Data Protection for Organisations
Code of Conduct
Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:
(a) fair and transparent processing;
(b) the legitimate interests pursued by controllers in specific contexts;
(c) the collection of personal data;
(d) the pseudonymisation of personal data;
(e) the information provided to the public and to data subjects;
(f) the exercise of the rights of data subjects;
(g) the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;
(h) the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32;
(i) the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects;
(j) the transfer of personal data to third countries or international organisations; or
(k) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.
Where the code of conduct concerned is submitted by national associations and other bodies and does not relate to processing activities in several Member States, this Office shall be the cometent authority to provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards. This Office shall register and publish such code.
In those cases where a draft code of conduct relates to processing activities in several Member States, the supervisory authority which is competent pursuant to Article 55 shall, before approving the draft code, amendment or extension, submit it in the procedure referred to in Article 63 to the Board which shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation.
Click here to access the guidelines adopted by the EDPB on codes of conduct.​​
Accreditation Requirements for Code of conduct monitoring bodies
In order for a code (national or transnational) to be approved, a monitoring body (or bodies), must be identified as part of the code and accredited by the competent supervisory authority as being capable of effectively monitoring the code. The accreditation is conducted by the competent supervisory authority based on the accreditation requirements issued by the same authority after having gone through the consistency mechanism.
The IDPC submitted its draft accreditation requirements to the EDPB through the consistency mechanism. As a result of the process, the EDPB issued an opinion which the IDPC accepted to follow. The IDPC therefore implemented all recommendations and encouragements included in the opinion by amending its draft requirements accordingly.
The final version of the accreditation requirements for code of conduct monitoring body can be downloaded on the link provided below.
Click here to access the Accreditation Requirements for Code of conduct monitoring bodies