
EDPB provides further insight into GDPR Codes of Conduct

  • Ireland
  • Privacy, data protection and cybersecurity

10-06-2020

The European Data Protection Board (“EDPB”), the body tasked with ensuring consistent application of the General Data Protection Regulation 2016/679 (“GDPR”) across Europe, recently published its 2019 Annual Report (the “Report”). The Report provides insight into guidelines on Codes of Conduct for the application of the GDPR (“Codes”).

1. What are Codes of conduct?

The Report provides that Codes are a mechanism which can be used to assist organisations in demonstrating their GDPR compliance. They aim to establish a set of rules which contribute to the proper application of the GDPR in a practical and transparent manner, taking on board the nuances of a particular sector and its processing activities. Codes cover topics such as fair and transparent processing, legitimate interests pursued by controllers in specific contexts, the collection of personal data, the pseudonymisation of personal data, the information provided to individuals and the exercise of individuals’ rights, the information provided to and the protection of children, technical and organisational measures, data protection by design and by default, security measures, breach notification, data transfers outside the EU and dispute resolution procedures.

2. Are there any Guidelines for Codes?

In 2019, the EDPB adopted Guideline 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 (the “Guidelines”). The aim of the Guidelines is to provide practical guidance and interpretative assistance in relation to the application of GDPR Articles 40 and 41, which relate to Codes. The Guidelines clarify the procedures and rules involved in the submission, approval and publication of Codes at both national and European level. They set out the minimum criteria required by a Competent Supervisory Authority (“CompSA”) before it agrees to carry out a review and evaluation of a Code. They also set out the factors relating to content to be taken into account when evaluating whether a particular Code provides for and contributes to the proper and effective application of the GDPR.

3. How are Codes developed and approved?

The Guidelines set out the appropriate procedures for how Codes should be developed and approved. The Guidelines provide that Codes should be a tool for trade, professional, representative or not-for-profit bodies (“Code Owners”) to support compliance with data protection issues specific to their sector.

3.1 Admissibility of a draft Code

There are a number of conditions to be met before a CompSA can fully assess and review a Code. The Report provides that the following criteria apply:

  • Every draft Code which is submitted for approval must contain an explanatory statement;
  • A Code must be submitted by a representative;
  • The draft Code must have a defined scope;
  • The draft Code must specify whether it is a national or transnational Code;
  • A draft Code which involves processing activities of private, non-public authorities or bodies must also identify a monitoring body;
  • The Code Owners should confirm and demonstrate that an appropriate level of consultation has taken place with the relevant stakeholders when submitting the Code for approval;
  • Code Owners must provide confirmation that the draft Code is in compliance with applicable national legislation; and
  • Code Owners should comply with the language requirements of the CompSA to whom they will submit their Code.

3.2 Criteria for approving Codes

Code Owners should be able to demonstrate that the draft Code:

  • meets a particular need of that sector or processing activity;
  • facilitates the application of the GDPR;
  • specifies the application of the GDPR;
  • provides sufficient safeguards; and
  • provides effective mechanisms for monitoring compliance with a Code.

3.3 Submission, approval and acceptance (national Codes)

The Report provides the following:

(i) Submission - Code Owners should formally submit their draft Code in either an electronic or written format to the CompSA.

(ii) Acceptance of a Code - If the Code is not accepted on the basis that it fails to meet the criteria for admissibility, the CompSA will respond to the Code Owners in writing outlining the basis for its decision. If the draft Code meets the criteria, the CompSA should write to the Code Owners to confirm this.

(iii) Approval - If the CompSA approves a draft Code, it will be necessary for it to register and publish the Code.

3.4 Submission, acceptance and approval (transnational Codes)

After submission and acceptance, the cooperation procedure takes place.

(i) Cooperation - The CompSA will seek a maximum of two co-reviewers to assist with assessing the draft Code.

(ii) Refusal - If the CompSA decides to refuse to refer a draft Code to the EDPB, the process will come to an end.

(iii) Preparation for submission to the EDPB - If the CompSA aims to approve the draft Code, then, before submission to the EDPB, the CompSA will circulate its draft approval to all concerned Supervisory Authorities (“SAs”).

(iv) The EDPB - The CompSA will communicate the decision to all SAs as per the consistency mechanism procedure. The CompSA will also refer the matter to the EDPB in line with the EDPB’s rules of procedure under the GDPR.

(v) Approval - The opinion of the EDPB will be communicated to the CompSA and it will be a matter for the CompSA as to whether it will maintain or amend its draft decision.

4. What are the accreditation requirements for a monitoring body?

The following are the accreditation requirements for a monitoring body:

  • independence;
  • expertise;
  • appropriate governance structures and procedures;
  • transparent complaints handling; and
  • review mechanisms.

5. When can we expect Irish Codes?

The Report noted that EEA national SAs must request an opinion from the EDPB before adopting any decision on subjects specified by the GDPR as having cross-border implications. This applies when a national SA intends to approve a draft Code relating to processing activities.

The Report noted that the EDPB has already adopted two opinions on SA draft accreditation requirements for a Code monitoring body pursuant to GDPR Article 41. In July 2019, it adopted Opinion 9/2019 on the Austrian SA’s draft. The EDPB agreed that all Codes covering non-public authorities and bodies are required to have accredited monitoring bodies in accordance with the GDPR.

In December 2019, the EDPB adopted Opinion 17/2019 on the UK SA’s draft. In this Opinion, the EDPB proposed some changes to the draft accreditation requirements in order to ensure consistent application of the accreditation of monitoring bodies.

The Irish Data Protection Commission (the “DPC”) has also recently requested a formal opinion of the EDPB on its draft accreditation criteria for independent monitoring bodies for Codes and its draft additional accreditation requirements for Certification bodies. In a public statement on 7 February 2020, the DPC stated that it anticipated that this process would be concluded by early Q2 2020, from which point it would be encouraging applications for Certification schemes and Codes. In the meantime, the DPC is ready to engage with stakeholders during their design and specification of Codes and Certification schemes.

A draft or proposal for a Code may be sent to the DPC at the following email address: CodesOfConduct@dataprotection.ie. Codes can only be accepted from associations or other bodies representing categories of controllers or processors.

For further information on this topic please contact

Marie McGinley, Partner and Head of IP, Technology & DP - mariemcginley@eversheds-sutherland.ie

Neasa Ní Ghráda, Senior Associate in IP, Technology & DP - neasanighrada@eversheds-sutherland.ie