According to the General Data Protection Regulation, a code of conduct is a set of guidelines that helps the companies or organisations that have adopted the code apply the General Data Protection Regulation's rules properly.
The guidelines in the code of conduct are to help ensure proper application of the General Data Protection Regulation's provisions by specifying how personal data may be processed in specific cases. This might for example involve establishing detailed procedures to be followed for a specific type of personal data processing.
A code of conduct may thus be used for a certain kind of personal data processing that is common within, for example, a particular, well-defined, sector. Adherence to a code of conduct is a way of demonstrating that the data controller or data processor fulfils its obligations under the General Data Protection Regulation.
It is important to be aware that adoption of or adherence to a code of conduct does not in itself constitute proof of compliance with the General Data Protection Regulation. This also means that adherence to a code of conduct does not free a data controller or data processor from its responsibilities under the General Data Protection Regulation. Application of a code of conduct can, however, affect for example the level of any fines that are imposed.
The Regulation also mentions certification mechanisms, seals and marks for data protection as possible ways for data controllers or processors to demonstrate that their processing of personal data complies with the Regulation.
Who can draw up a code of conduct?
According to the General Data Protection Regulation, a code of conduct can be devised by associations or other bodies that represent categories of data controllers or data processors. Professional associations and other trade associations, for example, can be considered to represent categories of data controllers or data processors.
Professional associations and organisations are particularly well suited to draw up codes of conduct since they can be assumed to have a thorough knowledge of what kind of personal data processing occurs in their industry. They should thus also know what particular challenges and particular issues are especially important to give guidance on to data controllers and data processors who are active in the industry in order to ensure proper application of the General Data Protection Regulation.
What can a code of conduct be used for?
A code of conduct can first and foremost specify the application of the General Data Protection Regulation for a specific industry or sector. Paragraphs (a) to (k) of Article 40.2 list what a code of conduct can specify. The examples are not exhaustive, and a code of conduct does not need to contain guidance in all the areas listed. The listed areas are:
- fair and transparent processing,
- the legitimate interests pursued by controllers in specific contexts,
- the collection of personal data,
- the pseudonymisation of personal data,
- the information provided to the public and to data subjects,
- the exercise of the rights of data subjects,
- the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained,
- the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32,
- the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects,
- the transfer of personal data to third countries or international organisations,
- out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.
Different codes of conduct can thus focus on different provisions of the General Data Protection Regulation. In one industry the biggest challenge might be to determine what security measures need to be taken to protect the personal data that is processed, while in another industry guidance is needed on what information is to be provided to the data subjects and in what way.
In addition to this, other provisions of the General Data Protection Regulation state that data controllers and data processors can use adherence to a code of conduct as a factor to demonstrate that they satisfy the Regulation's requirements, and that adherence to a code of conduct can affect whether fines are to be imposed and the amount of any such fine.
How a code of conduct is devised and what the minimum requirements regarding its contents are
Before a code of conduct can be used to specify the application of the General Data Protection Regulation, it must have the Swedish Data Protection Authority's approval.
For a code of conduct to be approved it must satisfy a number of minimum requirements that together ensure that the code of conduct provides sufficient guarantees. The European Data Protection Board is developing an EU-wide guide concerning codes of conduct that will explain the minimum requirements regarding the content of a code of conduct. No precise date has yet been set for when the guide will be ready but the aim is that it will be available during autumn 2018.
The Swedish Data Protection Authority, meanwhile, can already today list some criteria that a code of conduct must satisfy for it to be considered to contain sufficient guarantees:
- A code of conduct must focus on a well-defined category of data controller or processor. It must thus clearly state the types of organisation or sector to which the code will apply.
- A code of conduct must be aimed at specific, well-defined, kinds of processing that are typical for the above-stated categories of data controller and processor.
- A code of conduct must be prepared carefully. This includes holding consultations with the relevant stakeholders, including as far as possible the data subjects or their representatives.
Can we already today have a code of conduct approved by the Swedish Data Protection Authority?
Yes. It is possible to submit a code of conduct to the Swedish Data Protection Authority for approval under the General Data Protection Regulation. However, the Swedish Data Protection Authority recommends that entities developing a code of conduct wait for the EU-wide guide and ensure that their code complies with it before submitting the code to us.
The actual issuing of a certification is to be handled by an accredited certification body. Who is to issue accreditation has not yet been decided but will probably be the Swedish Data Protection Authority or the national accreditation body Swedac.
The criteria upon which an accreditation body is to base its assessments are to be drawn up by the national supervisory authority, that is to say the Swedish Data Protection Authority. The Swedish Data Protection Authority is also to approve the criteria on which certification is based.
The certification process has not yet been defined. The Article 29 group is currently devising an EU-wide guide for certification. No precise date has yet been set for when the guide will be ready.
If the information in other languages differs from the Swedish version, it is the Swedish version that applies.