Although sector-specific data protection codes of conduct were encouraged in Europe under the Data Protection Directive (Directive), we did not see much progress in this area until a few years ago. However, now that the General Data Protection Regulation (GDPR) has replaced the Directive, the benefits of codes of conduct, especially for small to medium businesses (SMEs), are undeniable:
Codes of conduct help businesses to achieve better data protection compliance in a cost effective way and earn customer trust and confidence. By adhering to a code of conduct, organisations may be able to demonstrate their compliance with various obligations under the GDPR, as required under Article 30.
The main improvement under the GDPR, however, is that third parties are now able to contractually agree to adhere to codes of conduct in order to satisfy the legal requirement to provide appropriate safeguards in relation to international transfers of personal data to third countries. The international data transfer feature under the GDPR in theory enables businesses to create a barrier free environment in which international data transfers are a matter of course.
Given these benefits, we expect to see a significant uptake trade associations, representative organizations, sectoral organisations and interest groups.
Helpfully, for those bodies now wishing to put in place a code of conduct, the GDPR is more prescriptive about data protection codes of conduct than the Directive was, suggesting specific areas for the codes to govern and emphasising that each code should be tailored to a code-owner’s specific sector and take into account enterprise size.
The GDPR is also clearer on the requirement of enforcement mechanisms, approvals of codes by DPAs, registration and publication of approved codes, and even promotion of such codes. Arguably of greatest significance is the fact that approval from the DPA or European Data Protection Board (EDPB) is now mandatory for all codes of conduct. All codes previously approved will also need to be reviewed and re-evaluated in line with the requirements of the GDPR and then resubmitted for approval. sufficient appropriate safeguards.
On 12 February 2019, the EDPB published, for public consultation, draft guidelines on codes of conduct under the GDPR intended to “support and facilitate “code owners” in drafting, amending or extending codes for their particular processing sector”. Code owners who intend to seek approval for a code should take note of these guidelines in order to ensure they understand the process, requirements and thresholds required for approval.
Specifically, the draft guidelines propose practical guidance and interpretative assistance by:
- clarifying the procedures and the rules involved in the submission, approval and publication of codes at both a National and European level;
- setting out the minimum criteria required by a Competent Supervisory Authority (i.e. a DPA) to carry out an in depth review and evaluation of a code;
- setting out the factors relating to the content to be taken into account when evaluating whether a particular code provides and contributes to the proper and effective application of the GDPR; and
- setting out the requirements for the effective monitoring of compliance with a code.
Notably absent from these guidelines, however, is guidance on drafting codes of conduct as a tool for transfers of data (as per Article 40(3) of the GDPR). We await separate guidance from the EDPB on this.