Guidelines 01/2019 on Codes of Conduct and Monitoring Bodies under the GDPR
SECTION 1 INTRODUCTION
1. Regulation 2016/679 (“the GDPR”) came into effect on 25 May 2018. One of the main objectives of the GDPR is to provide a consistent level of data protection throughout the European Union and to prevent divergences hampering the free movement of personal data within the internal market. The GDPR also introduces the principle of accountability, which places the onus on data controllers to be responsible for, and be able to demonstrate, compliance with the Regulation. The provisions under Articles 40 and 41 of the GDPR in respect of codes of conduct (“codes”) represent a practical, potentially cost-effective and meaningful method to achieve greater levels of consistency of protection for data protection rights. Codes can act as a mechanism to demonstrate compliance with the GDPR. Notably, they can help to bridge the harmonisation gaps that may exist between Member States in their application of data protection law. They also provide an opportunity for particular sectors to reflect upon common data processing activities and to agree to bespoke and practical data protection rules, which will meet the needs of the sector as well as the requirements of the GDPR.
2. Member States, Supervisory Authorities, the European Data Protection Board (“the Board”) and the European Commission (“the Commission”) are obliged to encourage the drawing up of codes to contribute to the proper application of the Regulation. These guidelines will support and facilitate “code owners” in drafting, amending or extending codes.