Approved codes of conduct
Codes of conduct and certification have been introduced to assist controllers and processors in demonstrating compliance with the requirements of the GDPR.
Codes of conduct
Associations and other bodies representing categories of controllers or processors may prepare codes of conduct to facilitate the effective application of the GDPR, taking account of the specific characteristics of the processing carried out in certain sectors and the specific needs of micro, small and medium size enterprises.
Codes can cover areas including:
- fair and transparent processing
- legitimate interests pursued by controllers in specific contexts
- the collection of data
- exercise of the rights of individuals
- measures to ensure security
- notification of data breaches
- collecting and protecting information about children
Codes must:
- be approved by the supervisory authority
- include provisions to permit the mandatory monitoring of compliance by a designated body, without prejudice to the tasks and powers of the supervisory authority
Certification
The establishment of certification mechanisms, seals and marks will be encouraged by supervisory authorities; certifications will be issued and renewed by an accredited certification body which has an appropriate level of expertise in data protection.
Certification shall be voluntary, via a transparent process, and for a maximum period of 3 years (renewable under the same conditions).
All certification mechanisms, marks and seals will be made publicly available by the European Data Protection Board.
See: Articles 40 - 43 and Recitals 98 - 100 of the GDPR
Processors should also note Article 28(5) and Recitals 81 & 95