Guidelines 01/2019 on Codes of Conduct and Monitoring Bodies under the GDPR
SECTION 4 WHAT ARE THE BENEFITS OF CODES?
11. Codes represent an opportunity to establish a set of rules which contribute to the proper application of the GDPR in a practical, transparent and potentially cost effective manner that takes on board the nuances for a particular sector and/or its processing activities. In this regard codes can be drawn up for controllers and processors taking account of the specific characteristics of processing carried out in certain sectors and the specific needs of micro, small and medium enterprises. They have the potential to be an especially important and beneficial tool for both SMEs and micro enterprise businesses by providing a mechanism which allows them to achieve data protection compliance in a more cost effective way.
For example, micro enterprises involved in similar health research activities could come together via their relevant associations and collectively develop a code in respect of their collection and processing of health data rather than attempting to carry out such comprehensive data protection analysis on their own. Codes will also benefit supervisory authorities by allowing them to gain a better understanding and insight of the data processing activities of a specific profession, industry or other sector.
12. Codes can help controllers and processors to comply with the GDPR by governing areas such as fair and transparent processing, legitimate interests, security and data protection by design and default measures and controller obligations. Codes are accessible to all processing sectors and can be drafted in as narrow or as wide-ranging a manner as befits that particular sector, provided that the code contributes to the proper and effective application of the GDPR.
For example, approval could be sought for a set of rules in respect of how a specific charitable sector would ensure its processing arrangements were fair and transparent. Alternatively, the specific charitable sector could decide to draft a code which incorporates and properly applies a multitude of different provisions under the GDPR to cover all their processing activities, from the lawful basis for the collection of personal data to the notification of personal data breaches.
13. Codes can provide a degree of co-regulation and they could decrease the level of reliance that controllers and processors may sometimes place upon data protection supervisory authorities to provide more granular guidance for their specific processing activities.
14. Codes can provide a degree of autonomy and control for controllers and processors to formulate and agree best practice rules for their given sectors. They can provide an opportunity to consolidate best practice processing operations in specific fields. They can also become a vital resource that businesses can rely upon to address critical issues in their processing procedures and to achieve better data protection compliance.
15. Codes can provide much needed confidence and legal certainty by providing practical solutions to problems identified by particular sectors in relation to common processing activities. They encourage the development of a collective and consistent approach to the data processing needs of a particular sector.
16. Codes can be an effective tool to earn the trust and confidence of data subjects. They can address a variety of issues, many of which may arise from concerns of the general public or even perceived concerns from within the sector itself, and as such constitute a tool for enhancing transparency towards individuals regarding the processing of their personal data.
For example, in the context of processing health data for research purposes, concerns over the appropriate measures to be adopted in order to promote compliance with the rules applying to the processing of sensitive health information could be allayed by the existence of an approved and detailed code. Such a code could outline in a fair and transparent manner the following:
the relevant safeguards to be applied regarding the information to be provided to data subjects;
relevant safeguards to be applied in respect of the data collected from third parties;
communication or dissemination of the data;
the criteria to be implemented to ensure respect for the principle of data minimisation;
the specific security measures;
appropriate retention schedules; and
the mechanisms to manage the data as a result of the exercise of data subjects’ rights (as per Articles 32 and 89 of the GDPR).