Guidelines 01/2019 on Codes of Conduct and Monitoring Bodies under the GDPR

SECTION 4  WHAT ARE THE BENEFITS OF CODES?

11. Codes represent an opportunity to establish a set of rules which contribute to the proper application of the GDPR in a practical, transparent and potentially cost effective manner that takes on board the nuances for a particular sector and/or its processing activities. In this regard codes can be drawn up for controllers and processors taking account of the specific characteristics of processing carried out in certain sectors and the specific needs of micro, small and medium enterprises. They have the potential to be an especially important and beneficial tool for both SMEs and micro enterprise businesses by providing a mechanism which allows them to achieve data protection compliance in a more cost effective way.

For example, micro enterprises involved in similar health research activities could come together via their relevant associations and collectively develop a code in respect of their collection and processing of health data rather than attempting to carry out such comprehensive data protection analysis on their own. Codes will also benefit supervisory authorities by allowing them to gain a better understanding and insight of the data processing activities of a specific profession, industry or other sector.

12. Codes can help controllers and processors to comply with the GDPR by governing areas such as fair and transparent processing, legitimate interests, security and data protection by design and default measures and controller obligations. Codes are accessible to all processing sectors and can be drafted in as narrow or as wide-ranging a manner as is be fitting that particular sector, provided that the code contributes to the proper and effective application of the GDPR.

For example, approval could be sought for a set of rules in respect of how a specific charitable sector would ensure its processing arrangements were fair and transparent. Alternatively, the specific charitable sector could decide to draft a code, which incorporates and properly applies a multitude of different provisions under the GDPR to cover all their processing activities, from the lawful basis for the collectionof personal data to the notification of personal data breaches.

13. Codes can provide a degree of co-regulation and they could decrease the level of reliance that controllers and processors may sometimes place upon data protection supervisory authorities to provide more granular guidance for their specific processing activities.

14. Codes can provide a degree of autonomy and control for controllers and processors to formulateand agree best practice rules for their given sectors. They can provide an opportunity to consolidate best practice processing operations in specific fields. They can also become a vital resource that businesses can rely upon to address critical issues in their processing procedures and to achieve better data protection compliance.

15. Codes can provide much needed confidence and legal certainty by providing practical solutions to problems identified by particular sectors in relation to common processing activities. They encourage the development of a collective and consistent approach to the data processing needsof a particular sector.

16. Codes can be an effective tool to earn the trust and confidence of data subjects. They can address a variety of issues, many of which may arise from concerns of the general public or even perceived concerns from within the sector itself, and as such constitute a tool for enhancing transparency towards individuals regarding the processing of their personal data.

For example, in the context of processing health data for research purposes, concerns over the appropriate measures to be adopted in order to promote compliance with the rules applying to the processing of sensitive health information could be allayed by the existence of an approved and detailed code. Such a code could outline in a fair and transparent manner the following:

• the relevant safeguards to be applied regarding the information to be provided todata subjects;

• relevant safeguards to be applied in respect of the data collected from third parties;

• communication or dissemination of the data;

• the criteria tobe implemented to ensure respect for the principle of data minimisation;

• the specific security measures;

• appropriate retention schedules; and

• the mechanisms to manage the data as a result of the exercise of data subjects’ rights (As per Articles 32 and 89 of the GDPR)

17. Codes may also provide to be a significant and useful mechanism in the area of international transfers. New provisions in the GDPR allow third parties to agree to adhere to approved codes in order to satisfy legal requirements to provide appropriate safeguards in relation to international transfers of personal data to third countries. Additionally, approved codes of this nature may result in the promotion and cultivation of the level of protection which the GDPR provides to the wider international community while also permitting sustainable legally compliant international transfers of personal data. They may also serve as a mechanism which further develops and fosters data subject trust and confidence in the processing of data outside of the European Economic Area.

18. Approved codes have the potential to act as effective accountability tools for both processors and controllers. As outlined in Recital 77 and Article 24 (3) of the GDPR, adherence to an approved code of conduct is envisaged, amongst others, as an appropriate method for a data controller or processor to demonstrate compliance with regard to specific parts or principles of the Regulation or the Regulation as a whole. Adherence to an approved code of conduct will also be a factor taken into consideration by supervisory authorities when evaluating specific features of data processing such as the security aspects, assessing the impact of processing under a DPIA or when imposing an administrative fine. In case of a breach of one of the provisions of the Regulation, adherence to an approved code of conduct might be indicative of how comprehensive the need is to intervene with an effective, proportionate, dissuasive administrative fine or other corrective measure from the supervisory authority.