The European Data Protection Board (the “EDPB”) recently adopted its Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 (the “Guidelines”). The Guidelines aim to provide practical guidance with respect to Articles 40 and 41 of the EU General Data Protection Regulation (“GDPR”). In particular, the Guidelines intend to clarify the rules and procedures for the submission, approval and publication of codes of conduct.
Admissibility of a Draft Code
There are a number of conditions to be met before the competent Supervisory Authority (the “CompSA”) can assess and review a draft code of conduct. The draft code of conduct must, among other qualifications: (1) contain an explanatory statement and supporting documentation on the purpose and scope of the code of conduct, and how it will facilitate the application of the GDPR to the defined sector; (2) be submitted by a(n) (consortium of) association(s) or other bodies representing categories of data controllers or processors (the “code owner”); (3) clearly define the scope of the processing activities it covers, categories of data controllers or processors it governs and the territorial scope of the code; (4) identify the CompSA that will review the draft code; (5) include a mechanism to oversee the compliance of the code’s adherents to the provisions of the code; (6) identify a monitoring body, which is accredited by the CompSA, and mechanisms allowing compliance monitoring; and (7) contain information regarding the consultation carried out with the relevant stakeholders prior to adopting the code of conduct.
Criteria for Approving Codes of Conduct
Code owners must be able to demonstrate that their code contributes to the proper application of the GDPR, and in particular, that the code: (1) meets or addresses a particular need or data protection issues specific to the concerned sector or processing activity; (2) facilitates the application of the GDPR; (3) specifies the application of the GDPR by providing sufficiently clear and effective solutions to address particular data protection areas and issues in the specific sector to which the code applies; (4) provides suitable and effective safeguards to mitigate the risk to data processing and the rights and freedoms of individuals; and (5) provides effective mechanisms allowing appropriate monitoring of the rules (e.g., regular audits and reporting requirements, concrete sanctions and remedies in the case of a violation of the code) and identifies a monitoring body.
Submission, Admissibility and Approval Process
National Code. Upon submission of the draft code of conduct, the CompSA conducts the preliminary assessment. If the outcome of the preliminary assessment is positive, the CompSA further reviews its content and delivers an opinion, within a reasonable period of time, to either refuse the code of conduct or approve it. In the latter scenario, the CompSA must register and publish the code of conduct. In addition, the EDPB will make all approved codes publicly available.
Transnational Code. A transnational code relates to processing activities in more than one Member State. The draft code of conduct must be submitted to the CompSA that acts as the principal authority for the approval of the code. Upon submission, the CompSA proceeds with the preliminary assessment. The CompSA also notifies the concerned supervisory authorities (“SAs”) that a code was submitted and cooperates with them. If the outcome of the preliminary assessment is positive, the CompSA notifies the code owners and the concerned SAs of its decision and seeks (maximum two) co-reviewers. Co-reviewers assist the CompSA in assessing the draft code. The co-reviewers’ comments are taken into consideration by the CompSA when carrying out its assessment. The CompSA makes the final determination as to whether the draft code should be submitted to the EDPB. If the CompSA’s decision is to approve the draft code, the CompSA circulates the draft approval to all concerned SAs. Concerned SAs have 30 days to respond. The opinion of the EDPB is communicated to the CompSA and, on that basis, the CompSA assesses whether it will maintain or amend its draft decision. The EU Commission may decide via an implementing act that an approved transnational code of conduct will be valid within the EU.
Engagement
In the Guidelines, the EDPB emphasizes that the assessment process must not be used to further consult on the provisions of the draft code with the CompSA. Code owners should liaise and cooperate with the SAs before submitting a code for approval. Code owners must also be available to answer questions in respect of their draft code within a reasonable period of time. To that end, a single point of contact should be provided to the CompSA.
Monitoring and Enforcement of the Code of Conduct
To be approved, a code of conduct must identify a monitoring body accredited by the CompSA as being able to monitor the code. CompSAs will submit their requirements for accreditation to the EDPB.
To be accredited, a monitoring body must, among other qualifications: (1) be independent; (2) exercise its tasks free of any conflict of interests; (3) have sufficient expertise to carry out its role in an effective manner; (4) have appropriate governance structures and procedures allowing it to assess the eligibility of controllers and processors to apply the code, monitor compliance with the code’s provisions and review the code’s operation; (5) establish effective complaints handling procedures; (6) communicate efficiently with the CompSA and other relevant SAs; and (7) adopt appropriate review mechanisms. The CompSA can revoke the accreditation at any time. Such revocation may suspend or permanently withdraw the code of conduct.
The Guidelines also include three Appendices regarding: (1) the distinction between national and transnational codes; (2) the criteria to take into account when choosing a CompSA; and (3) a checklist for submission of a draft code to the CompSA.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code