Codes of conduct and certification

According to the General Data Protection Regulation, a code of conduct is a set of guidelines that contribute to the companies or organisations that have adopted the code applying the General Data Protection Regulation's rules properly.

The guidelines in the code of conduct are to help ensure proper application of the General Data Protection Regulation's provisions by specifying how personal data may be processed in specific cases. This might for example involve establishing detailed procedures to be followed for a specific type of personal data processing.

A code of conduct may thus be used for a certain kind of personal data processing that is common within, for example, a particular, well-defined, sector. Adherence to a code of conduct is a way of demonstrating that the data controller or data processor fulfils its obligations under the General Data Protection Regulation.

It is important to be aware that adoption of or adherence to a code of conduct does not in itself constitute proof of compliance with the General Data Protection Regulation. This also means that adherence to a code of conduct does not free a data controller or data processor from its responsibilities under the General Data Protection Regulation. Application of a code of conduct can, however, affect for example the level of any fines that are imposed.

The Regulation also mentions certification mechanisms, seals and marks for data protection as possible ways for data controllers or processors to demonstrate that their processing of personal data complies with the Regulation.

Who can draw up a code of conduct?

According to the General Data Protection Regulation, a code of conduct can be devised by associations or other bodies that represent categories of data controllers or data processors. Professional associations and other trade associations, for example, can be considered to represent categories of data controllers or data processors.

Professional associations and organisations are particularly well suited to draw up codes of conduct since they can be assumed to have a thorough knowledge of what kind of personal data processing occurs in their industry. They should thus also know what particular challenges and particular issues are especially important to give guidance on to data controllers and data processors who are active in the industry in order to ensure proper application of the General Data Protection Regulation.

What can a code of conduct be used for?

A code of conduct can first and foremost specify the application of the General Data Protection Regulation for a specific industry or sector. Paragraphs (a) to (k) of Article 40.2 list what a code of conduct can specify. The examples are not exhaustive and a code of conduct does not need to contain guidance in all the areas listed.

• fair and transparent processing,
• the legitimate interests pursued by controllers in specific contexts,
• the collection of personal data,
• the pseudonymisation of personal data,
• the information provided to the public and to data subjects,
• the exercise of the rights of data subjects,
• the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained,
• the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32,
• the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects,
• the transfer of personal data to third countries or international organisations,
• out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.

Different codes of conduct can thus focus on different provisions of the General Data Protection Regulation. In one industry the biggest challenge might be to determine what security measures need to be taken to protect the personal data that is processed while in another industry guidance is needed on what information is to be provided to he data subjects and in what way.

In addition to this, other provisions of the General Data Protection Regulation state that data controllers and data processors can use adherence to a code of conduct as a factor to demonstrate that they satisfy the Regulation's requirements, that adherence to a code of conduct can affect whether fines are to be imposed and the amount of any such fine.

How a code of conduct is devised and what the minimum requirements regarding its contents are

Before a code of conduct can be used to specify the application of the General Data Protection Regulation, it must have Swedish Authority for Privacy Protection's approval.

For a code of conduct to be approved it must satisfy a number of minimum requirements that together ensure that the code of conduct provides sufficient guarantees. In order for a code to be approved, a monitoring body must be identified and accredited by the Swedish Authority for Privacy Protection as being capable of effectively monitoring the code. The criteria upon which the accreditation is being issued are to be drawn up by Swedish Authority for Privacy Protection authority.

The criteria that a code of conduct must satisfy for it to be considered to contain sufficient guarantees are:

• A code of conduct must meet a particular need.
• A code of conduct must facilitate the effective application of the GDPR.
• A code of conduct must specify the application of the GDPR.
• A code of conduct must provide sufficient safeguards.
• A code of conduct must provide mechanisms which will allow for effective oversight.

Certification

The actual issuing of a certification is to be handled by an accredited certification body. The national accreditation body Swedac is to issue accreditation.

The criteria upon which an the accreditation body is to base its assessments are to be drawn up by the national supervisory authority, that is to say Swedish Authority for Privacy Protection. Swedish Authority for Privacy Protection is also to approve the criteria on which certification is based.

The European Data Protection Board has developed guidelines on certification and certification criteria (2) and on the accreditation of certification bodies (3) .
ion is based.

Footnotes

(1) The European Data Protection Board has developed an EU-wide guide concerning codes of conduct that lists the minimum requirements regarding the content of a code of conduct 
(2) Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation - version adopted after public consultation | European Data Protection Board (europa.eu)
(3) Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679) | European Data Protection Board (europa.eu)