Article 40
Codes of conduct
There is no recital in the Directive related to article 40.
Regulation
Art. 40
1. The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.
2. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:
a) fair and transparent processing;
b) the legitimate interests pursued by controllers in specific contexts;
c) the collection of personal data;
d) the pseudonymisation of personal data;
e) the information provided to the public and to data subjects;
f) the exercise of the rights of data subjects;
g) the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;
h) the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32;
i) the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects;
j) the transfer of personal data to third countries or international organisations; or
k) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.
3. In addition to adherence by controllers or processors subject to this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article and having general validity pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (e) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards including with regard to the rights of data subjects.
4. A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of supervisory authorities competent pursuant to Article 55 or 56.
5. Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the supervisory authority which is competent pursuant to Article 55. The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards.
6. Where the draft code, or amendment or extension is approved in accordance with paragraph 5, and where the code of conduct concerned does not relate to processing activities in several Member States, the supervisory authority shall register and publish the code.
7. Where a draft code of conduct relates to processing activities in several Member States, the supervisory authority which is competent pursuant to Article 55 shall, before approving the draft code, amendment or extension, submit it in the procedure referred to in Article 63 to the Board which shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3 of this Article, provides appropriate safeguards.
8. Where the opinion referred to in paragraph 7 confirms that the draft code, amendment or extension complies with this Regulation, or, in the situation referred to in paragraph 3, provides appropriate safeguards, the Board shall submit its opinion to the Commission.
9. The Commission may, by way of implementing acts, decide that the approved code of conduct, amendment or extension submitted to it pursuant to paragraph 8 of this Article have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).
10. The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 9.
11. The Board shall collate all approved codes of conduct, amendments and extensions in a register and shall make them publicly available by way of appropriate means.
Directive
Art. 27
1. The Member States and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper implementation of the national provisions adopted by the Member States pursuant to this Directive, taking account of the specific features of the various sectors.
2. Member States shall make provision for trade associations and other bodies representing other categories of controllers which have drawn up draft national codes or which have the intention of amending or extending existing national codes to be able to submit them to the opinion of the national authority. Member States shall make provision for this authority to ascertain, among other things, whether the drafts submitted to it are in accordance with the national provisions adopted pursuant to this Directive. If it sees fit, the authority shall seek the views of data subjects or their representatives.
3. Draft Community codes, and amendments or extensions to existing Community codes, may be submitted to the Working Party referred to in Article 29. This Working Party shall determine, among other things, whether the drafts submitted to it are in accordance with the national provisions adopted pursuant to this Directive. If it sees fit, the authority shall seek the views of data subjects or their representatives. The Commission may ensure appropriate publicity for the codes which have been approved by the Working Party.
Spain
Article 38. Codes of conduct.
1. The codes of conduct regulated by Section 5 of Chapter IV of Regulation (EU) 2016/679 shall be binding on those who adhere to them. These codes may include mechanisms for the out-of-court resolution of disputes.
2. Such codes may be promoted, in addition to the associations and bodies referred to in Article 40.2 of Regulation (EU) 2016/679, by companies or groups of companies as well as by the controllers or processors referred to in Article 77.1 of this Organic Law.
They may also be promoted by the bodies or entities that assume the functions of supervision and out-of-court dispute resolution referred to in Article 41 of Regulation (EU) 2016/679.
Controllers or processors who adhere to the code of conduct are obliged to submit to the supervisory body or entity any complaints made to them by data subjects in relation to the processing of data included in its scope of application in the event that they consider that it is not appropriate to meet the request in the complaint, without prejudice to the provisions of Article 37 of this Organic Law. In addition, without prejudice to the powers conferred by Regulation (EU) 2016/679 on the data protection authorities, they may, on a voluntary basis and prior to carrying out the processing, submit to the said supervisory body or entity the verification of the compliance of the processing with the matters subject to the code of conduct.
In the event that the supervisory body or entity rejects or dismisses the complaint, or if the controller or processor does not submit the complaint to its decision, the data subject may file a complaint with the Spanish Data Protection Agency or, where appropriate, the regional data protection authorities.
The competent data protection authority shall verify that the bodies or entities promoting the codes of conduct have provided these codes with supervisory bodies that meet the requirements set out in Article 41.2 of Regulation (EU) 2016/679.
3. The codes of conduct shall be approved by the Spanish Data Protection Agency or, as the case may be, by the competent regional data protection authority.
4. The Spanish Data Protection Agency or, where appropriate, the regional data protection authorities shall submit the draft codes to the consistency mechanism referred to in Article 63 of Regulation (EU) 2016/679 in the cases in which this is appropriate according to its Article 40.7. The procedure shall be suspended as long as the European Data Protection Board does not issue the opinion referred to in Articles 64.1.b) and 65.1.c) of the aforementioned regulation.
When it is a regional data protection authority that submits the draft code to the consistency mechanism, the provisions of Article 60 of this Organic Law shall apply.
5. The Spanish Data Protection Agency and the regional data protection authorities shall keep registers of the codes of conduct approved by them, which shall be interconnected with each other and coordinated with the register managed by the European Data Protection Board in accordance with Article 40.11 of the aforementioned regulation.
The register shall be accessible through electronic means.
6. A Royal Decree shall establish the content of the register and the special features of the procedure for the approval of the codes of conduct.

Second Transitory Provision. Standard codes registered with the data protection authorities in accordance with Organic Law 15/1999, of December 13, 1999, on the Protection of Personal Data.
The promoters of the standard codes registered in the register of the Spanish Data Protection Agency or in the regional data protection authorities must adapt their content to the provisions of Article 40 of Regulation (EU) 2016/679 within one year from the entry into force of this Organic Law. If, after said period has elapsed, the approval provided for in Article 38.4 of this Organic Law has not been requested, the registration shall be cancelled and the promoters shall be notified.
