GDPR Codes of Conduct

A GDPR “Code of Conduct” is a mechanism for providing guidelines to organisations that process data in particular ways, and allows them to demonstrate compliance with the requirements of the GDPR.

A code of conduct is voluntary, but compliance is continually monitored by an appropriate body that is accredited by a supervisory authority. In the UK, in most cases the supervisory authority will be the Information Commissioner's Office (ICO). The code of conduct allows for certifications, seals and marks which indicate clearly to consumers that a service or product complies with the code.

Members of an approved code of conduct will have their membership visible on the ICO's public register of UK approved codes of conduct and the EDPB’s public register for all codes of conduct in the EU.

What it might include

According to the ICO,[1] "Codes of conduct should help you comply with the law, and may cover topics such as:

  • fair and transparent processing;
  • legitimate interests pursued by controllers in specific contexts;
  • the collection of personal data;
  • the pseudonymisation of personal data;
  • the information provided to individuals and the exercise of individuals’ rights;
  • the information provided to and the protection of children (including mechanisms for obtaining parental consent);
  • technical and organisational measures, including data protection by design and by default and security measures;
  • breach notification;
  • data transfers outside the EU; or
  • dispute resolution procedures."


Who might be involved?

As noted by GDPR Recital 99, a consultation should be a public process which involves stakeholders and data subjects, and their responses should be taken into account during the drafting period: “When drawing up a code of conduct, or when amending or extending such a code, associations and other bodies representing categories of controllers or processors should consult relevant stakeholders, including data subjects where feasible, and have regard to submissions received and views expressed in response to such consultations.”

The code of conduct must be approved by a relevant supervisory authority (usually the ICO).

An accredited body that establishes a code of conduct and monitors compliance is able to establish its own structures and procedures under GDPR Article 41 to handle complaints regarding infringements of the code, or regarding the way it has been implemented.


References