GDPR codes must meet admissibility requirements

Out-Law News | 21 Feb 2019 | 4:43 pm | 2 min. read

Trade bodies considering drawing up new codes of conduct to govern data privacy practices in their sector will be required to meet admissibility requirements before those codes will be assessed for their compliance with the General Data Protection Regulation (GDPR), a data protection watchdog has said.

Articles 40 and 41 of the GDPR provide for the endorsement of industry-drafted codes of conduct that are "intended to contribute to the proper application" of the Regulation. The EDPB must approve the code where it relates to processing in more than one EU member state; national data protection authorities can approve codes designed for use within their own jurisdiction only.

Earlier this week, the European Data Protection Board (EDPB) published draft new guidance on the development of GDPR codes and the activities of associated monitoring bodies.

The EDPB said GDPR codes of conduct could apply to specific data protection issues, including the collection of personal data, the pseudonymisation of personal data, data security, breach notification and data transfers. It explained, though, that data protection authorities will only give consideration to endorsing codes if the codes that are drafted are admissible.

According to the EDPB, each code must include "a clear and concise explanatory statement, which provides details as to the purpose of the code, the scope of the code and how it will facilitate the effective application of this Regulation".

In addition, to be admissible, the code will need a "defined scope" that sets out "clearly and precisely determines the processing operations (or characteristics of the processing) of personal data covered by it, as well as the categories of controllers or processors it governs".

Bodies behind the codes must also be able to demonstrate that they are "an effective representative body and that they are capable of understanding the needs of their members and clearly defining the processing activity or sector to which the code is intended to apply".

They will further have to evidence that they have had "an appropriate level of consultation" on the development of their code with "relevant stakeholders including data subjects, where feasible", and the draft codes will also have to include proposed mechanisms that provide for the monitoring of compliance with its provisions, the EDPB said.

The watchdog, which brings together representatives from national data protection authorities across the EU, also outlined criteria for it and the other DPAs to consider when determining whether to approve the codes.

According to the checklist, bodies behind the codes will need to demonstrate the need for their code.

The EDPB's draft guidance said: "A code must address data protection issues which arise for a particular sector or processing activity. Code authors should be able to explain and set out the problems the code seeks to address and substantiate how the solutions the code offers will be effective and beneficial not only for their members but also for data subjects."

Codes of conduct must not simply "re-state the GDPR", the EDPB said. They should instead "aim to codify how the GDPR shall apply in a specific, practical and precise manner" and "the agreed standards and rules will need to be unambiguous, concrete, attainable and enforceable (testable)", it said.

"Setting out distinct rules in the particular field is an acceptable method by which a code can add value," the EDPB said. "Using terminology that is unique and relevant to the industry and providing concrete case scenarios or specific examples of ‘best practice’ may help to meet this requirement."

The EDPB's draft guidance is open to consultation.