Authors: Alexander Roßnagel and Philipp Richter
(1) Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, the monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for that purpose by the competent supervisory authority.
(2) A body as referred to in paragraph 1 may be accredited to monitor compliance with a code of conduct where that body has:
a) demonstrated its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory authority;
b) established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;
c) established procedures and structures to handle complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make those procedures and structures transparent to data subjects and the public; and
d) demonstrated to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.
(3) The competent supervisory authority shall submit the draft criteria for accreditation of a body as referred to in paragraph 1 of this Article to the Board pursuant to the consistency mechanism referred to in Article 63.
(4) Without prejudice to the tasks and powers of the competent supervisory authority and the provisions of Chapter VIII, a body as referred to in paragraph 1 of this Article shall, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent supervisory authority of such actions and the reasons for taking them.
(5) The competent supervisory authority shall revoke the accreditation of a body as referred to in paragraph 1 if the conditions for accreditation are not, or are no longer, met or where actions taken by the body infringe this Regulation.
(6) This Article shall not apply to processing carried out by public authorities and bodies.
I. Aim and purpose of the provision
Non-public controllers and processors can have compliance with their codes of conduct monitored by accredited private bodies.[1] This strengthens the self-responsibility of associations and other bodies, since they monitor their own codes of conduct. Because compliance with a code will be monitored by an independent private monitoring body, controllers and processors gain trust in the codes of conduct of their respective association and have a stronger incentive to submit to them.[2] They cannot, however, expect to escape monitoring by public administration entirely: as para. 1 makes perfectly clear, final responsibility for compliance with the GDPR stays with the competent supervisory authority.
Nevertheless, the accreditation of private monitoring bodies reduces the workload of the supervisory authority. The authority keeps full responsibility for monitoring, but it may leave the primary monitoring of compliance with codes of conduct, which make the requirements of the GDPR more precise or concrete, to the monitoring bodies. At the same time, the range of its tasks, and thus its burden, grows, because it must develop the criteria for accreditation under para. 3 and carry out the accreditation procedure under para. 2.[3]
According to para. 6, the provision does not apply to the monitoring of processing by public authorities or other public bodies. Such processing may not be monitored by private monitoring bodies, but only by the competent supervisory authority.
The obligations of the monitoring bodies are enforced in three ways: by measures of the supervisory authority under Art. 58 directed at the controllers and processors concerned, by revocation of the monitoring body's accreditation under para. 5, and by administrative fines imposed on the monitoring body itself under Art. 83 para. 4 lit. c.
II. History of origins
The provision has no precedent; there is no corresponding provision in the Data Protection Directive (DPD). The notion that the industry concerned would not only regulate itself but also monitor itself through independent monitoring bodies, mostly drawn from the associations which developed the codes of conduct, did not appear in any draft before the draft of the Council. Apart from editorial amendments, it was incorporated into the GDPR without changes. No recital refers to the provision.
[…]
[1] EDPB Guidelines 1/2019 para. 16 et seq., 40 et seq., 60.
[2] Kranig/Peintinger, ZD 2014, 3 (7).
[3] Roßnagel, Die Datenschutzaufsicht nach der Datenschutz-Grundverordnung, 67 et seq., 110.