GDPR approved codes of conduct: how the GDPR has changed the role of codes of conduct in EU privacy and data protection and what you need to know about the benefits of codes of conduct and adhering to them (and the consequences of deciding to adhere but not really doing it).
GDPR compliance is first and foremost a matter of being compliant with the GDPR itself but also a matter of being able to demonstrate compliance or, if you are not GDPR compliant in time, at least demonstrating you did all you could and have an actionable plan to be GDPR compliant, although the latter is not what the GDPR text says of course.
As far as the GDPR text concerns you need to be GDPR compliant by May 25th, 2017. There are ample ways to demonstrate General Data Protection Regulation compliance. A look at one that is a bit less known that the most obvious ones: codes of conduct.
Among the better known ways to demonstrate compliance are the fact that you are able to meet fundamental data subject rights or have taken the proper technical and organizational measures as GDPR Recital 78 mentions, referring to internal policies (which also encompasses low-hanging fruit such as GDPR awareness training) and measures you have taken to meet those GDPR principles of data protection by design and by default (which has the necessary impact on how you organize your information management for GDPR compliance and of course on security policies and approaches).
Approved GDPR codes of conduct: explicitly recognized as demonstrators of compliance
GDPR codes of conduct are explicitly covered as ways to demonstrate GDPR compliance but what are they and why do they matter?
Essentially, codes of conduct are ‘promoted’ by the GDPR as ways to not just demonstrate GDPR compliance but also as a token to any stakeholder that your organization is aware of what it needs to do in order to conduct lawful processing of personal data. Codes of conduct are always a good idea but there are more useful in specific circumstances.
Codes of conduct were already present in the predecessor of the GDPR, however they’ve become more important and have their own dedicated GDPR Articles in which they are clearly recognized, along with other methods such as certification, as demonstrators of compliance.
GDPR Recital 77 sums up several guideline methods on the implementation of measures and demonstrators of compliance, both by the data controller and the processor, including approved codes of conduct.
As a reminder: controllers need to make sure there are enough guarantees from the data processors they work with, in the scope of GDPR compliance and personal data protection. So, for processors an approved code of conduct is certainly also a way to say ‘look, here is yet another token of our being dedicated to the protection of data subject rights and our making sure we are OK to work with’. But more about that below.
The essence about approved GDPR codes of conduct is stipulated in GDPR Article 40 and GDPR Article 41, both part of the GDPR’s big Chapter IV, controllers and processors, which also covers data protection by design and by default, the roles of controllers and processors, security of personal data, the data protection impact assessment, prior consultation, the data protection officer and, on top of codes of conduct, certifications in Section 5.
Approved codes of conduct under GDPR: from encouragement to tailored initiatives
GDPR Article 40 first of all encourages the drawing up of codes of conduct which need to contribute to the proper application of the GDPR.
To show that it’s serious, this encouragement is not just done by the GDPR text and the European Commission (EC). Also member states, supervisory authorities and the European Data Protection Board (EDPB) encourage it. So, that’s pretty much everyone involved in the application and enforcement and guidelines regarding GDPR.
Secondly, those codes of conduct ideally should be tailored, at the very least taking into account the typical processing activities and features across various processing sectors and the needs of enterprises with less than 250 employees.
The fact that all these mentioned instances encourage codes of conduct doesn’t mean that they will create them (all) of course. Some supervisory authorities tend to be more active than others, depending on member state, for instance. That also goes for guidelines and for the codes of conduct.
What the GDPR, however, does is also encouraging associations and other bodies who represent categories of controllers or processors to either draft codes of conduct for the organizations they represent themselves or to amend existing codes. For the online industry that includes, for example, associations such as the IAB. For other, industries, it can be others (another example below).
While representative bodies of controllers and processors in similar industries and/or types of data processing can draft such codes of conduct they are advised to include a few things in them as we’ll see.
Moreover, you probably noticed the word ‘approved’ in approved codes of conduct so it isn’t as if all these private sector bodies can just do what they want. That is explained in GDPR Recital 99 where it is advised to, quote “consult relevant stakeholders, including data subjects where feasible, and have regard to submissions received and views expressed in response to such consultations”.
Once a code of conduct is in draft it still needs to be approved by the supervisory authority which is competent in line with Article 55, and looks, among others, if it has sufficient appropriate safeguards and can approve the draft code (or amendment or extension regarding one). If the code of conduct spans across several member states as is the case with our example of cloud infrastructure service providers below, the EDPB also needs to comment and after that the Commission needs to check.
What must be in an (approved) code of conduct under the GDPR?
If that sounds like too much work: it is certainly worth the while and not just for the concerned bodies and associations, the demonstration of compliance for those who adhere to the code of conduct, the concerned controllers and processors in those bodies and associations and so forth. So, do check the opportunity and as a processor or controller the potential relevant approved codes of conduct.
