GDPR 101: Codes of Conduct

Updated: Apr 13, 2020

“What are the Codes of Conduct?”

Codes of conduct are sets of rules that set out agreed norms, in this case the norms for an organisation's compliance with the GDPR. Under Article 40, they are drawn up by associations and other bodies representing categories of controllers or processors, and a draft code must be submitted to the competent supervisory authority (the national data protection authority), which approves it if it provides sufficient appropriate safeguards. Where a code covers processing in several member states, the supervisory authority forwards it to the European Data Protection Board (EDPB) for an opinion, and the European Commission may then adopt an implementing act that gives the approved code general validity within the European Union.

The Codes of Conduct Checklist

For a code of conduct to be a useful guide to an organisation's compliance, it should specify how the GDPR applies in concrete terms. Article 40(2) lists the areas a code may address, including:

  1. Fair and transparent processing, and the collection of personal data

  2. Pseudonymisation of personal data

  3. Information provided to the public and to data subjects

  4. The exercise of the rights of data subjects

  5. The legitimate interests pursued by controllers in specific contexts

  6. Notification of personal data breaches to supervisory authorities and communication to data subjects

  7. The data controller's obligations under Articles 24 and 25 (responsibility and data protection by design and by default) and the security measures required by Article 32

  8. Out-of-court proceedings and other dispute resolution procedures

When private bodies draw up a code of conduct, Recital 99 encourages them to consult relevant stakeholders, including data subjects where feasible, so that their perspective is reflected in the content of the code.

Approved codes also matter for companies located outside the European Union. Under Article 40(3), a controller or processor that is not itself subject to the GDPR may adhere to an approved code and make binding and enforceable commitments to apply its safeguards; under Article 46(2)(e), such adherence then counts as an appropriate safeguard for transferring the personal data of data subjects in the EU to that company. Adherence is also documented evidence that the controllers and processors involved followed the agreed rules.

Codes of conduct therefore give controllers and processors a concrete, sector-specific description of what compliant data processing looks like, rather than leaving each organisation to interpret the Regulation on its own.

Certifications, Marks and Seals

Alongside codes of conduct, Article 42 provides for data protection certification mechanisms, seals and marks, which a company can use to show potential clients and partners that its processing has been assessed against the requirements of the GDPR.

Certification is issued either by the competent supervisory authority or by certification bodies accredited under Article 43 (by the supervisory authority or the national accreditation body of a member state). The EDPB does not issue certifications itself, but it may approve a common set of criteria, which results in a certification known as the European Data Protection Seal.

Certification is voluntary and does not reduce a controller's or processor's responsibility for compliance, but it offers two practical advantages:

  1. It helps data controllers and data processors demonstrate that their processing operations comply with the Regulation (Article 42(1))

  2. A controller or processor outside the European Union that obtains certification and makes binding and enforceable commitments to apply its safeguards can rely on it as an appropriate safeguard for international transfers under Article 46(2)(f) (Article 42(2))

The criteria a company must meet to obtain certification are approved by the competent supervisory authority or, for common criteria, by the EDPB (Article 42(5)), and the EDPB maintains a public register of all certification mechanisms, seals and marks (Article 42(8)). Certification is valid for a maximum of three years and can be renewed or withdrawn. For a company, a published certification works as a "medal of honour" for its commitment to compliance and to protecting data subjects, which in turn helps to earn their trust.