Guidelines 01/2019 on Codes of Conduct and Monitoring Bodies under the GDPR
SECTION 11 MONITORING OF A CODE
60. In order for a code (national or transnational) to be approved, a monitoring body (or bodies) must be identified as part of the code and accredited by the CompSA as being capable of effectively monitoring the code. The CompSA will submit its draft requirements for accreditation of a monitoring body to the Board pursuant to the consistency mechanism referred to in Article 63 of the GDPR. Once approved by the Board, the requirements can then be applied by the CompSA to accredit a monitoring body.
61. The GDPR does not define the term ‘accreditation’. However, Article 41(2) of the GDPR outlines general requirements for the accreditation of the monitoring body. There are a number of requirements which should be met in order to satisfy the CompSA to accredit a monitoring body. Code owners will need to explain and demonstrate how their proposed monitoring body meets the requirements set out in Article 41(2) to obtain accreditation.
62. The GDPR provides flexibility around the type and structure of a monitoring body to be accredited under Article 41. Code owners may decide to use external or internal monitoring bodies, provided that in both cases the relevant body meets the accreditation requirements of Article 41(2) as outlined in the eight requirements listed below (see sections 12.1 up to and including 12.8).