Guidelines 01/2019 on Codes of Conduct and Monitoring Bodies under the GDPR

Section 6.4  Provides sufficient safeguards

39. A code should also meet the requirements of Article 40 (5). Approval will only be forthcoming when it is determined that a draft code provides sufficient appropriate safeguards. Codes owners will need to appropriately satisfy a CompSA that their code contains suitable and effective safeguards to mitigate the risk around data processing and the rights and freedoms of individuals. It will be a matter for the code owners to provide clear evidence showing that their code will meet these requirements.

For example, in ‘high risk’ processing activities such as the large scale processing of children’s or health data, profiling or systematic monitoring, it would be expected that the code would contain more demanding requirements upon controllers and processors to reflect an adequate level of protection. Additionally, code owners may benefit from carrying out a more extensive consultation as per Recital 99 of the GDPR to underpin a code involving the processing of such high risk areas.