Article 40
Codes of conduct

Official
Texts
Guidelines Caselaw Review of
EU Regulation
Review of
Nat. Regulation
Show the recitals of the Regulation related to article 40 keyboard_arrow_down Hide the recitals of the Regulation related to article 40 keyboard_arrow_up

(77) Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by means of approved codes of conduct, approved certifications, guidelines provided by the Board or indications provided by a data protection officer. The Board may also issue guidelines on processing operations that are considered to be unlikely to result in a high risk to the rights and freedoms of natural persons and indicate what measures may be sufficient in such cases to address such risk.

(98) Associations or other bodies representing categories of controllers or processors should be encouraged to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors and the specific needs of micro, small and medium enterprises. In particular, such codes of conduct could calibrate the obligations of controllers and processors, taking into account the risk likely to result from the processing for the rights and freedoms of natural persons.

(99) When drawing up a code of conduct, or when amending or extending such a code, associations and other bodies representing categories of controllers or processors should consult relevant stakeholders, including data subjects where feasible, and have regard to submissions received and views expressed in response to such consultations.

(158) Where personal data are processed for archiving purposes, this Regulation should also apply to that processing, bearing in mind that this Regulation should not apply to deceased persons. Public authorities or public or private bodies that hold records of public interest should be services which, pursuant to Union or Member State law, have a legal obligation to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records of enduring value for general public interest. Member States should also be authorised to provide for the further processing of personal data for archiving purposes, for example with a view to providing specific information related to the political behaviour under former totalitarian state regimes, genocide, crimes against humanity, in particular the Holocaust, or war crimes.

(167) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission when provided for by this Regulation. Those powers should be exercised in accordance with Regulation (EU) No 182/2011. In that context, the Commission should consider specific measures for micro, small and medium-sized enterprises.

There is no recital in the Directive related to article 40.

The GDPR

Article 40 reiterates Europe's desire to encourage the elaboration of codes to contribute to the application of the Regulation. These codes should take into account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises (paragraph 1).

These codes may be elaborated, modified or extended by organizations representing the categories of controllers and processors. They would be intended to clarify the terms of application of the Regulation provisions (paragraph 2), namely:

- the principle of fair and transparent processing (a);

- the legitimate interests pursued by controllers in specific contexts (b);

- the collection of personal data (c);

- the  anonymization  of personal data (d);

- the information provided to the public and to data subjects (e);

- the exercise of the rights of data subjects (f), etc.

As it follows from recital 98, these codes could in particular specify the duties imposed on controllers and processors to manage the risk which may expose the rights and freedoms of individuals.

These codes will be submitted to the supervisory authority which is competent pursuant to Article 55. The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards (paragraph 5).

Then, where the code of conduct concerned does not relate to processing activities in several Member States, the supervisory authority shall register and publish the code (paragraph 6).

Before approving them, the supervisory authority shall submit them to the European Data Protection Board which shall provide an opinion on whether they comply with this Regulation or, in the situation referred to in paragraph 3 of this Article, provides appropriate safeguards (paragraph 7). Where the opinion is positive, the European Board shall submit its opinion to the Commission (paragraph 8). The Commission shall then adopt implementing acts to confirm  that the codes of conducts as well as any modifications and extensions approved will have general validity in the territory of the Union. In this case, the Commission shall ensure appropriate publicity (paragraphs 9 and 10).

The European Data Protection Board shall collate all approved codes of conduct, amendments and extensions in a register and shall make them publicly available by way of appropriate means (paragraph 11).

Article 40 also provides in paragraph 3 that the codes of conduct approved by the national supervisory authority and having general validity in the territory of the Union could be applied to processing controllers and processors who are not subject to the Regulation in accordance with Article 3, in order to provide the appropriate safeguards in the context of transfers of personal data to a third country or an international organization, which must provide such appropriate safeguards and which has not been considered as providing a level of protection (Art. 46 (2), e)). These controllers or processors then assume a binding and enforceable commitment by using contractual instruments or otherwise, to apply these appropriate safeguards, including with regard to the rights of the data subjects.

Article 41 provides for a specific procedure for the monitoring of these codes. These codes must also contain the mechanisms by which the body responsible for follow-up to the mandatory control of compliance with the code by the processors and/or the controllers.

 Check this translation is correct (data collected in such a way that it cannot be linked back to an individual)

The Directive

Article 27 of the Directive encouraged the elaboration of sectoral codes of conduct with a view to contribute to the implementation of national provisions taken by the Member States. They were to provide an opportunity for the associations representing categories of controllers to submit these to the review of the national authorities. Moreover, the same opportunity was provided for drafts of Community codes to submit this time to the "29" Group who could then give publicity to the approved codes.

Most national laws did not contain any provisions in this regard.

Potential issues

The new regime of codes of conduct can contribute a lot to clarifying the application of the provisions of the Regulation to specific sectors and enterprises they cover. Their potential mandatory nature across the Union could also promote better alignment of regulations, which is certainly positive.

The problem will arise as a result of the fact that the initiative will come from the representative organizations themselves, which will often be the only ones to have the resources to elaborate such tools (except some large groups of undertakings or certain public institutions). The challenge for implementation will then be to provide an effective policy of encouragement and information to these organizations in order to convince them of the potential benefits for their members.

