Guidelines 01/2019 on Codes of Conduct and Monitoring Bodies under the GDPR

SECTION 3  WHAT ARE CODES?

7. GDPR codes are voluntary accountability tools which set out specific data protection rules for categories of controllers and processors. They can be a useful and effective accountability tool, providing a detailed description of what is the most appropriate, legal and ethical set of behaviours of a sector. From a data protection viewpoint, codes can therefore operate as a rulebook for controllers and processors who design and implement GDPR compliant data processing activities which give operational meaning to the principles of data protection set out in European and National law.

8. Trade associations or bodies representing a sector can create codes to help their sector comply with the GDPR in an efficient and potentially cost effective way. As provided by the non-exhaustive list contained in Article 40( 2) of the GDPR, codes of conduct may notably cover topics such as:

• fair and transparent processing;

• legitimate interests pursued by controllers in specific contexts;

• the collection of personal data; the pseudonymisation of personal data;

• the information provided to individuals and the exerciseof individuals’ rights;

• the information provided to and the protection of children (including mechanisms for obtaining parental consent);

• technical and organisational measures, including data protection by design and by default and security measures;

• breach notification;

• data transfers outside the EU; or

• dispute resolution procedures.

9. The GDPR in repealing the Data Protection Directive (95/46/EC) provides more specific and detailed provisions around codes, the requirements which need to be met and the procedures involved in attaining approval, as well as their registration, publication and promotion once approved. Those provisions, in conjunction with these guidelines, will help encourage code owners to have a direct input into the establishment of data protection standards and rules for their processing sectors.

10. It is important to note that codes are one of a number of voluntary tools that can be used from a suite of data protection accountability tools which the GDPR offers, such as Data Protection Impact Assessments (DPIAs) and Certification. They are a mechanism which can be used to assist organisations in demonstrating their compliance with the GDPR.