Codes of Conduct and Monitoring Bodies under the GDPR
Guidelines 01/2019 on Codes of Conduct and Monitoring Bodies under the GDPR
SECTION 3 WHAT ARE CODES?
7. GDPR codes are voluntary accountability tools which set out specific data protection rules for categories of controllers and processors. They can be a useful and effective accountability tool, providing a detailed description of what is the most appropriate, legal and ethical set of behaviours of a sector. From a data protection viewpoint, codes can therefore operate as a rulebook for controllers and processors who design and implement GDPR compliant data processing activities which give operational meaning to the principles of data protection set out in European and National law.
8. Trade associations or bodies representing a sector can create codes to help their sector comply with the GDPR in an efficient and potentially cost effective way. As provided by the non-exhaustive list contained in Article 40(2) of the GDPR, codes of conduct may notably cover topics such as:
- fair and transparent processing;
- legitimate interests pursued by controllers in specific contexts;
- the collection of personal data;
- the pseudonymisation of personal data;
- the information provided to individuals and the exercise of individuals’ rights;
- the information provided to and the protection of children (including mechanisms for obtaining parental consent);
- technical and organisational measures, including data protection by design and by default and security measures;
- breach notification;
- data transfers outside the EU; or
- dispute resolution procedures.