It should be noted that the adoption procedure is particularly heavy and depends on the efficiency and speed of the European Board and the national supervisory authorities.

Summary

European Union

European Union

European data protection baord (EDPB)

Guidelines on codes of conduct as tools for transfers - 4/2021 (7 July 2021)

The aim of these guidelines is to specify the application of Article 40-3 of the GDPR relating to codes of conduct as appropriate safeguards for transfers of personal data to third countries in accordance with Article 46-2-e) of the GDPR. They also aim to provide practical guidance including on the content of such codes of conduct, their adoption process and the actors involved as well as the requirements to be met and guarantees to be provided by a code of conduct for transfers.

These guidelines should further act as a clear reference for all SAs, the Board and assist the Commission in evaluating codes in a consistent manner and to streamline the procedures involved in the assessment process. They should also provide greater transparency, ensuring that code owners who intend to seek approval for a code of conduct intended to be used as a tool for transfers (“code(s) intended for transfers” hereafter) are fully aware of the process and understand the formal requirements and the appropriate thresholds required for setting up such a code of conduct.

The present guidelines complement the EDPB Guidelines 1/2019 on codes of conduct and Monitoring Bodies under Regulation 2016/679 which establish the general framework for the adoption of codes of conduct. The considerations set out in Guidelines 1/2019 notably regarding the admissibility, submission and criteria for approval are thus also valid in the context of the preparation of codes intended for transfers.

Link

Guidelines on Codes of conduct and Monitoring Bodies - 1/2019 (4 June 2019)

The aim of these guidelines is to provide practical guidance and interpretative assistance in relation to the application of Articles 40 and 41 of the GDPR.

They are intended to help clarify the procedures and the rules involved in the submission, approval and publication of codes at both a National and European level. They intend to set out the minimum criteria required by a Competent Supervisory Authority (“CompSA”) before accepting to carry out an in depth review and evaluation of a code. Further, they intend to set out the factors relating to the content to be taken into account when evaluating whether a particular code provides and contributes to the proper and effective application of the GDPR. Finally, they intend to set out the requirements for the effective monitoring of compliance with a code. These guidelines should also act as a clear framework for all CompSAs, the Board and the Commission to evaluate codes in a consistent manner and to streamline the procedures involved in the assessment process.

This framework should also provide greater transparency, ensuring that code owners who intend to seek approval for a code are fully conversant with the process and understand the formal requirements and the appropriate thresholds required for approval. Guidance on codes of conduct as a tool for transfers of data as per Article 40(3) of the GDPR will be considered in separate guidelines to be issued by the EDPB. All codes previously approved will need to be reviewed and re-evaluated in line with the requirements of the GDPR and then resubmitted for approval as per the requirements of Articles 40 and 41 and as per the procedures outlined in this document.

Lien

Retour au sommaire
Retour au sommaire
Regulation
1e 2e

Art. 40

1.   The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.

2.   Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:

a) fair and transparent processing;

b) the legitimate interests pursued by controllers in specific contexts;

c) the collection of personal data;

d) the pseudonymisation of personal data;

e) the information provided to the public and to data subjects;

f) the exercise of the rights of data subjects;

g) the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;

h) the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32;

i) the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects;

j) the transfer of personal data to third countries or international organisations; or

k) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.

3.   In addition to adherence by controllers or processors subject to this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article and having general validity pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (e) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards including with regard to the rights of data subjects.

4.   A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of supervisory authorities competent pursuant to Article 55 or 56.

5.   Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the supervisory authority which is competent pursuant to Article 55. The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards.

6.   Where the draft code, or amendment or extension is approved in accordance with paragraph 5, and where the code of conduct concerned does not relate to processing activities in several Member States, the supervisory authority shall register and publish the code.

7.   Where a draft code of conduct relates to processing activities in several Member States, the supervisory authority which is competent pursuant to Article 55 shall, before approving the draft code, amendment or extension, submit it in the procedure referred to in Article 63 to the Board which shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3 of this Article, provides appropriate safeguards.

8.   Where the opinion referred to in paragraph 7 confirms that the draft code, amendment or extension complies with this Regulation, or, in the situation referred to in paragraph 3, provides appropriate safeguards, the Board shall submit its opinion to the Commission.

9.   The Commission may, by way of implementing acts, decide that the approved code of conduct, amendment or extension submitted to it pursuant to paragraph 8 of this Article have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).

10.   The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 9.

11.   The Board shall collate all approved codes of conduct, amendments and extensions in a register and shall make them publicly available by way of appropriate means.

1st proposal close

Art. 38

1.           The Member States, the supervisory authorities and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various data processing sectors, in particular in relation to:

(a)     fair and transparent data processing;

(b)     the collection of data;

(c)     the information of the public and of data subjects;

(d)     requests of data subjects in exercise of their rights;

(e)     information and protection of children;

(f)      transfer of data to third countries or international organisations;

(g)     mechanisms for monitoring and ensuring compliance with the code by the controllers adherent to it;

(h)     out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with respect to the processing of personal data, without prejudice to the rights of the data subjects pursuant to Articles 73 and 75.

