Guidelines 01/2019 on Codes of Conduct and Monitoring Bodies under the GDPR

SECTION 14  REVOCATION OF A MONITORING BODY

85. When a monitoring body does not comply with applicable provisions of the GDPR, a CompSA will also have the powers to revoke the accreditation of a monitoring body under Article 41(5). It is important that the code owner sets out in the Code suitable provisions to address a revocation scenario.

86. However, the consequences of revoking the accreditation of the sole monitoring body for a code may result in the suspension, or permanent withdrawal, of that code due to the loss of the required compliance monitoring. This may adversely affect the reputation or business interests of code members, and may result in a reduction of trust of data subjects or other stakeholders.

87. Where circumstances permit, revocation should only take place after the CompSA has given the monitoring body the opportunity to urgently address issues or make improvements as appropriate within an agreed timescale. In cases which involve transnational codes, the CompSA should, before agreeing to setting parameters with the monitoring body to address the issues raised, liaise with concerned SAs on the matter. The decision to revoke a monitoring body should also be communicated to all concerned SAs and the Board (for the purposes of Article 40 (11)).