Guidelines 01/2019 on Codes of Conduct and Monitoring Bodies under the GDPR

Section 12.5  Transparent complaints handling

74. A monitoring body will need to establish effective procedures and structures which can deal with complaints handling in an impartial and transparent manner. As such, it needs to have a publicly accessible complaints handling process which is sufficiently resourced to manage complaints and to ensure that decisions of the body are made publicly available.

For example, evidence of a complaints handling procedure could be a described process to receive, evaluate, track, record and resolve complaints. This could be outlined in publicly available guidance for the code so that a complainant can understand and follow the complaints process. Furthermore, the independence of such processes could be assisted by separate operational staff and management functions in the monitoring body.

75. Monitoring bodies should also have effective procedures to ensure compliance with the code by controllers or processors. An example would be to give the monitoring body powers to suspend or exclude a controller or processor from the code when it acts outside the terms of the code (i.e.corrective measures).

76. If a code member breaks the rules of the code, the monitoring body is obliged to take immediate suitable measures. The aim of suitable corrective measures will be to stop the infringement and to avoid future recurrence. Such remedial actions and sanctions could include such measures ranging from training to issuing a warning, report to the Board of the member, a formal notice requiring the implementation of specific actions within a specified deadline, temporary suspension of the member from the code until remedial action is taken to the definitive exclusion of such member from the code. These measures could be publicised by the monitoring body, especially where there are serious infringements of the code.

77. Where required, the monitoring body should be able to inform the code member, the code owner, the CompSA and all concerned SAs about the measures taken and its justification without undue delay. Moreover, in the case where a Lead Supervisory Authority (LSA) for a transnational code member is identifiable, the monitoring body should also appropriately inform the LSA as to its actions.