2.           Associations and other bodies representing categories of controllers or processors in one Member State which intend to draw up codes of conduct or to amend or extend existing codes of conduct may submit them to an opinion of the supervisory authority in that Member State. The supervisory authority may give an opinion whether the draft code of conduct or the amendment is in compliance with this Regulation. The supervisory authority shall seek the views of data subjects or their representatives on these drafts.

3.           Associations and other bodies representing categories of controllers in several Member States may submit draft codes of conduct and amendments or extensions to existing codes of conduct to the Commission.

4.           The Commission may adopt implementing acts for deciding that the codes of conduct and amendments or extensions to existing codes of conduct submitted to it pursuant to paragraph 3 have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).

5.           The Commission shall ensure appropriate publicity for the codes which have been decided as having general validity in accordance with paragraph 4.

 

2nd proposal close

Art. 38

1. The Member States, the supervisory authorities, the European Data Protection Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various data processing sectors and the specific needs of micro, small and medium-sized enterprises.

1a. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of provisions of this Regulation, such as:

(a) fair and transparent data processing;

(aa) the legitimate interests pursued by controllers in specific contexts;

(b) the collection of data;

(bb) the pseudonymisation of personal data ;

(c) the information of the public and of data subjects;

(d) the exercise of the rights of data subjects ;

(e) information and protection of children and the way to collect the parent’s and guardian’s consent ;

(ee) measures and procedures referred to in Articles 22 and 23 and measures to ensure security of processing referred to in Article 30;

(ef) notification of personal data breaches to supervisory authorities and communication of such breaches to data subjects;

(f) (...).

1ab. In addition to adherence by controller or processor subject to the regulation, codes of conduct approved pursuant to paragraph 2 may also be adhered to by controllers or processors that are not subject to this Regulation according to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in Article 42(2)(d). Such controllers or processors shall make binding and enforceable commitments, via contr actual instruments or otherwise, to apply those appropriate safeguards including as regards data subjects’ rights.

1b. Such a code of conduct shall contain mechanisms which enable the body referred to in paragraph 1 of article 38a to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of the supervisory authority which is competent pursuant to Article 51 or 51a.

2. Associations and other bodies referred to in paragraph 1a which intend to prepare a code of conduct, or to amend or extend an existing code, shall submit the draft code to the supervisory authority which is competent pursuant to Article 51. The supervisory authority shall give an opinion on whether the draft code, or amended or extended code, is in compliance with this Regulation and shall approve such draft, amended or extended code if it finds that it provides sufficient appropriate safeguards.

2a. Where the opinion referred to in paragraph 2 confirms that the code of conduct, or amended or extended code, is in compliance with this Regulation and the code is approved, and if the code of conduct does not relate to processing activities in several Member States, the supervisory authority shall register the code and publish the details thereof.

2b. Where the draft code of conduct relates to processing activities in several Member States, the supervisory authority competent pursuant to Article 51 shall, before approval, submit it in the procedure referred to in Article 57 to the European Data Protection Board which shall give an opinion on whether the draft code, or amended or extended code, is in compliance with this Regulation or, in the situation referred to in paragraph 1ab, provides appropriate safeguards.

3. Where the opinion referred to in paragraph 2b confirms that the code of conduct, or amended or extended code, is in compliance with this Regulation, or, in the situation referred to in paragraph 1ab, provides appropriate safeguards ,the European Data Protection Board shall submit its opinion to the Commission.

4. The Commission may adopt implementing acts for deciding that the approved codes of conduct and amendments or extensions to existing approved codes of conduct submitted to it pursuant to paragraph 3 have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).

5. The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 4.

5a. The European Data Protection Board shall collect all approved codes of conduct and amendments thereto in a register and shall make them publicly available through any appropriate means, such as through the European E-Justice Portal.

Directive close

Art. 27

1. The Member States and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper implementation of the national provisions adopted by the Member States pursuant to this Directive, taking account of the specific features of the various sectors.

2. Member States shall make provision for trade associations and other bodies representing other categories of controllers which have drawn up draft national codes or which have the intention of amending or extending existing national codes to be able to submit them to the opinion of the national authority.

Member States shall make provision for this authority to ascertain, among other things, whether the drafts submitted to it are in accordance with the national provisions adopted pursuant to this Directive. If it sees fit, the authority shall seek the views of data subjects or their representatives.

3. Draft Community codes, and amendments or extensions to existing Community codes, may be submitted to the Working Party referred to in Article 29. This Working Party shall determine, among other things, whether the drafts submitted to it are in accordance with the national provisions adopted pursuant to this Directive. If it sees fit, the authority shall seek the views of data subjects or their representatives. The Commission may ensure appropriate publicity for the codes which have been approved by the Working Party.

Section 38a
Code of conduct to promote the implementation of data protection provisions

(1) Professional associations and other associations which represent specific groups of controllers may submit draft rules of conduct to promote the implementation of data protection provisions to the competent supervisory authority.

(2) The supervisory authority shall examine the compatibilty of the submitted drafts with the applicable law on data protection.

close