Guidelines 01/2019 on Codes of Conduct and Monitoring Bodies under the GDPR

Section 6.3  Specifies the application of the GDPR

36. Codes will need to specify the practical application of the GDPR and accurately reflect the nature of the processing activity or sector. They should be able to provide clear industry specificim provements in terms of compliance with data protection law. Codes will need to set out realistic and attainable standards for all their members, and they will need to be of a necessary quality and internal consistency to provide sufficient added value. In other words, a draft code will need to be adequately focused on particular data protection areas and issues in the specific sector to which it applies and it will need to provide sufficiently clear and effective solutions to address those areas and issues.

37. A code should not just re-state the GDPR. Instead, it should aim to codify how the GDPR shall apply in a specific, practical and precise manner. The agreed standards and rules will need to be unambiguous, concrete, attainable and enforceable (testable). Setting out distinct rules in the particular field is an acceptable method by which a code can add value. Using terminology that is unique and relevant to the industry and providing concrete case scenarios or specific examples of ‘best practice’ may help to meet this requirement

38. Outlining plans to promote the approved code so individuals are informed of its existence and contents may also assist in reaching the standard of “specifying the application of the GDPR”. It isvital that codes are able to provide operational meaning to the principles of data protection as articulated in Article 5 of the GDPR. It is also vital that codes properly take into account relevant opinions and positions published or endorsed by the Board to that particular sector or processing activity.

For example, codes containing specifications with regard to processing activities, might also facilitate the identification of adequate legal grounds for these processing activities in the Member States to which they intend to apply.