
Codes of conduct and certification

Codes of conduct

These codes are not the same thing as the Codes of conduct and Professional Practices encouraged by the Italian Personal Data Protection Code in force before the GDPR. Those codes were intended for specific categories of activities and most of them were not proposed or approved.

The GDPR introduces codes of conduct as innovative legal instruments. It encourages the drawing up of codes of conduct intended to contribute to the proper application of the GDPR, taking into account the specific features of the different sectors and the specific needs of micro, small and medium-sized enterprises.

Associations and other bodies representing categories of controllers and processors may prepare, amend or extend codes of conduct in order to specify the application of the GDPR, such as with regard to:

1. fair and transparent processing (obligations of information to the data subject and principles relating to processing)

2. the legitimate interests pursued by controllers in specific contexts (legal basis for processing)

3. the collection of personal data (data minimisation, as required by the principle of data protection by design and by default and principles relating to processing)

4. the pseudonymisation of personal data (security of processing and principles relating to processing as well as the principle of data protection by design and by default)

5. information provided to the public and to data subjects (on these codes)

6. the exercise of the rights of data subjects

7. information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained

8. the measures and procedures provided to controllers and the measures intended to ensure security of processing

9. the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects

10. the transfer of personal data to third countries or international organisations

11. out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects to lodge a complaint and to bring proceedings before the courts to get an effective judicial remedy (right to compensation).

Before coming into force, the codes shall be approved: depending on the case (whether the code applies in one single Member State or in more than one), the approval process involves national supervisory authorities, the European Data Protection Board («EDPB») and the European Commission.

If the code applies within a single Member State, the supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with the GDPR and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards. If approved, the supervisory authority shall register and publish the code. Monitoring of approved codes of conduct may be carried out by bodies which are accredited by the supervisory authority.

If the code concerns processing activities in several Member States, the supervisory authority shall submit it to the EDPB for an opinion: if the opinion confirms that the code complies with the GDPR, the opinion is submitted to the European Commission, which may, by way of implementing acts, decide that the code of conduct, amendment or extension has general validity within the European Union. In this case, the Commission shall make publicly available the approved codes which have general validity. The EDPB collects all approved codes of conduct, amendments and extensions in a register and makes them publicly available.

Adherence to a code of conduct may be produced – by both controllers and processors – as an element to demonstrate compliance with the GDPR. Adherence is certainly a quality mark of the controller and the processor.

It is essential to highlight that controllers and processors which are not subject to the GDPR may also adhere to a code of conduct, and that adherence can be a useful instrument to provide appropriate safeguards for data transfers to third countries or international organisations.

The EDPB adopted the final version of its guidelines on codes of conduct on 4 June 2019. Following public consultation, points of clarification were included in the text. The aim of these guidelines is to provide practical guidance and interpretative assistance: they help clarify the procedures and the rules involved in the submission, approval and publication of codes of conduct at both national and European level. The guidelines should further act as a clear framework for all competent supervisory authorities, the EDPB and the Commission to evaluate codes of conduct in a consistent manner and to streamline the procedures involved in the assessment process.

Certification

The GDPR also encourages the establishment of certification mechanisms and of data protection seals and marks to demonstrate that processing operations carried out by controllers and processors comply with the GDPR, taking into account the specific features of the different sectors and the specific needs of micro, small and medium-sized enterprises.

Certification is voluntary and does not reduce the responsibility of the controller and the processor for compliance with the GDPR. The certification shall be approved by certification bodies or by the competent supervisory authority.

The certification shall be issued to the controller and the processor for a maximum period of three years and may be renewed under the same conditions, provided that the relevant requirements are still met. The certification shall be withdrawn by the certification bodies (if it is valid in more than one Member State) or by the supervisory authority where the requirements of the certification are not, or are no longer, met.

Adherence to a certification may be produced – by both controllers and processors – as an element to demonstrate compliance with the GDPR. Adherence is certainly a quality mark of the controller and the processor.

The EDPB shall collect all approved certification mechanisms, seals and marks in a register and shall make them publicly available.

Controllers and processors which are not subject to the GDPR may also adhere to a certification mechanism, and adherence can be a useful instrument to provide appropriate safeguards for data transfers to third countries or international organisations.


To learn more, read FAQs or contact me.



Tiziana Minella - Via Vittoria Colonna, 32 - 10155 Torino (TO - Italy) - VAT IT03152590018 - mob. +39 366.4761338 - + 39 338.6626635