Codes of conduct and certification mechanisms

In this video, Melania Tudorica introduces and explains codes of conduct, certification mechanisms and binding corporate rules.

National supervisory authorities and the European Data Protection Board monitor and supervise GDPR compliance. To facilitate this, the GDPR provides several arrangements to streamline legal compliance and provide guidance. This includes regulatory tools of self-regulation, co-regulation and public-private partnership such as codes of conduct, certification mechanisms, binding corporate rules and standard data protection clauses. These are useful tools to help facilitate data processing activities and they help create evidence to support legal compliance.

Codes of conduct

Codes of conduct (Article 40) need to include measures specifying the application of the GDPR and contain mechanisms that enable supervisory authorities to carry out mandatory monitoring of compliance. Drafts, amendments or extensions of codes of conduct need to be submitted to the supervisory authority for approval or, in some cases, to the European Data Protection Board or the European Commission.

Certification mechanisms

Data protection certification mechanisms, seals and marks (Article 42) can also be used as evidence to demonstrate compliance with the GDPR. Certification is voluntary and available via a transparent process. Criteria for certification are approved by competent supervisory authorities and certification is issued by accredited certification bodies or competent supervisory authorities.

Binding corporate rules

Binding corporate rules (Article 47) are internal rules, adopted by multinational groups of companies. These rules define their global policy with regard to international data transfers to entities located in countries without an adequate level of protection. Binding corporate rules are seen as appropriate safeguards for transfers of personal data outside the EU. Therefore they require approval from the competent supervisory authority in accordance with the consistency mechanism.

Standard data protection clauses

Standard data protection clauses (Article 46) are also used for data transfers outside the EU. Transfers outside the EU are permitted under the GDPR without approval of supervisory authorities on the condition that they are made on the basis of standard (contractual) data protection clauses. Such standard clauses are either adopted by the Commission or adopted by a supervisory authority and approved by the Commission.

In the following link you can find an example of a code of conduct on privacy for mHealth apps. Please keep in mind that the code is not yet approved.

This article is from the free online course Understanding the GDPR.

Created by
FutureLearn - Learning For Life
