Approved codes of conduct

Codes of conduct and certification have been introduced to help controllers and processors demonstrate compliance with the requirements of the GDPR.

Codes of conduct

Associations and other bodies representing categories of controllers or processors may prepare codes of conduct to facilitate the effective application of the GDPR, taking account of the specific characteristics of the processing carried out in certain sectors and the specific needs of micro, small and medium-sized enterprises.

Codes can cover areas including:

Codes shall:


Supervisory authorities will encourage the establishment of certification mechanisms, seals and marks, which will be issued and renewed by an accredited certification body with an appropriate level of expertise in data protection.

Certification shall be voluntary, via a transparent process, and for a maximum period of 3 years (renewable under the same conditions).

All certification mechanisms, marks and seals will be made publicly available by the European Data Protection Board.


See: Articles 40 - 43 and Recitals 98 - 100 of the GDPR

Processors should also note Article 28(5) and Recitals 81 & 95