Article 41
Monitoring of approved codes of conduct


The GDPR

Article 41 authorises, on certain conditions, an independent body to monitor compliance with a code of conduct approved under Article 40, without prejudice to the tasks and powers of the competent supervisory authority pursuant to Articles 57 and 58. Paragraph 1 stipulates that the monitoring of compliance may be carried out only by a body which has an appropriate level of expertise in relation to the subject-matter of the code.

The second paragraph sets out the conditions that such a body must meet:

- it must have demonstrated its independence and expertise in relation to the subject-matter of the code to monitor (a);

- the body must have established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation (b);

- the body must have established transparent procedures to handle complaints about infringements of the code by a controller or processor, by guaranteeing the absence of conflicts of interest (c);

- the body must have demonstrated to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests (d). 

The competent supervisory authority shall submit the draft criteria for accreditation of a body as referred to in paragraph 1 of this Article to the Board pursuant to the consistency mechanism referred to in Article 63 (paragraph 3).

Without prejudice to the tasks and powers of the competent supervisory authority, such body shall, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent supervisory authority of such actions and the reasons for taking them (paragraph 4).

The competent supervisory authority shall revoke the accreditation of a body if the conditions for accreditation are not met or where actions taken by the body infringe this Regulation (paragraph 5).

This provision shall not apply to processing carried out by public authorities and bodies (paragraph 6).

The Directive

There was no provision in the Directive for monitoring of approved codes, as no procedure for the approval of such codes was provided.

Potential issues

We may wonder what the status of the monitoring body will be in national law, separate from the national supervisory authority. A priori, it will not be a public institution but a private one, which would then have powers of sanction with respect to an enterprise which may, where applicable, be established in a third country.

The Regulation also says nothing about how the costs of this compulsory monitoring are to be managed, which may likewise pose difficulties, in addition to the management of potential conflicts of interest.

It should also be noted that the provision does not apply to public authorities and public institutions, even though they are not excluded from Article 38 and are therefore required to adopt the codes. We may also ask precisely what conditions an entity must meet to qualify as a public authority or body, since these terms are not defined by the Regulation.

Regulation

Art. 41

1.   Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, the monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for that purpose by the competent supervisory authority.

2.   A body as referred to in paragraph 1 may be accredited to monitor compliance with a code of conduct where that body has:

a) demonstrated its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory authority;

b) established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;

c) established procedures and structures to handle complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make those procedures and structures transparent to data subjects and the public; and

d) demonstrated to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.

3.   The competent supervisory authority shall submit the draft criteria for accreditation of a body as referred to in paragraph 1 of this Article to the Board pursuant to the consistency mechanism referred to in Article 63.

4.   Without prejudice to the tasks and powers of the competent supervisory authority and the provisions of Chapter VIII, a body as referred to in paragraph 1 of this Article shall, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent supervisory authority of such actions and the reasons for taking them.

5.   The competent supervisory authority shall revoke the accreditation of a body as referred to in paragraph 1 if the conditions for accreditation are not, or are no longer, met or where actions taken by the body infringe this Regulation.

6.   This Article shall not apply to processing carried out by public authorities and bodies.

1st proposal

No specific provision

2nd proposal

Art. 38a

1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 52 and 53, the monitoring of compliance with a code of conduct pursuant to Article 38 (1b), may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for this purpose by the competent supervisory authority.

2. A body referred to in paragraph 1 may be accredited for this purpose if:

(a) it has demonstrated its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory authority;

(b) it has established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;

(c) it has established procedures and structures to deal with complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make these procedures and structures transparent to data subjects and the public;

(d) it demonstrates to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.

3. The competent supervisory authority shall submit the draft criteria for accreditation of a body referred to in paragraph 1 to the European Data Protection Board pursuant to the consistency mechanism referred to in Article 57.

4. Without prejudice to the provisions of Chapter VIII, a body referred to in paragraph 1 may, subject to adequate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent supervisory authority of such actions and the reasons for taking them.

