Guidelines 01/2019 on Codes of Conduct and Monitoring Bodies under the GDPR

Section 6.5  Provides mechanisms which will allow for effective oversight

40. As per Article 40(4) of the GDPR, a code requires the implementation of suitable mechanisms to ensure that those rules are appropriately monitored and that efficient and meaningful enforcement measures are put in place to ensure full compliance. A code specifically needs to identify and propose structures and procedures which provide for effective monitoring and enforcement of infringements. A draft code will also need to identify an appropriate body which has at its disposal mechanisms to enable that body to provide for the effective monitoring of compliance with the code. Mechanisms may include regular audit and reporting requirements, clear and transparent complaint handling and dispute resolution procedures, concrete sanctions and remedies in cases of violations of the code, as well as policies for reporting breaches of its provisions.

41. A draft code will be required to have a monitoring body where it involves processing carried outby non-public authorities and bodies. In essence, a code must not only consider the contents of rules applicable to that sector’s processing activity, but it must also implement monitoring mechanisms which will ensure the effective application of those rules. A draft code could successfully propose a number of different monitoring mechanisms where there are multiple monitoring bodies to carry out effective oversight. However, all proposed monitoring mechanisms as to how to give effect to adequate monitoring of a code will need to be clear, suitable, attainable, efficient and enforceable (testable). Code owners will need to set out the rationale and demonstrate why their proposals for monitoring are appropriate and operationally feasible.