Art. 40 GDPR Codes Of Conduct, One to Emulate
Art. 40 GDPR Codes of Conduct fits in the overall GDPR regulations by contributing to the proper and consistent application of the GDPR across the EU, and by enhancing the accountability and transparency of data controllers and processors. They can also benefit data subjects by providing them with clear and specific information about how their personal data are processed, and by offering them effective ways to exercise their rights and resolve their complaints. Codes of conduct can also foster trust and cooperation among data controllers, processors, supervisory authorities, and data subjects, and facilitate the free flow of personal data within the EU and with third countries or international organizations. Adopting the codes can instil a discipline, being comprehensive and restrictive, on extra-regional European data controllers and processors who are anticipating the development of similar codes in their jurisdiction, and fortifies them in case of inadvertent processing of EU data subjects pursuant to Article 3, ”GDPR Territorial Scope”
Main Requirements
The main requirements and obligation that Art. 40 GDPR Codes of conduct imposes on associations and other bodies that prepare codes of conduct, and on data controllers and processors that adhere to codes of conduct, such as submitting, approving, monitoring, and enforcing codes of conduct, and cooperating with supervisory authorities and data subjects are:
· Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:
o fair and transparent processing;
o the legitimate interests pursued by controllers in specific contexts;
o the collection of personal data;
o the pseudonymisation of personal data;
o the information provided to the public and to data subjects;
o the exercise of the rights of data subjects;
o the information provided to, and the protection of, children, and the manner in whic the consent of the holders of parental responsibility over children is to be obtained;
o the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32;
o the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects;
o the transfer of personal data to third countries or international organisations; or
o out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.
· In addition to adherence by controllers or processors subject to this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article and having general validity pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (e) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards including with regard to the rights of data subjects.
· A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of supervisory authorities competent pursuant to Article 55 or 56.
· Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the supervisory authority which is competent pursuant to Article 55. The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards.
· Where the draft code, or amendment or extension is approved in accordance with paragraph 5, and where the code of conduct concerned does not relate to processing activities in several Member States, the supervisory authority shall register and publish the code.
· Where a draft code of conduct relates to processing activities in several Member States, the supervisory authority which is competent pursuant to Article 55 shall, before approving the draft code, amendment or extension, submit it in the procedure referred to in Article 63 to the Board which shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3 of this Article, provides appropriate safeguards.
· Where the opinion referred to in paragraph 7 confirms that the draft code, amendment or extension complies with this Regulation, or, in the situation referred to in paragraph 3, provides appropriate safeguards, the Board shall submit its opinion to the Commission.
· The Commission may, by way of implementing acts, decide that the approved code of conduct, amendment or extension submitted to it pursuant to paragraph 8 of this Article have general validity within the Union. 2Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).
· The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 9.
· The Board shall collate all approved codes of conduct, amendments and extensions in a register and shall make them publicly available by way of appropriate means.
–Source: Art. 40 GDPR Codes of conduct, https://gdpr-info.eu/art-40-gdpr/
Right And Remedies
Art. 40 GDPR Codes of Conduct grants to data subjects rights and remedies, such as, being informed of and benefiting from codes of conduct, and having effective ways to exercise their rights and resolve their complaints. See Articles 77 “Right to lodge a complaint with a supervisory authority” and 79, “Right to an effective judicial remedy against a controller or processor” of the GDPR.
Terminology
To fully appreciate the code, we repeat some terms specific to the purposes of the regulation:
|
GDPR Main Terminology |
Explanation |
|
Associations and other bodies` |
A formal organization or group (of data controllers or processors) |
|
Data Breach |
The unauthorized or unlawful access, disclosure, alteration, or loss of personal data |
|
Data Controller or Business |
The entity that determines the purposes and means of the processing of personal data |
|
Data Processor or Service Provider |
The entity that processes personal data on behalf of the data controller |
|
Data Subject or Consumer |
The individual whose personal data are processed |
|
EU Directive |
Applicable to all Member States Sets certain aims, requirements, and concrete results that must be achieved in every Member State Sets a process for it to be implemented by Member States National authorities must create or adapt their legislation to meet these aims by the date specified in each given Directive |
|
EU Regulation |
Immediately applicable and enforceable by law in all Member States As good practice, Member States issue national legislation that defines the competent national authorities, inspection and sanctions on the subject matter. |
|
Personal data or information |
Any information that can identify or relate to a natural person, either directly or indirectly |
|
Supervisory Authority/DPA/Lead Authority task |
The national data protection authority charged with the protection of privacy and personal; to implement and enforce local data protection law; and to offer guidance. |
Conclusion
Art. 40 GDPR Codes of conduct cover various aspects of data handling/processing. The codes of conduct can also provide appropriate safeguards for data transfers to third countries or international organizations; they require mechanisms for monitoring and enforcing compliance by the organizations that adhere to them; they grant data subjects rights and remedies; and the codes have an esoteric group of terminology specific to the GDPR. Organizations outside the EU can do well to discipline themselves according to the codes as they anticipate the strictest measures for privacy and data processing. Next time we will appraise GDPR-inspired US state legislation.
–Richard Thomas
Previous, Part IV
Next, Part VI
