Codes of conduct
What are Codes of Conduct?
Codes of Conduct, under the GDPR, are voluntary sets of rules that assist members of that Code with data protection compliance and accountability in specific sectors or relating to particular processing operations.
Codes can help organisations to ensure they follow best practice and rules designed specifically for their sector or processing operations, thus enhancing compliance with data protection law. They are developed and managed by an association or other body (the ‘Code Owner’) which is representative of a sector (or category of data controllers or processors), with the expert and sectoral knowledge of how to enhance data protection in their area.
A GDPR ‘Code of Conduct’ is more than just a guidance or best practice document, and it must materially specify or enhance the application of data protection law to a certain sector or processing activity – not merely be a restatement of the GDPR. It will take time, consideration, and effort to develop, approve, and ensure the ongoing monitoring of a Code of Conduct, the details of which will be discussed in more detail below.
How are Codes of Conduct developed and approved?
Codes of Conduct should be a tool for Code Owners – such as trade, professional, representative, or not-for-profit bodies – to support compliance in relation to data protection issues identified in, or specific to, their sector or the types of processing their members engage in. Members will be able to sign up to an approved Code of Conduct to enhance and demonstrate their compliance with data protection legislation.
It is strongly advised that prospective Code Owners engage with the DPC informally and at an early stage before submitting a draft Code, to ensure that the minimum requirements for the submission of a Code have been met and to increase the chances of a Code being successfully developed and approved.
After a period of informal engagement with the DPC, a Code Owner may formally submit a draft Code if they can demonstrate that:
- the Code meets a particular need;
- the Code facilitates and specifies the application of the GDPR;
- the processing and territorial scope of the Code has been clearly defined;
- they are an effective representative body;
- they understand the needs of their members;
- they have carried out sufficient consultation with relevant stakeholders; and
- the Code provides sufficient safeguards.
For all Codes other than those only applying to the public sector, the draft Code must also identify a Monitoring Body and contain effective mechanisms which enable that body to carry out its monitoring functions (as discussed further below).
Codes of Conduct can either be ‘national Codes’ (which cover processing activities in Ireland) or ‘transnational Codes’ (which cover processing activities in more than one Member State). For national Codes, the DPC will draft an opinion on the Code, outlining the basis for the decision to either approve or reject the draft Code. Code Owners may formally re-submit an updated draft Code at a later stage if they choose. For transnational Codes, once the DPC is satisfied that a Code can be considered for approval, it will then go for review to the European Data Protection Board (EDPB), made up of the data protection authorities of all Member States, which will jointly assess and decide on the approval of the transnational Code.
A draft or proposal for a Code of Conduct may be sent to the DPC via the following email address: CodesOfConduct@dataprotection.ie. Codes can only be accepted from associations or other bodies representing categories of controllers or processors.
What is the role of a monitoring body and how are they accredited?
Although the DPC remains ultimately responsible for the application and enforcement of the GDPR and data protection law more generally, the idea of Codes of Conduct is that they specify and enhance the application of the GDPR, and will therefore have a specified Monitoring Body to carry out this important function.
A ‘Monitoring Body’ refers to a body/committee or a number of bodies/committees (internal or external to the Code Owners) who carry out the monitoring function to ascertain and assure that the Code is complied with by the members, as per Article 41 GDPR. The identified Monitoring Body or Bodies must have the appropriate standing to meet the requirements of being fully accountable in their role. To this end, every Monitoring Body has to be accredited by the competent supervisory authority (in Ireland, the DPC) according to Article 41(1) GDPR.
In order to be accredited it must be demonstrated that the Monitoring Body meets certain requirements, as set out in Article 41 GDPR, in the EDPB guidance on this topic, and in the Irish National Accreditation Requirements for Monitoring Bodies. These accreditation requirements are a more detailed set of requirements which must be satisfied before the DPC will accredit a Monitoring Body.
Submissions or questions related to the accreditation of a Monitoring Body may be sent to the DPC via the following email address: CodesOfConduct@dataprotection.ie.
Where can I find more information on Codes of Conduct?
The EDPB (formerly the Article 29 Working Party) has drafted detailed guidelines in relation to the rules concerning both Codes of Conduct and Monitoring Bodies, under Articles 40 and 41 GDPR, that provide further clarity on the process:
EDPB Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 - version adopted after public consultation