Article 40
Codes of conduct

Official
Texts
Guidelines
& Caselaw
Review of
EU Regulation
Review of
Nat. Regulation
Show the recitals of the Regulation related to article 40 keyboard_arrow_down Hide the recitals of the Regulation related to article 40 keyboard_arrow_up

(77) Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by means of approved codes of conduct, approved certifications, guidelines provided by the Board or indications provided by a data protection officer. The Board may also issue guidelines on processing operations that are considered to be unlikely to result in a high risk to the rights and freedoms of natural persons and indicate what measures may be sufficient in such cases to address such risk.

(98) Associations or other bodies representing categories of controllers or processors should be encouraged to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors and the specific needs of micro, small and medium enterprises. In particular, such codes of conduct could calibrate the obligations of controllers and processors, taking into account the risk likely to result from the processing for the rights and freedoms of natural persons.

(99) When drawing up a code of conduct, or when amending or extending such a code, associations and other bodies representing categories of controllers or processors should consult relevant stakeholders, including data subjects where feasible, and have regard to submissions received and views expressed in response to such consultations.

(158) Where personal data are processed for archiving purposes, this Regulation should also apply to that processing, bearing in mind that this Regulation should not apply to deceased persons. Public authorities or public or private bodies that hold records of public interest should be services which, pursuant to Union or Member State law, have a legal obligation to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records of enduring value for general public interest. Member States should also be authorised to provide for the further processing of personal data for archiving purposes, for example with a view to providing specific information related to the political behaviour under former totalitarian state regimes, genocide, crimes against humanity, in particular the Holocaust, or war crimes.

(167) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission when provided for by this Regulation. Those powers should be exercised in accordance with Regulation (EU) No 182/2011. In that context, the Commission should consider specific measures for micro, small and medium-sized enterprises.

There is no recital in the Directive related to article 40.

The GDPR

[endif]-->

Article 40 reiterates Europe's desire to encourage the elaboration of codes to contribute to the application of the Regulation. These codes should take into account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises (paragraph 1).

These codes may be elaborated, modified or extended by organizations representing the categories of controllers and processors. They would be intended to clarify the terms of application of the Regulation provisions (paragraph 2), namely:

- the principle of fair and transparent processing (a);

- the legitimate interests pursued by controllers in specific contexts (b);

- the collection of personal data (c);

- the  anonymization  of personal data (d);

- the information provided to the public and to data subjects (e);

- the exercise of the rights of data subjects (f), etc.

As it follows from recital 98, these codes could in particular specify the duties imposed on controllers and processors to manage the risk which may expose the rights and freedoms of individuals.

These codes will be submitted to the supervisory authority which is competent pursuant to Article 55. The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards (paragraph 5).

Then, where the code of conduct concerned does not relate to processing activities in several Member States, the supervisory authority shall register and publish the code (paragraph 6).

Before approving them, the supervisory authority shall submit them to the European Data Protection Board which shall provide an opinion on whether they comply with this Regulation or, in the situation referred to in paragraph 3 of this Article, provides appropriate safeguards (paragraph 7). Where the opinion is positive, the European Board shall submit its opinion to the Commission (paragraph 8). The Commission shall then adopt implementing acts to confirm  that the codes of conducts as well as any modifications and extensions approved will have general validity in the territory of the Union. In this case, the Commission shall ensure appropriate publicity (paragraphs 9 and 10).

The European Data Protection Board shall collate all approved codes of conduct, amendments and extensions in a register and shall make them publicly available by way of appropriate means (paragraph 11).

Article 40 also provides in paragraph 3 that the codes of conduct approved by the national supervisory authority and having general validity in the territory of the Union could be applied to processing controllers and processors who are not subject to the Regulation in accordance with Article 3, in order to provide the appropriate safeguards in the context of transfers of personal data to a third country or an international organization, which must provide such appropriate safeguards and which has not been considered as providing a level of protection (Art. 46 (2), e)). These controllers or processors then assume a binding and enforceable commitment by using contractual instruments or otherwise, to apply these appropriate safeguards, including with regard to the rights of the data subjects.

