In this video, we will give you a brief overview of codes of conduct, certification mechanisms, and binding corporate rules under the GDPR. For data controllers and processors, these provisions are useful to help facilitate data processing activities. For data subjects, it is interesting to get familiar with the safeguards and processing practices. National supervisory authorities and the European Data Protection Board monitor and supervise GDPR compliance. This is an enormous task. Therefore, to facilitate this, the GDPR provides several arrangements to streamline legal compliance and provide guidance. This includes regulatory tools of self-regulation, co-regulation, and public-private partnerships, such as codes of conduct, certification mechanisms, binding corporate rules, and standard data protection clauses.

For controllers and processors, codes of conduct are an important tool for achieving legal compliance and creating evidence to support this. Member states' supervisory authorities, the Board, and the Commission encourage drafting codes of conduct. Such codes of conduct can be prepared, amended, or extended by associations and other bodies representing categories of controllers and processors. Codes of conduct need to include measures specifying the application of the GDPR. This includes, for example, the collection and pseudonymisation of personal data, exercise of data subjects' rights, and notification of a data breach. Codes of conduct contain mechanisms that enable supervisory authorities to carry out mandatory monitoring of compliance. Drafts, amendments, or extensions of codes of conduct need to be submitted to the supervisory authority for approval.

In some cases, in particular in cross-border data processing activities, approval from the Board or Commission might even be necessary for recognising the general validity of codes of conduct within the EU. Apart from supervisory authorities, other competent bodies with an appropriate level of expertise and accreditation can also monitor compliance with codes of conduct. Drafting codes of conduct is one thing. Committing to them is another. It is important in the sense that it can provide evidence that controllers and processors comply with the GDPR. This not only counts for controllers and processors within the EU, but also for those who are not subject to the GDPR, in order to provide appropriate data protection safeguards.

Data protection certification mechanisms, seals, and marks can also be used as evidence to demonstrate compliance with the GDPR. The establishment thereof is therefore encouraged at EU level. While these mechanisms may demonstrate compliance, they do not reduce any responsibilities under the GDPR. Certification is voluntary and available via a transparent process. Criteria for certification are approved by competent supervisory authorities, and the certification is then issued by accredited certification bodies or the competent supervisory authorities. Certification criteria approved by the Board constitute a common certification, referred to as the European Data Protection Seal. Certifications are valid for a maximum of three years, after which they can be renewed or withdrawn.

Binding corporate rules, or BCRs, like codes of conduct, are internal rules adopted by multinational groups of companies. These rules define their global policy with regard to international data transfers to entities located in countries without an adequate level of protection. Binding corporate rules are seen as appropriate safeguards for transfers of personal data outside the EU. Therefore, they require approval from the competent supervisory authority in accordance with the consistency mechanism. Binding corporate rules are approved provided that they are legally binding, applied, and enforced by every member of the group. The rules have to expressly confer enforceable rights on data subjects and have to meet the set of minimum requirements as determined by the GDPR to ensure sufficient data protection.

Like binding corporate rules, standard data protection clauses are also used for data transfers outside the EU. Transfers outside the EU are permitted under the GDPR without approval of supervisory authorities on the condition that they are made on the basis of standard contractual data protection clauses. Such standard data protection clauses are either adopted by the Commission or adopted by a supervisory authority and approved by the Commission. If you're interested in GDPR obligations regarding data transfers outside the EU, please follow the following steps for this week. You have seen that codes of conduct, certification mechanisms, binding corporate rules, and standard data protection clauses can be used to facilitate data transfers and demonstrate legal compliance.

When incorporated into business policies and practices, they can serve as an advantage for controllers and processors.

Codes of conduct and certification mechanisms

National supervisory authorities and the European Data Protection Board monitor and supervise GDPR compliance. To facilitate this, the GDPR provides several arrangements to streamline legal compliance and provide guidance. This includes regulatory tools of self-regulation, co-regulation and public-private partnership such as codes of conduct, certification mechanisms, binding corporate rules and standard data protection clauses. These are useful tools to help facilitate data processing activities and they help create evidence to support legal compliance.

Codes of conduct

Codes of conduct (Article 40) need to include measures specifying the application of the GDPR and contain mechanisms that enable supervisory authorities to carry out mandatory monitoring of compliance. Drafts, amendments or extensions of codes of conduct need to be submitted to the supervisory authority for approval or, in some cases, to the European Data Protection Board or the European Commission.

Certification mechanisms

Data protection certification mechanisms, seals and marks (Article 42) can also be used as evidence to demonstrate compliance with the GDPR. Certification is voluntary and available via a transparent process. Criteria for certification are approved by competent supervisory authorities and certification is issued by accredited certification bodies or competent supervisory authorities.

Binding corporate rules

Binding corporate rules (Article 47) are internal rules, adopted by multinational groups of companies. These rules define their global policy with regard to international data transfers to entities located in countries without an adequate level of protection. Binding corporate rules are seen as appropriate safeguards for transfers of personal data outside the EU. Therefore they require approval from the competent supervisory authority in accordance with the consistency mechanism.

Standard data protection clauses

Standard data protection clauses (Article 46) are also used for data transfers outside the EU. Transfers outside the EU are permitted under the GDPR without approval of supervisory authorities on the condition that they are made on the basis of standard (contractual) data protection clauses. Such standard clauses are either adopted by the Commission or adopted by a supervisory authority and approved by the Commission.

At the following link you can find an example of a code of conduct on privacy for mHealth apps. Please keep in mind that the code is not yet approved.

This video is from the free online course:

Understanding the GDPR

University of Groningen