On 25 May 2020, the European Data Protection Board (EDPB) issued its opinions on draft decisions of certain national supervisory authorities on certification and code of conduct monitoring bodies’ accreditation requirements. This includes opinions on the draft decisions from supervisory authorities in:

  • Finland, Germany, Ireland, and Italy, on the approval of the requirements for accreditation of a code of conduct monitoring body under article 41 of the General Data Protection Regulation (GDPR)
  • The Czech Republic, Germany, and Ireland, on the approval of the requirements for accreditation of a certification body under article 43(3) of the GDPR

Background to the EDPB’s opinions

Under articles 40 and 41, supervisory authorities of Member States are encouraged to draft codes of conduct for the application of the GDPR, and to establish an accredited body for the monitoring of compliance with this code of conduct. Articles 42 and 43 similarly encourage supervisory authorities to create a data protection certification mechanism that allows businesses to demonstrate compliance with the GDPR, and to establish an accredited certification body to carry out this certification. In addition, last year the EDPB published guidelines on the certification and accreditation of these bodies; further details of these guidelines can be found in our blog here.

The first step for the establishment of the monitoring and certification bodies is for Member States to submit draft requirements for the accreditation process, which are then reviewed by the EDPB. The EDPB has confirmed in its opinions that, whilst the GDPR does not impose a single set of requirements, its role in assessing the draft decisions is to ensure that a consistent approach is taken by Member States and to provide recommendations to bring the drafts in line with core elements of the GDPR. Following publication of the EDPB’s opinions, supervisory authorities have two weeks to communicate whether they intend to amend or maintain their draft decisions, and must provide their reasons if they choose not to follow the EDPB’s recommendations.

The EDPB’s recommendations

Some of the supervisory authorities that have submitted their draft decisions will have to carry out work to bring their decisions in line with the EDPB’s recommendations. For example:

  • The EDPB noted that the Finnish and Irish draft code of conduct accreditation requirements need to provide examples of the information or documents that applicants should submit when applying for accreditation.
  • The German draft code of conduct accreditation requirements should specify that the essential elements of the monitoring body’s function will be included within the code of conduct, and the draft should refer to the monitoring body’s responsibilities in a general manner so as to reduce some of the burden for small and medium enterprises to apply for accreditation.
  • The Italian draft code of conduct accreditation requirements need further clarification to ensure the independence of the monitoring body.
  • The EDPB noted that the Czech Republic’s draft accreditation requirements do not completely follow the structure set out in the EDPB’s guidelines 4/2018 on the accreditation of certification bodies.

Moving towards practical solutions

Nevertheless, the supervisory authorities of the Czech Republic, Finland, Germany, Ireland, and Italy are close to finalising their monitoring and certification bodies, and are therefore closer to establishing schemes for certification and codes of conduct. Once these schemes are implemented and available for businesses to sign up to, they may provide a practical and potentially cost-effective solution to help businesses demonstrate their compliance with the GDPR, as the principle of accountability under article 5(2) of the GDPR requires. This, in turn, should help businesses earn the trust and confidence of the data subjects whose personal data they process.