Codes of conduct and certification mechanisms
National supervisory authorities and the European Data Protection Board monitor and supervise GDPR compliance. To facilitate this, the GDPR provides several arrangements to streamline legal compliance and provide guidance. This includes regulatory tools of self-regulation, co-regulation and public-private partnership such as codes of conduct, certification mechanisms, binding corporate rules and standard data protection clauses. These are useful tools to help facilitate data processing activities and they help create evidence to support legal compliance.
Codes of conduct
Codes of conduct (Article 40) need to include measures specifying the application of the GDPR and contain mechanisms that enable supervisory authorities to carry out mandatory monitoring of compliance. Drafts, amendments or extensions of codes of conduct need to be submitted to the supervisory authority for approval or, in some cases, to the European Data Protection Board or the European Commission.
Certification mechanisms
Data protection certification mechanisms, seals and marks (Article 42) can also be used as evidence to demonstrate compliance with the GDPR. Certification is voluntary and available via a transparent process. Criteria for certification are approved by competent supervisory authorities and certification is issued by accredited certification bodies or competent supervisory authorities.
Binding corporate rules
Binding corporate rules (Article 47) are internal rules, adopted by multinational groups of companies. These rules define their global policy with regard to international data transfers to entities located in countries without an adequate level of protection. Binding corporate rules are seen as appropriate safeguards for transfers of personal data outside the EU. Therefore they require approval from the competent supervisory authority in accordance with the consistency mechanism.
Standard data protection clauses
Standard data protection clauses (Article 46) are also used for data transfers outside the EU. Transfers outside the EU are permitted under the GDPR without approval of supervisory authorities on the condition that they are made on the basis of standard (contractual) data protection clauses. Such standard clauses are either adopted by the Commission or adopted by a supervisory authority and approved by the Commission.
The following link gives an example of a code of conduct on privacy for mHealth apps. Please keep in mind that this code has not yet been approved.