Privacy & Information Security Law Blog

On February 22, 2022, the European Data Protection Board (the “EDPB”) adopted its final Guidelines 04/2021 on Codes of Conduct as tools for transfers (the “Guidelines”), following a public consultation that took place in 2021.

Articles 46 of the EU General Data Protection Regulation ( the “GDPR”) provides that data controllers and processors must put in place appropriate safeguards when transferring personal data to third countries, including codes of conduct. Adherence to codes of conduct intended for transfers requires data controllers and processors to make binding and enforceable commitments to apply appropriate safeguards required by the relevant code with respect to personal data transferred to a third country.

The Guidelines aim to clarify rules on the use of codes of conduct as transfer mechanisms, and in particular provide guidance regarding the roles of the different stakeholders involved in the development and adoption of codes of conduct as tools for transfers. The Guidelines complement the EDPB Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679.

Codes of conduct intended for transfers are designed to be used by importing data controllers and processors who are not subject to the GDPR but receive data that is subject to the GDPR. A code of conduct adhered to by an importer in a third country can be relied on by exporting data controllers and processors that are subject to the GDPR in order to comply with their transfer obligations without the need for such controllers and processors themselves to adhere to the code of conduct, provided that a commitment to comply with the code’s obligations when processing the transferred data is included in a binding instrument.

The Guidelines provide a checklist of elements to be covered by transfer codes of conduct, which takes into account the safeguards provided by existing transfer tools (such as the European Commission Standard Contractual Clauses) and the Court of Justice of the European Union ruling in the Schrems II case. Per the Guidelines, codes of conduct intended for transfers must address (1) the GDPR essential principles, rights, and obligations for data controllers and processors, and (2) guarantees specific to the context of the transfers (such as with respect to onward transfers or conflicts of laws in the receiving third countries). With respect to obligations deriving from the Schrems II ruling, the Guidelines provide that a code of conduct intended for transfers must include a warranty that, at the time of adhering to the code, the third-country importing data controller or processor has no reasons to believe that the laws applicable to the processing of personal data in the receiving third country prevent the importing data controller or processor from fulfilling its obligations under the code, as well an obligation to implement supplementary measures to ensure a level of protection for personal data that is adequate in relation to that in the European Economic Area (“EEA”), where necessary.

In order to be adopted, a transfer code of conduct must first be approved by a competent supervisory authority in the EEA. The code’s general validity in the EU must then be recognized by the European Commission by way of an implementing act. Codes that are likely to be used by data controllers or processors from more than one EU Member State would qualify as “transnational codes” and be subject to a specific approval process led by the competent supervisory authority acting as the principal authority for the approval of the code and involving other concerned supervisory authorities.

Read the EDPB Guidelines.