The European Economic Area Data Protection Authorities and the European Data Protection Supervisor met for their eleventh plenary session on June 4, in which the European Data Protection Board (EDPB) adopted a final version of the guidelines on Codes of Conduct, as well as final versions of the annex to the guidelines on accreditation and certification.

The aim of the guidelines on Codes of Conduct, the EDPB said, is to provide practical guidance and interpretative assistance in relation to the application of Articles 40 and 41 of the EU’s General Data Protection Regulation. “The guidelines intend to help clarify the procedures and the rules involved in the submission, approval, and publication of Codes of Conduct at both the national and the European level,” the EDPB said.

These guidelines should further act as a clear framework for all competent supervisory authorities, the EDPB, and the Commission to evaluate Codes of Conduct in a consistent manner and to streamline the procedures involved in the assessment process, the EDPB said.

Annex to guidelines on accreditation. At the eleventh plenary session, the EDPB also adopted a final version of the annex to the guidelines on accreditation, following public consultation, to enhance clarity. “The aim of the guidelines is to provide guidance on how to interpret and implement the provisions of Article 43 GDPR,” the EDPB said. “In particular, they aim to help member states, supervisory authorities, and national accreditation bodies establish a consistent and harmonized baseline for the accreditation of certification bodies that issue certification in accordance with the GDPR.”

“The annex provides guidance on the additional requirements for the accreditation of certification bodies to be established by the supervisory authorities. These additional requirements, before being adopted by supervisory authorities, are to be submitted to the EDPB for approval pursuant to Article 64(1)(c).”

Annex to the guidelines on certification. Following public consultation, the EDPB also adopted a final version of annex 2 to the guidelines on certification, expanding on certain sections—for example, whether the criteria address the obligation of the controller/processor to appoint a data protection officer and the obligation to keep records of the processing activities. The primary aim of these guidelines is to identify overarching criteria that may be relevant to all types of certification mechanisms issued in accordance with Article 42 and Article 43 of the GDPR.

“The annex identifies topics that data protection supervisory authorities and the EDPB will consider and apply for the approval of certification criteria for a certification mechanism,” the EDPB said. “The list is not exhaustive but presents the minimum topics to be considered.”