At a glance

  • The GDPR endorses the use of approved codes of conduct and certification mechanisms to demonstrate that you comply.
  • The specific needs of micro, small and medium sized enterprises must be taken into account.
  • Signing up to a code of conduct or certification scheme is not obligatory. But if an approved code of conduct or certification scheme that covers your processing activity becomes available, you may wish to consider working towards it as a way of demonstrating that you comply.
  • Adhering to codes of conduct and certification schemes brings a number of benefits over and above demonstrating that you comply. It can:
    • improve transparency and accountability - enabling individuals to distinguish the organisations that meet the requirements of the law and they can trust with their personal data.
    • provide mitigation against enforcement action; and
    • improve standards by establishing best practice.
  • When contracting work to third parties, including processors, you may wish to consider whether they have signed up to codes of conduct or certification mechanisms.

In brief

Who is responsible for drawing up codes of conduct?

  • Governments and regulators can encourage the drawing up of codes of conduct.
  • Codes of conduct may be created by trade associations or representative bodies.
  • Codes should be prepared in consultation with relevant stakeholders, including individuals (Recital 99).
  • Codes must be approved by the relevant supervisory authority; and where the processing is cross-border, the European Data Protection Board (the EDPB).
  • Existing codes can be amended or extended to comply with the requirements under the GDPR.

What will codes of conduct address?

Codes of conduct should help you comply with the law, and may cover topics such as:

  • fair and transparent processing;
  • legitimate interests pursued by controllers in specific contexts;
  • the collection of personal data;
  • the pseudonymisation of personal data;
  • the information provided to individuals and the exercise of individuals’ rights;
  • the information provided to and the protection of children (including mechanisms for obtaining parental consent);
  • technical and organisational measures, including data protection by design and by default and security measures;
  • breach notification;
  • data transfers outside the EU; or
  • dispute resolution procedures.

What are the practical implications?

If you sign up to a code of conduct, you will be subject to mandatory monitoring by a body accredited by the supervisory authority.

If you infringe the requirements of the code of practice, you may be suspended or excluded and the supervisory authority will be informed. You also risk being subject to a fine of up to 10 million Euros or 2 per cent of your global turnover.

Adherence to a code of conduct may serve as a mitigating factor when a supervisory authority is considering enforcement action via an administrative fine.

Who is responsible for certification mechanisms?

Member states, supervisory authorities, the EDPB or the Commission are required to encourage the establishment of certification mechanisms to enhance transparency and compliance with the Regulation.

Certification will be issued by supervisory authorities or accredited certification bodies.

What is the purpose of a certification mechanism?

A certification mechanism is a way of you demonstrating that you comply, in particular, showing that you are implementing technical and organisational measures.

A certification mechanism may also be established to demonstrate the existence of appropriate safeguards related to the adequacy of data transfers.

They are intended to allow individuals to quickly assess the level of data protection of a particular product or service.

What are the practical implications?

Certification does not reduce your data protection responsibilities.

You must provide all the necessary information and access to your processing activities to the certification body to enable it to conduct the certification procedure.

Any certification will be valid for a maximum of three years. It can be withdrawn if you no longer meet the requirements of the certification, and the supervisory authority will be notified.

If you fail to adhere to the standards of the certification scheme, you risk being subject to an administrative fine of up to 10 million Euros or 2 per cent of your global turnover.

Article 29 Working Party

The Article 29 Working Party includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.

The Article 29 Working Party now expects that guidelines on certification will be adopted in early 2018.

The Article 29 Working Party has adopted guidelines on imposing administrative fines.