At its eleventh plenary session on 4 June 2019 in Brussels, the European Data Protection Board (EDPB) adopted final versions of (1) the Guidelines 1/2019 on codes of conduct and monitoring bodies under Regulation 2016/679, (2) annex 2 to the Guidelines on certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679 and (3) the annex to the Guidelines on accreditation of certification bodies under Article 43 of the Regulation 2016/679. On 14 June 2019, the EDPB also released the final versions adopted at its plenary session.
In a recent blog, we noted that the EDPB had issued revised guidelines on all the three matters above. The EDPB submitted these revisions for public consultation and recently completed considering the responses.
(1) Guidelines on codes of conduct and monitoring bodies
Following the public consultation, the EDPB has incorporated clarification points in the final version of the guidelines on codes of conduct. These guidelines aim to provide practical direction and explanation regarding the application of Articles 40 and 41 GDPR. They set out an established framework that explains the procedures to be followed in submitting codes of conduct for approval, and how to provide criteria for approval of such codes.
(2) Guidelines on certification
The EDPB adopted the final version of annex 2 to the guidelines on certification and identifying certification criteria. These guidelines aim to establish the primary criteria relevant to all types of certification mechanisms issued according to Articles 42 and 43 GDPR. Annex 2 specifically identifies a non-exhaustive list of minimum requirements that the EDPB and data protection authorities will consider for the approval of certifications. The EDPB has now supplemented certain sections in the annex, including whether the criteria includes the obligation of the controller/processor to appoint a data protection officer and the obligation to keep records of the processing activities.
(3) Guidelines on accreditation of certification bodies
Finally, the EDPB also finalised the annex to the guidelines on accreditation of certification bodies. These guidelines assist EU member states, regulators and national accreditation bodies in implementing the provisions of Article 43 GDPR in a consistent and harmonised manner. The annex provides guidance on the additional requirements to be submitted to the EDPB for approval in case accreditation bodies are established by supervisory authorities.
The EDPB guidelines provide useful information on the application of Articles 40-43 of the GDPR. As a result, we expect to see an uptake in the establishment of codes of conduct and data protection certification mechanisms, for example from trade associations, sectoral organisations and interest groups. It is hoped that these will pave the way for providing a new tool for businesses to evidence their GDPR compliance and resolving key data protection challenges in specific sectors by enhancing transparency and accountability and by setting standards of good practice for players in those sectors.