Authors: Alexander Roßnagel and Philipp Richter

 

(1) The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.

(2) Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:

a) fair and transparent processing;

b) the legitimate interests pursued by controllers in specific contexts;

c) the collection of personal data;

d) the pseudonymisation of personal data;

e) the information provided to the public and to data subjects;

f) the exercise of the rights of data subjects;

g) the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;

h) the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32;

i) the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects;

j) the transfer of personal data to third countries or international organisations; or

k) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.

(3) In addition to adherence by controllers or processors subject to this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article and having general validity pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (e) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards including with regard to the rights of data subjects.

(4) A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of supervisory authorities competent pursuant to Article 55 or 56.

(5) Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the supervisory authority which is competent pursuant to Article 55. The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards.

(6) Where the draft code, or amendment or extension is approved in accordance with paragraph 5, and where the code of conduct concerned does not relate to processing activities in several Member States, the supervisory authority shall register and publish the code.

(7) Where a draft code of conduct relates to processing activities in several Member States, the supervisory authority which is competent pursuant to Article 55 shall, before approving the draft code, amendment or extension, submit it in the procedure referred to in Article 63 to the Board which shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3 of this Article, provides appropriate safeguards.

(8) Where the opinion referred to in paragraph 7 confirms that the draft code, amendment or extension complies with this Regulation, or, in the situation referred to in paragraph 3, provides appropriate safeguards, the Board shall submit its opinion to the Commission.

(9) The Commission may, by way of implementing acts, decide that the approved code of conduct, amendment or extension submitted to it pursuant to paragraph 8 of this Article have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).

(10) The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 9.

(11) The Board shall collate all approved codes of conduct, amendments and extensions in a register and shall make them publicly available by way of appropriate means.

 

Ι. Aim and purpose of the provision

Many provisions of the GDPR are highly abstract and too general to be executed and sanctioned in a procedure following the rule of law. Since the EU-legislator has insufficiently fulfilled its regulative function, but it needs to be decided in individual cases, if data may be processed, others will have to lay down the rules necessary for this decision.[1] The provisions need to be made more precise and concrete by further rules. The GDPR puts this duty on the Member States, the supervisory authorities or – in this provision – associations and other bodies representing controllers and processors. By establishing codes of conduct, they may interpret provisions of the GDPR for specific sectors. Codes of Conduct are instruments of self-regulation alongside data protection certification as laid down in Art. 42.

The drawing up of codes of conduct by trade associations and inter-trade organisations might facilitate data protection. It might activate responsibility of controllers, it might take advantage of their knowledge of possibilities of economically fulfilling data protection requirements, it might strengthen their interest in data protection by design and it might clarify the abstract requirements of the GDPR, so that they may be better executed. However, it might also lead to attempts at softening data protection requirements and aligning implementation of data protection law only to or mostly to the business needs of controllers or processors.

By encouraging and approving codes of conduct by the addressees of the regulation, the GDPR adopts the concept of co-regulation by the state and associations. In this, the provision uses the mode of regulated self-regulation.[2] The GDPR has made the most important decisions itself in order to do justice to the fundamental rights of the controllers as well as the data subjects and in order to live up to the principle of democracy. With this provision it lays down these decisions as objectives for self-regulation by associations and other bodies but leaves them the opportunity to fill them in according to specific sectors. At the same time, the provision lays down rules of self-regulation and the approval of its results, thus makes possible for codes of conduct to be used as binding (for supervisory authorities) data protection codes. However, codes of conduct cannot establish separate provisions for the processing of personal data, they may only concretize and specify the existing provisions of the GDPR.[3]

The concept of self-regulation by interest groups has not been very successful so far in European data protection. In Germany under the DPD, only two approved codes of conduct have been developed in over 20 years[4] and in other Member States the development has not been very encouraging either. Only in one case, codes of conduct have been approved union-wide.[5] Since the GDPR has been applied, only the codes of conduct of the federation “Wirtschaftsauskunfteien e.V.“ from 25.5.2018, the codes of conduct for notaries by the Federal Chamber of Notaries from May 2022 and the codes of conduct by the GDD e.V./BvD e.V., „Requirements for Processors according to Art. 28 GDPR  – Trusted Data Processor“ from November 2022 have been approved in Germany. Unionwide, only few codes of conduct have been approved, namely in Spain the “Autocontrol Code of Conduct” of the “Asociación para la Autorregulación de la Comunicación Comercial (AUTOCONTROL) from 9.10.2020; in the Netherlands the “Data Pro Code” of the “Nederland ICT (NL Digital)“ from 10.8.2020 and in Austria the codes of conduct “Data Protection of the Association of Employees of Private Educational Institutions – BABE CoC” from 5.11.2019; in Italy, the „Codes of conduct and ethics in processing of personal data for commercial information purposes by „Assoziazione nazionale trab le imprese dir informazioni commerziali e di gestione del credito“ from 17.5.2021; in Belgium the “EU Data Protection Code of Conduct for Cloud Service Providers” by „Scope Europe“, approved by the EDPB on 19.5.2021; and in France the „Code of Conduct for Cloud Infrastructure Service Providers in Europe“ by „Cloud Infrastructure Service Providers Europe“ (CISPE), also approved by the EDPB on 19.5.2021. “Despite this hardly encouraging development, the provision aims at giving new impulses to this concept.

The provision applies only to non-public controllers and processors and not to public bodies. These cannot be monitored by private bodies according to Art. 41 (6). However, according to Art. 40 (4) codes of conduct need to contain mechanisms, which enable such bodies to carry out monitoring compliance with the codes of conduct (→ mn. 37). Such mechanisms are, however, not applicable to public authorities and bodies.[6]

 

 

 

[…]

 

 

 

[1]Cf. on this Roßnagel, Konzepte der Selbstregulierung, para. 3 et seq.

[2]Cf. on this Talidou, Regulierte Selbstregulierung, 27 et seq.; Roßnagel, Konzepte der Selbstregulierung, para. 19 et seq., 68 et seq.

[3]LDI NRW ZD-Aktuell 2019, 06606; Laue in Laue/Kremer, Neues DatenschutzR, § 8 para. 7.

[4]Codes of Conduct by the German Insurance Association of 07.09.2012 and the “Geo-Business Code of Conduct” of the “Selbstregulierung Informationswirtschaft (SRIW) e.V.” and the “Kommission für Geoinformationswirtschaft (GIW)” of 13.01.2015.

[5]Cf. for the sector of direct marketing the Code of Honor of the “Federation of European Direct Marketing”; Cf. also Art. 29 Data Protection Working Party, WP 77 and WP 174 on the revision of the Code in 2010.

[6]Differing opinion Wolff, ZD 2017, 151 (153) for public law chambers.