Guidelines 01/2019 on Codes of Conduct and Monitoring Bodies under the GDPR
Section 12.1 Independence
63. The code owners will need to demonstrate that the body concerned is appropriately independent, in terms of the impartiality of its function, from the code members and from the profession, industry or sector to which the code applies. Independence could be evidenced in a number of areas, such as the monitoring body's funding, the appointment of its members/staff, its decision-making process and, more generally, its organisational structure. These are considered in more detail below.
64. There are two main models of monitoring which could be used by code owners to fulfil the monitoring body requirements: an external monitoring body and an internal monitoring body. There is some flexibility within these two approaches, and different versions could be proposed where appropriate given the context of the code. Examples of internal monitoring bodies could include an ad hoc internal committee or a separate, independent department within the code owner. It will be for the code owners to explain the risk management approach with regard to the body's impartiality and independence.
65. For instance, where an internal monitoring body is proposed, its staff, management, accountability and function should be separate from other areas of the organisation. This may be achieved in a number of ways, for example through effective organisational and information barriers and separate reporting and management structures for the association and the monitoring body. Similar to a data protection officer, the monitoring body should be able to act free from instructions and shall be protected from any sort of sanction or interference (whether direct or indirect) as a consequence of the fulfilment of its tasks.
66. Independence could require that an external counsel or other party which participated in the drafting of the code of conduct demonstrate that appropriate safeguards are in place to sufficiently mitigate a risk to independence or a conflict of interest. The monitoring body would need to provide evidence of the appropriateness of the mechanisms which would satisfactorily identify and mitigate such risks. A monitoring body will need to identify risks to its impartiality on an ongoing basis, such as those arising from its activities or from its relationships. If a risk to impartiality is identified, the monitoring body should demonstrate how it removes or minimises that risk and uses an appropriate mechanism for safeguarding impartiality.
67. Independence could also be demonstrated by showing full autonomy for the management of the budget and other resources, in particular in cases where the monitoring body is internal. A monitoring body would also need to be able to act independently in its choice and application of sanctions against a controller or processor adhering to the code. In essence, the body – either internal or external – will need to act independently from code owners and members within the scope of the code in performing its tasks and exercising its powers.