All approved codes of conduct should get the proper attention from the EC (in Legalese, paragraph 10 of our Article 40: ‘The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 9’) and be made publicly available. The latter is the job of the EDPB. By way of a sector-related example of a code of conduct, here is one that has been made for cloud infrastructure services providers (PDF opens) by a body of such providers, known as CISPE. It makes things more tangible.
That brings us back to what such a code of conduct should contain as stipulated in the mentioned GDPR Article 40.
GDPR codes of conduct should contain specifications regarding the application of the GDPR, among others (the GDPR leaves room for more), concerning:
- The principles of fair and transparent processing.
- The legitimate interests pursued by the concerned controllers in specific contexts.
- The collection of the personal data of concerned data subjects.
- The (use of) pseudonymization.
- The information that is provided to the public and to data subjects.
- The exercise of data subject rights.
- The information regarding the special rules that apply for children under the GDPR.
- The measures and procedures with regards to the responsibility of the controller (Article 24) and the principles of data protection by design and by default (Article 25), as well as the security of processing (GDPR Article 32).
- The notification of personal data breaches, both to supervisory authorities and to data subjects.
- The transfer of personal data to third countries or international organizations.
- The various mechanisms for dispute resolution procedures.
Article 40 further contains all the earlier mentioned stipulations regarding approval and so forth. GDPR Article 41, in turn, tackles the monitoring of approved GDPR codes of conduct. More about that below as it does matter.
Benefits of adhering to codes of conduct under the GDPR
However, let’s first go back to the why question of codes of conduct from the perspective of demonstrating compliance and the benefits of adhering to one.
We already mentioned a few earlier: it creates a way to demonstrate compliance to for both controllers and processors and also trust and a level of guarantee among various stakeholders (including controllers and processors amongst each other) that risks have been identified and addressed.
The fact that adhering to an approved code of conduct is a factor in demonstrating compliance isn’t just mentioned in GDPR Recital 77 where other ways of demonstrating compliance are summed up, but also in GDPR Article 32 which states that “adherence to an approved code of conduct as referred to in Article 40….may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article” (with that paragraph 1 covering the appropriate technical and organizational measures by controllers and processors to ensure a level of security appropriate to the risk).
The particularly interesting part for processors is of course in being able to work with controllers. This is even more important if we remember that, as mentioned on our article on data processors, one of the general obligations of processors is to assist the controller by appropriate technical and organizational measures and in ensuring GDPR compliance.
And what is one of the ways to do so and to ‘demonstrate sufficient guarantees’ as is mentioned in GDPR Article 28 which covers everything just mentioned. Paragraph 5: “Adherence of a processor to an approved code of conduct….may be used as an element by which to demonstrate sufficient guarantees”.
Simply put: if controllers use approved codes of conducts and/or expect their processors to adhere to codes of conduct within their market or processing activity those processors who don’t adhere to the required codes of conduct might simply be less considered as potential business partners, plain and simple.
These aren’t certainly the only aspects regarding approved codes of conduct. The reference to the transfer of personal data to third countries or international organizations probably already made you see they play a role in cross-border transfers too, as becomes clear when reading GDPR Article 46 (transfers subject to appropriate safeguards) where in paragraph 2 the GDPR states that these appropriate safeguards, may be provided for, without requiring any specific authorisation from a supervisory authority, by, among others ‘an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights’.
And, let’s not forget it: there is also a brand aspect. Adhering to a code of conduct is about brand values and a promise towards partners and customers as well.
Duties – and risks – of adhering to codes of conduct under the GDPR
The bad news, depending on how you see things: adhering to a code of conduct does come with its obligations of course, how else could it be?
That’s where the previously mentioned Article 41 comes in. An accredited body that monitors compliance with an approved code of conduct does establish procedures and structures to handle complaints regarding infringements of the code itself or the way it has been implemented. And infringements can mean suspension or exclusion (bye bye token of compliance and reliability).
Last but not least the degree in which a controller or processor adheres to “its” code of conduct does play a role when gauging potential administrative fines as you can read in GDPR Article 83 (general conditions for imposing administrative fines) where we again read that among the decisions on imposing an administrative fine and amounts regarding one, is ‘adherence to approved codes of conduct pursuant to Article 40’ and where we also see that infringements regarding the obligations of the monitoring body pursuant to our just mentioned Article 41 can go up to the ‘lower’ of the two maximum fine levels (again: maximum!!!!) of up to 10 000 000 EUR, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
To conclude: adhering to approved GDPR codes of conduct offers many benefits and in several circumstances it might even become a necessity for processors who want to work with controllers that are serious about compliance (and protect themselves as much as they can in the liability scope).
However, while adhering to codes of conduct makes you a more trusted party, helps you demonstrate GDPR compliance and makes cross-border situations easier, you will be monitored to see if you really adhere so it’s not a decision to take lightly.
Top image: Shutterstock – Copyright: TypoArt BS – Vector images illustration – Copyright: TK 1980 – All other images are the property of their respective mentioned owners. Although the content of this article is thoroughly checked we are not liable for potential mistakes and advice you to seek assistance in preparing for GDPR.