Article 41 provides for a specific procedure for the monitoring of these codes. These codes must also contain the mechanisms by which the body responsible for follow-up to the mandatory control of compliance with the code by the processors and/or the controllers.

 Check this translation is correct (data collected in such a way that it cannot be linked back to an individual)

The Directive

Article 27 of the Directive encouraged the elaboration of sectoral codes of conduct with a view to contribute to the implementation of national provisions taken by the Member States. They were to provide an opportunity for the associations representing categories of controllers to submit these to the review of the national authorities. Moreover, the same opportunity was provided for drafts of Community codes to submit this time to the "29" Group who could then give publicity to the approved codes.

Most national laws did not contain any provisions in this regard.

Potential issues

The new regime of codes of conduct can contribute a lot to clarifying the application of the provisions of the Regulation to specific sectors and enterprises they cover. Their potential mandatory nature across the Union could also promote better alignment of regulations, which is certainly positive.

The problem will arise as a result of the fact that the initiative will come from the representative organizations themselves, which will often be the only ones to have the resources to elaborate such tools (except some large groups of undertakings or certain public institutions). The challenge for implementation will then be to provide an effective policy of encouragement and information to these organizations in order to convince them of the potential benefits for their members.

It should be noted that the adoption procedure is particularly heavy and depends on the efficiency and speed of the European Board and the national supervisory authorities.

Regulation
1e 2e

Art. 40

1.   The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.

2.   Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:

a) fair and transparent processing;

b) the legitimate interests pursued by controllers in specific contexts;

c) the collection of personal data;

d) the pseudonymisation of personal data;

e) the information provided to the public and to data subjects;

f) the exercise of the rights of data subjects;

g) the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;

h) the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32;

i) the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects;

j) the transfer of personal data to third countries or international organisations; or

k) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.

3.   In addition to adherence by controllers or processors subject to this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article and having general validity pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (e) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards including with regard to the rights of data subjects.

4.   A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of supervisory authorities competent pursuant to Article 55 or 56.

5.   Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the supervisory authority which is competent pursuant to Article 55. The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards.

6.   Where the draft code, or amendment or extension is approved in accordance with paragraph 5, and where the code of conduct concerned does not relate to processing activities in several Member States, the supervisory authority shall register and publish the code.

7.   Where a draft code of conduct relates to processing activities in several Member States, the supervisory authority which is competent pursuant to Article 55 shall, before approving the draft code, amendment or extension, submit it in the procedure referred to in Article 63 to the Board which shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3 of this Article, provides appropriate safeguards.

8.   Where the opinion referred to in paragraph 7 confirms that the draft code, amendment or extension complies with this Regulation, or, in the situation referred to in paragraph 3, provides appropriate safeguards, the Board shall submit its opinion to the Commission.

9.   The Commission may, by way of implementing acts, decide that the approved code of conduct, amendment or extension submitted to it pursuant to paragraph 8 of this Article have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).

10.   The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 9.

11.   The Board shall collate all approved codes of conduct, amendments and extensions in a register and shall make them publicly available by way of appropriate means.

1st proposal close

Art. 38

1.           The Member States, the supervisory authorities and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various data processing sectors, in particular in relation to:

(a)     fair and transparent data processing;

(b)     the collection of data;

(c)     the information of the public and of data subjects;

(d)     requests of data subjects in exercise of their rights;

(e)     information and protection of children;

(f)      transfer of data to third countries or international organisations;

(g)     mechanisms for monitoring and ensuring compliance with the code by the controllers adherent to it;

(h)     out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with respect to the processing of personal data, without prejudice to the rights of the data subjects pursuant to Articles 73 and 75.

2.           Associations and other bodies representing categories of controllers or processors in one Member State which intend to draw up codes of conduct or to amend or extend existing codes of conduct may submit them to an opinion of the supervisory authority in that Member State. The supervisory authority may give an opinion whether the draft code of conduct or the amendment is in compliance with this Regulation. The supervisory authority shall seek the views of data subjects or their representatives on these drafts.

