During its 51st plenary session on 7th July 2021, the European Data Protection Board (EDPB) adopted guidelines on codes of conduct as tools for transfers (CoC Guidelines). The CoC Guidelines are available here.
The CoC Guidelines support and complement the previous EDPB Guidelines on CoCs published in 2019 (2019 Guidelines) that established the general framework for the adoption of CoCs. We have previously written about the 2019 Guidelines here.
Purpose of the CoC Guidelines
The main purpose of the CoC Guidelines is to clarify the application of Articles 40(3) and 46(2)(e) of the General Data Protection Regulation (GDPR) relating to codes of conduct as appropriate safeguards for transfers of personal data to third countries. These provisions specify that a code of conduct which has been (1) approved by a competent supervisory authority and (2) granted general validity within the EEA by the EU Commission may be used and adhered to by controllers and processors not subject to the GDPR to provide appropriate safeguards to effect transfers of data outside of the EU.
The CoC Guidelines should further act as a clear reference for all EU supervisory authorities, the EDPB and the EU Commission, assisting them in evaluating codes in a consistent manner and streamlining the procedures involved in the assessment process. They should also provide greater transparency, ensuring that code owners who intend to seek approval for a code of conduct intended to be used as a tool for transfers are aware of the process and understand the formal requirements and the appropriate thresholds for setting up such a code of conduct.
Codes of conduct
The GDPR requires that controllers/processors put in place appropriate safeguards for transfers of personal data by or to third countries or international organisations. To that end, the GDPR diversifies the appropriate safeguards that may be used by organisations for framing transfers to third countries by introducing, amongst others, codes of conduct as a new transfer mechanism.
Codes of conduct may be prepared by associations or other bodies representing categories of controllers or processors. A non-exhaustive list of possible associations could include: trade and representative associations, sectoral organisations, academic organisations and interest groups.
To be adopted, a code intended for transfers needs to be first approved by a competent supervisory authority in the EEA and then recognised by the EU Commission as having general validity within the Union by way of an implementing act. Helpfully, the CoC Guidelines include a flow chart, set out in the annex, which details the procedural steps for adopting a code of conduct intended for transfers.
Content of codes of conduct
Most notably, the CoC Guidelines address the content of such codes of conduct. The so-called checklist of elements to be included in a code of conduct intended for transfers also takes account of the Court of Justice of the European Union’s judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) (Schrems II). Whilst the EDPB further clarified that it will issue additional guidance in the future on the elements included in the checklist, we expect the following elements, which a code of conduct intended for transfers must cover, to remain the same:
- A description of transfers to be covered by the code (nature of data transferred, categories of data subjects, countries);
- A description of the data protection principles to be complied with under the code (transparency, fairness and lawfulness, purpose limitation, data minimisation and accuracy, limited storage of data, processing of sensitive data, security and, for processors, compliance with instructions from the controller), including rules on using processors or sub-processors and rules on onward transfers;
- Accountability measures to be taken under the code;
- The setting up of an appropriate governance structure through DPOs or other privacy staff in charge of compliance with the data protection obligations resulting from the code;
- The existence of a suitable training program on the obligations arising from the code;
- The existence of a data protection audit and transparency measures;
- The provision of data subject rights;
- The creation of third-party beneficiary rights for data subjects to enforce the rules of the code as third-party beneficiaries;
- The existence of an appropriate complaint handling process maintained by the monitoring body which, if deemed appropriate, may be complemented by an internal procedure of the code member for managing complaints;
- The mechanisms for dealing with changes to the code and the consequences of withdrawal of a member from the code; and
- Various commitments including a commitment for the code member and monitoring body to cooperate with EEA supervisory authorities and a commitment for the code member to accept to be subject to the jurisdiction of the EEA supervisory authority.
Codes of conduct should be seen as an effective accountability tool that can ensure a consistent approach to GDPR compliance across various industries. Organisations that adhere to an approved code of conduct will most likely be looked at favourably, and this will be a factor taken into consideration by supervisory authorities when evaluating the organisation's compliance or when imposing any administrative fines.
The EDPB welcomes comments on the CoC Guidelines until 1st October 2021. If you would like to offer feedback, you can do so by accessing this link.