Guidelines 01/2019 on Codes of Conduct and Monitoring Bodies under the GDPR

Section 1.1  Scope of these guidelines

3. The aim of these guidelines is to provide practical guidance and interpretative assistance in relation to the application of Articles 40 and 41 of the GDPR. They are intended to help clarify the procedures and the rules involved in the submission, approval and publication of codes at both a National and European level. They intend to set out the minimum criteria required by a Competent Supervisory Authority (“CompSA”) before accepting to carry out an in depth review and evaluation of a code. Further, they intend to set out the factors relating to the content to be taken into account when evaluating whether a particular code provides and contributes to the proper and effective application of the GDPR. Finally, they intend to set out the requirements for the effective monitoring of compliance with a code.

4. These guidelines should also act as a clear framework for all CompSAs, the Board and the Commission to evaluate codes in a consistent manner and to streamline the procedures involved in the assessment process. This framework should also provide greater transparency, ensuring that code owners who intend to seek approval for a code are fully conversant with the process and understand the formal requirements and the appropriate thresholds required for approval.

5. Guidance on codes of conduct as a tool for transfers of data as per Article 40 (3) of the GDPR will be considered in separate guidelines to be issued by the EDPB.

6. All codes previously approved will need to be reviewed and re-evaluated in line with therequirements of the GDPR and then resubmitted for approval as per the requirements of Articles 40 and 41 and as per the procedures outlined in this document.