3.           Associations and other bodies representing categories of controllers in several Member States may submit draft codes of conduct and amendments or extensions to existing codes of conduct to the Commission.

4.           The Commission may adopt implementing acts for deciding that the codes of conduct and amendments or extensions to existing codes of conduct submitted to it pursuant to paragraph 3 have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).

5.           The Commission shall ensure appropriate publicity for the codes which have been decided as having general validity in accordance with paragraph 4.

 

2nd proposal close

Art. 38

1. The Member States, the supervisory authorities, the European Data Protection Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various data processing sectors and the specific needs of micro, small and medium-sized enterprises.

1a. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of provisions of this Regulation, such as:

(a) fair and transparent data processing;

(aa) the legitimate interests pursued by controllers in specific contexts;

(b) the collection of data;

(bb) the pseudonymisation of personal data ;

(c) the information of the public and of data subjects;

(d) the exercise of the rights of data subjects ;

(e) information and protection of children and the way to collect the parent’s and guardian’s consent ;

(ee) measures and procedures referred to in Articles 22 and 23 and measures to ensure security of processing referred to in Article 30;

(ef) notification of personal data breaches to supervisory authorities and communication of such breaches to data subjects;

(f) (...).

1ab. In addition to adherence by controller or processor subject to the regulation, codes of conduct approved pursuant to paragraph 2 may also be adhered to by controllers or processors that are not subject to this Regulation according to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in Article 42(2)(d). Such controllers or processors shall make binding and enforceable commitments, via contr actual instruments or otherwise, to apply those appropriate safeguards including as regards data subjects’ rights.

1b. Such a code of conduct shall contain mechanisms which enable the body referred to in paragraph 1 of article 38a to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of the supervisory authority which is competent pursuant to Article 51 or 51a.

2. Associations and other bodies referred to in paragraph 1a which intend to prepare a code of conduct, or to amend or extend an existing code, shall submit the draft code to the supervisory authority which is competent pursuant to Article 51. The supervisory authority shall give an opinion on whether the draft code, or amended or extended code, is in compliance with this Regulation and shall approve such draft, amended or extended code if it finds that it provides sufficient appropriate safeguards.

2a. Where the opinion referred to in paragraph 2 confirms that the code of conduct, or amended or extended code, is in compliance with this Regulation and the code is approved, and if the code of conduct does not relate to processing activities in several Member States, the supervisory authority shall register the code and publish the details thereof.

2b. Where the draft code of conduct relates to processing activities in several Member States, the supervisory authority competent pursuant to Article 51 shall, before approval, submit it in the procedure referred to in Article 57 to the European Data Protection Board which shall give an opinion on whether the draft code, or amended or extended code, is in compliance with this Regulation or, in the situation referred to in paragraph 1ab, provides appropriate safeguards.

3. Where the opinion referred to in paragraph 2b confirms that the code of conduct, or amended or extended code, is in compliance with this Regulation, or, in the situation referred to in paragraph 1ab, provides appropriate safeguards ,the European Data Protection Board shall submit its opinion to the Commission.

4. The Commission may adopt implementing acts for deciding that the approved codes of conduct and amendments or extensions to existing approved codes of conduct submitted to it pursuant to paragraph 3 have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).

5. The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 4.

5a. The European Data Protection Board shall collect all approved codes of conduct and amendments thereto in a register and shall make them publicly available through any appropriate means, such as through the European E-Justice Portal.

Directive close

Art. 27

1. The Member States and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper implementation of the national provisions adopted by the Member States pursuant to this Directive, taking account of the specific features of the various sectors.

2. Member States shall make provision for trade associations and other bodies representing other categories of controllers which have drawn up draft national codes or which have the intention of amending or extending existing national codes to be able to submit them to the opinion of the national authority.

Member States shall make provision for this authority to ascertain, among other things, whether the drafts submitted to it are in accordance with the national provisions adopted pursuant to this Directive. If it sees fit, the authority shall seek the views of data subjects or their representatives.

