Codes of conduct and certification
Codes of conduct
These codes are not the same thing as the codes of conduct and professional practices encouraged by the Italian Personal Data Protection Code in force before the GDPR. Those codes were intended for specific categories of activities, and for some sectors they were never even proposed.
The GDPR introduces codes of conduct as innovative legal instruments. It encourages the drawing up of codes of conduct intended to contribute to the proper application of the GDPR, taking into account the specific features of the different sectors and the specific needs of micro, small and medium-sized enterprises. The GDPR provides that the codes of conduct proposed by associations and other bodies representing categories of controllers and processors shall include at least certain minimum elements.
Before coming into force, the codes shall be approved: the approval process involves the national supervisory authorities, the European Data Protection Board («EDPB») and the Commission, depending on the case (whether the code applies in a single Member State or in more than one). The same process shall be carried out if a code of conduct is amended or extended. Once approved, the codes shall be made publicly available, and the European Data Protection Board or the national supervisory authority, depending on the case, shall keep a register of them.
Adherence to a code of conduct may be produced – by both controllers and processors – as an element to demonstrate compliance with the GDPR.
Certification
The GDPR also encourages the proposal of certification mechanisms and of data protection seals and marks to demonstrate compliance with the GDPR, taking into account the specific features of the different sectors and the specific needs of micro, small and medium-sized enterprises.
Certification is voluntary and does not reduce the responsibility of the controller and the processor for compliance with the GDPR. Certification shall be approved by certification bodies or by the national supervisory authority (depending on its territorial validity); it is issued to the controller or the processor and has a limited period of validity, after which it expires.
The approved certifications shall be made publicly available and collected in a special register.
Adherence to a certification mechanism may be produced – by both controllers and processors – as an element by which to demonstrate compliance with the GDPR.