Codes of conduct

Codes of conduct as outlined in Articles 40 and 41 of the GDPR are sets of rules that assist different sectors in applying data protection standards to their specific processing activities. The purpose of a code of conduct is to develop a standard set of rules that will apply across several organisations, to ensure that there is a consistent approach in dealing with personal data. It provides a mechanism that gives clarity to all concerned as to how a potentially problematic area can be resolved while still complying with data protection legislation. A sector specific code could benefit many State and private sector agencies, interest groups, representative bodies and SMEs.

An approved code of conduct is one of the appropriate means for a data controller or processor to demonstrate compliance with the GDPR. Additionally, an approved code of conduct, once given legal effect by the European Commission, may be used as a safeguard to facilitate the transfer of personal data to a third country or an international organisation (on condition that enforceable data subject rights and effective legal remedies are also available) where an adequacy decision is not available.

A code of conduct may be submitted to the DPC via the following email address:

Codes will only be accepted from associations or other bodies representing categories of controllers or processors.

The EDPB (formerly the Article 29 Working Party) is drafting guidelines in relation to codes of conduct under Articles 40 and 41 that will provide further clarity to the process.