3. Draft Community codes, and amendments or extensions to existing Community codes, may be submitted to the Working Party referred to in Article 29. This Working Party shall determine, among other things, whether the drafts submitted to it are in accordance with the national provisions adopted pursuant to this Directive. If it sees fit, the authority shall seek the views of data subjects or their representatives. The Commission may ensure appropriate publicity for the codes which have been approved by the Working Party.

Art. 25 WBP

1. De organisatie of organisaties, die voornemens zijn een gedragscode vast te stellen, kunnen het College verzoeken te verklaren dat de daarin opgenomen regels, gelet op de bijzondere kenmerken van de sector of sectoren van de samenleving waarin deze organisaties werkzaam zijn, een juiste uitwerking vormen van deze wet of van andere wettelijke bepalingen betreffende de verwerking van persoonsgegevens. Indien een gedragscode voorziet in beslechting van geschillen over de naleving ervan, kan het College de verklaring slechts afgeven indien is voorzien in waarborgen met betrekking tot de onafhankelijkheid.

2. Het eerste lid is van overeenkomstige toepassing op wijzigingen of verlengingen van bestaande gedragscodes.

3. Het College neemt het verzoek slechts in behandeling, indien naar zijn oordeel de verzoeker of verzoekers voldoende representatief zijn en de betrokken sector of de sectoren in de code voldoende nauwkeurig zijn omschreven.

4. Een beslissing op een verzoek als bedoeld in het eerste lid, geldt als een besluit in de zin van de Algemene wet bestuursrecht. Op de voorbereiding ervan is afdeling 3.4 van die wet van toepassing.

5. De verklaring geldt voor de termijn waarvoor de gedragscode zal gaan gelden echter niet voor langer dan vijf jaar na het tijdstip waarop de verklaring is bekend gemaakt. Wordt de verklaring gevraagd voor een wijziging van een gedragscode waarvoor reeds eerder een verklaring is afgegeven, dan geldt deze voor de duur van de eerder afgegeven verklaring.

6. De verklaring wordt, tezamen met de gedragscode waarop zij betrekking heeft, door de zorg van het College in de Staatscourant geplaatst.

Art. 26 WBP

1. Bij algemene maatregel van bestuur kunnen voor een bepaalde sector nadere regels worden gesteld inzake de in de artikelen 6 tot en met 11 en 13 geregelde onderwerpen.

2. Het College geeft in zijn jaarverslag aan in hoeverre naar zijn oordeel toepassing van het eerste lid wenselijk is.

__________________________________________________________________________________________________

Section 25

1. Any organisation(s) that intend(s) to adopt a code of conduct may request the Authority to declare that the rules included in it correctly elaborate this Act or other laws relating to the processing of personal data, taking account of the specific features of the sector or sectors of society in which that/those organisation(s) operate(s). If a code of conduct provides for the resolution of disputes about compliance with it, the Authority may issue such a declaration only if safeguards about its independence have been provided.

2. Subsection 1 applies equally to amendments or extensions to existing codes of conduct.

3. The Authority will deal with the request only if it considers that the party/ parties making the request is/are sufficiently representative and the sector or sectors concerned is/are described sufficiently accurately in the code.

4. A decision on a request as referred to in subsection 1 is regarded as a decision within the meaning of the General Administrative Law Act. Division 3.4 of that Act applies to its preparation.

5. The declaration remains valid for the term of validity of the code of conduct, but for no longer than five years after the publication date of the declaration. If the declaration is requested for an amendment to a code of conduct for which a declaration was previously issued, then it will remain valid for the term of that previous declaration.

6. The Authority is responsible for publishing the declaration, together with the code of conduct to which it relates, in the Government Gazette.

Section 26

1. Further rules may be issued by order in council for a particular sector regarding the matters governed by Sections 6 to 11 and 13.

2. The Authority states in its annual report the extent to which it considers that subsection 1 should be applied.

close