EDPB adopts final Codes of Conduct guidelines

By Jaclyn Jaeger2019-06-11T14:09:00+01:00

No comments

The European Economic Area Data Protection Authorities and the European Data Protection Supervisor met for their eleventh plenary session on June 4, in which the European Data Protection Board (EDPB) adopted a final version of the guidelines on Codes of Conduct, as well as final versions of the annex to the guidelines on accreditation and certification.

The aim of the guidelines on Codes of Conduct, the EDPB said, is to provide practical guidance and interpretative assistance in relation to the application of Articles 40 and 41 of the EU’s General Data Protection Regulation. “The guidelines intend to help clarify the procedures and the rules involved in the submission, approval, and publication of Codes of Conduct at both the national and the European level,” the EDPB said.

These guidelines should further act as a clear framework for all competent supervisory authorities, the EDPB, and the Commission to evaluate Codes of Conduct in a consistent manner and to streamline the procedures involved in the assessment process, the EDPB said.

Annex to guidelines on accreditation. At the eleventh plenary session, the EDPB also adopted a final version of the annex to the guidelines on accreditation, following public consultation, to enhance clarity. “The aim of the guidelines is to provide guidance on how to interpret and implement the provisions of Article 43 GDPR,” the EDPB said. “In particular, they aim to help member states, supervisory authorities, and national accreditation bodies establish a consistent and harmonized baseline for the accreditation of certification bodies that issue certification in accordance with the GDPR.”

“The annex provides guidance on the additional requirements for the accreditation of certification bodies to be established by the supervisory authorities. These additional requirements, before being adopted by supervisory authorities, are to be submitted to the EDPB for approval pursuant to Article 64(1)(c).”

Annex to the guidelines on certification. Following public consultation, the EDPB also adopted a final version of annex 2 to the guidelines on certification, expanding on certain sections—for example, whether the criteria address the obligation of the controller/processor to appoint a data protection officer and the obligation to keep records of the processing activities. The primary aim of these guidelines is to identify overarching criteria that may be relevant to all types of certification mechanisms issued in accordance with Article 42 and Article 43 of the GDPR.

“The annex identifies topics that data protection supervisory authorities and the EDPB will consider and apply for the approval of certification criteria for a certification mechanism,” the EDPB said. “The list is not exhaustive but presents the minimum topics to be considered.”

Websites

We are not responsible for the content of external sites

European Data Protection Board - Eleventh Plenary session

Jaclyn JaegerJaclyn Jaeger is an editor with Compliance Week and has written on a wide variety of topics, including ethics and compliance, risk management, legal, enforcement, technology, and more.

Topics

No comments

Webcast
CPE Webcast: Right to be forgotten versus need for backups
2020-11-24T14:00:00ZProvided by Archive 360
Do the EUs GDPR and California’s CCPA privacy regulations include the right of a data subject to have their personal information completely erased from all enterprise backups as well?
Article
Hanna Andersson agrees to pay $400K in CCPA-related breach lawsuit
2020-11-23T21:41:00Z
Children’s clothing retailer Hanna Andersson has agreed to pay $400,000 in what is believed to be the first monetary settlement for a lawsuit related to the California Consumer Privacy Act.
Article
Vodafone Italy fined $14.5M under GDPR for telemarketing tactics
2020-11-23T19:37:00Z
The Italian arm of multinational telecommunications company Vodafone is facing a fine of more than €12.25 million (U.S. $14.5 million) under the General Data Protection Regulation for aggressive telemarketing practices.

No comments yet

You're not signed in.

Only registered users can comment on this article.

More GDPR

Article
WhatsApp Ireland reserves $91.8M for potential GDPR fine
2020-11-20T19:17:00Z
The Irish arm of WhatsApp has set aside $91.8 million for possible administrative fines arising from long-standing investigations by Ireland’s data regulator into the way the messaging platform shares data with Facebook.
Article
German court cuts 1 & 1 Telecom GDPR fine by 90 percent
2020-11-16T18:23:00Z
Continuing a recent trend of massive fine reductions under the General Data Protection Regulation, 1 1 Telecom in Germany had its €9.55 million penalty issued last year reduced to €900,000 (U.S. $1.06 million) by a German court.
Article
BA, Marriott fine reductions latest wrench in GDPR enforcement harmony
2020-11-10T18:03:00Z
Lack of clarity on fines has dogged the GDPR since it took effect in May 2018, and the recent dramatic penalty reductions handed down by the U.K. in the cases of British Airways and Marriott certainly won’t help.

Membership exclusive: Carnival compliance case study

EDPB adopts final Codes of Conduct guidelines

Websites

European Data Protection Board - Eleventh Plenary session

Topics

Related articles

CPE Webcast: Right to be forgotten versus need for backups

Hanna Andersson agrees to pay $400K in CCPA-related breach lawsuit

Vodafone Italy fined $14.5M under GDPR for telemarketing tactics

No comments yet

Only registered users can comment on this article.

More GDPR

WhatsApp Ireland reserves $91.8M for potential GDPR fine

German court cuts 1 & 1 Telecom GDPR fine by 90 percent

BA, Marriott fine reductions latest wrench in GDPR enforcement harmony