard, the Code Owners are encouraged to consult relevant stakeholders when drawing up, amending or extending their Codes of Conduct. The draft Code shall demonstrate that:

  • the Code meets a particular need;
  • the Code facilitates and specifies the application of the GDPR;
  • the processing and territorial scope of the Code has been clearly defined;
  • they are an effective representative body;
  • they understand the needs of their members;
  • they have carried out sufficient consultation with relevant stakeholders; and
  • the Code provides sufficient safeguards.

The draft Code must also identify a Monitoring Body and contain effective mechanisms which enable that body to carry out its monitoring functions (as discussed further below).

Once the ecosystem has agreed on a draft, the Code Owners may then submit it for approval, either before the competent national supervisory authority (for strictly national processing activities), or to the European Data Protection Board (EDPB) and the European Commission (for transnational processing activities). By definition, any Code of Conduct which would also cover the transfers of data outside of the European Union would be deemed transnational.

For transnational Codes of Conduct, the relevant data protection authority in view of the Code Owner will centralize the process under the one-stop-shop principle of GDPR[1], and will then liaise with its counterparts in other Member States to cooperate in the review and, if necessary, amendment of the draft Code of Conduct.

Further to this consultation process, the draft Code will be submitted to the EDPB for opinion, which will be communicated to the European Commission. The European Commission may then, by way of implementing acts, decide that the approved Code of Conduct has general validity throughout the EU.

What is the role of a monitoring body and how are they accredited?

Frédérique Jos is a member of the Paris and Brussels Bars. She assists SMEs in relation to commercial transactions and disputes, especially Franco-Belgian cross-border matters where she provides practical and tailor-made solutions. Frédérique also works in the area of GDPR and provides assistance with the implementation of data protection rules, including the setting up of compliance programmes for small and medium organisations in the commercial or not-for-profit sector.

Although the relevant data protection authority remains ultimately responsible for the application and enforcement of the GDPR and data protection law more generally, the idea of Codes of Conduct is that they specify and enhance the application of the GDPR, and will therefore have a specified Monitoring Body to carry out this important function.

A ‘Monitoring Body’ refers to a body/committee or a number of bodies/committees (internal or external to the Code Owners) who carry out the monitoring function to ascertain and assure that the Code is complied with by the members. The identified Monitoring Body or Bodies must have the appropriate standing to meet the requirements of being fully accountable in their role. To this end, every Monitoring Body has to be accredited by the competent supervisory authority.

Where can you find more information on Codes of Conduct?

The EDPB has drafted detailed guidelines in relation to the rules concerning both Codes of Conduct and Monitoring Bodies, which provide further clarity on the process. You can find them here.

Benefits of a Code of Conduct

Codes of Conduct offer many benefits to all stakeholders within an ecosystem and beyond:

  • As best practices for a given sector, they act as a guide to achieve and maintain compliance with GDPR requirements;
  • Code Owners, as the central nervous system of a Code of Conduct, can centralize new challenges to their ecosystem and harmonize the way an ecosystem may face evolution in GDPR enforcement;
  • Codes of Conduct can help demonstrate accountability, be it in case of an audit by the Supervisory Authority or third party to the ecosystem as well as for processors to benefit from a presumption of sufficient guarantees; and
  • Adhering to a Code of Conduct projects onto data subjects a corporate culture of data protection and that the companies are processing data in a fair and transparent manner, which will foster trust and confidence from individuals and branding.


[1] The one stop shop mechanism means that if your organisation conducts cross-border data processing, the GDPR will require you to work primarily with the supervisory authority based in the same Member State as your main establishment (usually your EU headquarters) to achieve compliance.