5. The competent supervisory authority shall revoke the accreditation of a body referred to in paragraph 1 if the conditions for accreditation are not, or no longer, met or actions taken by the body are not in compliance with this Regulation.

6. This article shall not apply to the processing of personal data carried out by public authorities and bodies.

Directive

No specific provision

Article 75.- Guarantees of Compliance with Codes of Conduct.- Royal Decree 1720/2007 Implementing Organic Law 15/1999.-

1. The codes of conduct shall include independent supervision procedures to guarantee compliance with the obligations assumed by subscribers, and to establish adequate, effective and dissuasive penalties.

2. Such procedure shall guarantee:

a) The independence and impartiality of the supervisory body;

b) The simple, accessible, fast and cost-free presentation of complaints and claims before the body for possible breaches of the code of conduct;

c) The right to contest;

d) Various levels of penalties so they may be adjusted to the severity of the breach. Such penalties shall be dissuasive and may involve suspension of the subscription to the code or expulsion from the member entity. If appropriate, it may establish its publication;

e) Notification of the decision taken to the data subject.

3. Similarly, and without prejudice to the provisions of Article 19 of Organic Law 15/1999, of 13 December, the codes of conduct may include procedures to determine measures to repair harm that may have been caused to data subjects as a result of the breach of the code of conduct.

4. The provisions of this Article shall apply without prejudice to the powers of the Spanish Data Protection Agency and, if appropriate, of the supervisory authorities of the Autonomous Communities.

 

Article 76.- List of Subscribers.- Royal Decree 1720/2007 Implementing Organic Law 15/1999.-

The code of conduct shall have attached as a schedule a list of subscribers, which shall be kept up-to-date, available to the Spanish Data Protection Agency.

 

Article 77.- Filing and Publication of Codes of Conduct.- Royal Decree 1720/2007 Implementing Organic Law 15/1999.-

1. In order for the codes of conduct to be considered as such for the purposes provided in Article 32 of Organic Law 15/1999, of 13 December, and herein, they shall be filed and registered in the General Data Protection Register of the Spanish Data Protection Agency or, when appropriate, in the register created by the Autonomous Communities, which shall transfer them for their inclusion in the General Data Protection Register.

2. For this purpose, the codes of conduct shall be presented before the relevant supervisory authority, that shall process their registration, in the event they are subject to the decision of the Spanish Data Protection Agency, pursuant to the procedure established in Chapter VI of Title IX hereof.

3. In any case, the Spanish Data Protection Agency shall publish the registered codes of conduct, preferably through computerised or telematic means.

 

Article 78.- Obligations after Registration of the Code of Conduct.- Royal Decree 1720/2007 Implementing Organic Law 15/1999.-

The promoting entities or bodies, persons or entities designated for this purpose in the code of conduct shall have, once it has been published, the following obligations:

a) Maintain accessible to the public the updated information on the promoting entities, the content of the code of conduct, the procedures for subscription and guarantee of compliance and the list of subscribers to which the previous Article refers.

Such information shall be presented clearly and concisely and shall be permanently accessible by electronic means.

b) Send to the Spanish Data Protection Agency an annual report on the activities carried out to disseminate the code of conduct and promote subscription to it, the actions for verifying compliance with the code and their results, the complaints and claims handled and the process they have undergone and any other aspect that the promoting entities deem relevant.

Regarding codes of conduct registered in the register of a supervisory authority of an Autonomous Community, the report shall be sent to that authority, which shall transfer it to the General Data Protection Register.

c) Periodically evaluate the effectiveness of the code of conduct, measuring the degree of satisfaction of the data subjects and, if appropriate, updating the contents to adapt it to the general or sectoral legislation on the protection of data that is in force at any time.

This evaluation shall take place, at least, every four years, unless adaptation of the commitments of the code to an amendment of the applicable legislation is required earlier.

d) Promote accessibility of all persons, paying particular attention to those with a disability or of advanced age, to the information available on the code of conduct.
