EDPB adopts final Codes of Conduct guidelines

By Jaclyn Jaeger2019-06-11T14:09:00+01:00

No comments

The European Economic Area Data Protection Authorities and the European Data Protection Supervisor met for their eleventh plenary session on June 4, in which the European Data Protection Board (EDPB) adopted a final version of the guidelines on Codes of Conduct, as well as final versions of the annex to the guidelines on accreditation and certification.

The aim of the guidelines on Codes of Conduct, the EDPB said, is to provide practical guidance and interpretative assistance in relation to the application of Articles 40 and 41 of the EU’s General Data Protection Regulation. “The guidelines intend to help clarify the procedures and the rules involved in the submission, approval, and publication of Codes of Conduct at both the national and the European level,” the EDPB said.

These guidelines should further act as a clear framework for all competent supervisory authorities, the EDPB, and the Commission to evaluate Codes of Conduct in a consistent manner and to streamline the procedures involved in the assessment process, the EDPB said.

Annex to guidelines on accreditation. At the eleventh plenary session, the EDPB also adopted a final version of the annex to the guidelines on accreditation, following public consultation, to enhance clarity. “The aim of the guidelines is to provide guidance on how to interpret and implement the provisions of Article 43 GDPR,” the EDPB said. “In particular, they aim to help member states, supervisory authorities, and national accreditation bodies establish a consistent and harmonized baseline for the accreditation of certification bodies that issue certification in accordance with the GDPR.”

“The annex provides guidance on the additional requirements for the accreditation of certification bodies to be established by the supervisory authorities. These additional requirements, before being adopted by supervisory authorities, are to be submitted to the EDPB for approval pursuant to Article 64(1)(c).”

Annex to the guidelines on certification. Following public consultation, the EDPB also adopted a final version of annex 2 to the guidelines on certification, expanding on certain sections—for example, whether the criteria address the obligation of the controller/processor to appoint a data protection officer and the obligation to keep records of the processing activities. The primary aim of these guidelines is to identify overarching criteria that may be relevant to all types of certification mechanisms issued in accordance with Article 42 and Article 43 of the GDPR.

“The annex identifies topics that data protection supervisory authorities and the EDPB will consider and apply for the approval of certification criteria for a certification mechanism,” the EDPB said. “The list is not exhaustive but presents the minimum topics to be considered.”

Websites

We are not responsible for the content of external sites

European Data Protection Board - Eleventh Plenary session

Jaclyn JaegerJaclyn Jaeger is a freelance contributor to Compliance Week after working for the company for 15 years. She writes on a wide variety of topics, including ethics and compliance, risk management, legal, enforcement, technology, and more.View full Profile

Topics

No comments

Interested in writing for CW?

Compliance Week accepts outside contributions from corporate chief compliance officers and other senior-level GRC practitioners. To learn more, contact Editor in Chief Kyle Brasseur.

Blog
LEGO Group appoints chief sustainability officer

2023-09-28T20:04:00Z By CW Staff

The LEGO Group, a family-owned toy company, appointed Annette Stube as chief sustainability officer.
News Brief
Deutsche Bank unit fined $25M in ESG, AML settlements

2023-09-25T17:26:00Z By Kyle Brasseur

DWS Investment Management Americas agreed to pay $25 million in penalties across separate settlements with the Securities and Exchange Commission addressing alleged misstatements in environmental, social, and governance investments and anti-money laundering violations.
News Brief
3M to pay $9.6M over Iran sanctions lapses

2023-09-22T18:34:00Z By Jeff Dale

The Office of Foreign Assets Control ordered multinational conglomerate 3M to pay more than $9.6 million over apparent Iran sanctions violations by its subsidiary and a U.S. employee of a separate subsidiary.

No comments yet

You're not signed in.

Only registered users can comment on this article.

More from GDPR

Article
Four years of GDPR: New tech testing data privacy law’s longevity?

2022-05-25T15:52:00Z By Neil Hodge

It has been four years since the European Union’s flagship data privacy legislation came into force, but concerns are already being raised about whether the General Data Protection Regulation is being outpaced by technological developments and their use of data.
Article
Dissatisfaction with GDPR pushing EU countries toward local laws

2021-12-21T15:18:00Z By Neil Hodge

So far, Europe’s wide-reaching data privacy rules have seemingly failed to curb Big Tech firms’ use and abuse of citizens’ personal data. As a result, some EU data regulators are pursuing their own investigations—often through other legislation.
Article
CWE panel: GDPR ‘the start of a culture of data protection’

2021-11-15T21:50:00Z By Neil Hodge

Belgian Data Protection Authority head David Stevens and Member of European Parliament Axel Voss discussed ways the General Data Protection Regulation could be improved for the future during a keynote at CW’s virtual Europe event.