CoC: Code of Conduct
What is a CoC and who needs it?
The EU General Data Protection Regulation (EU-GDPR), which came into effect this year on May 25, gives associations and parent organizations a tool for centralizing data protection for their subsidiary organizations.
“Codes of Conduct” were created in Art. 40 EU GDPR for this purpose. The term “Code of Conduct” (CoC) in English has now been adopted in international usage and by our own authorities.
What does this mean?
Associations and parent organizations can familiarize their subsidiaries specifically with the requirements of data protection. To do so, they create individual codes of conduct, which are audited and approved by the respective national authority.
In this way, they have their own officially approved code of conduct, which they then provide to their subsidiary organizations as instructions. Especially for German associations, this is an attractive way to create the required legal certainty and reduce liability from data protection.
Codes of conduct Article 40 EUDataP
1. The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.
2. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:
(a) fair and transparent processing;
(b) the legitimate interests pursued by controllers in specific contexts;
(c) the collection of personal data;
(d) the pseudonymisation of personal data;
(e) the information provided to the public and to data subjects;
(f) the exercise of the rights of data subjects;
(g) the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;
(h) the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32;
(i) the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects;
(j) the transfer of personal data to third countries or international organisations; or
(k) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.
3. In addition to adherence by controllers or processors subject to this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article and having general validity pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (e) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards including with regard to the rights of data subjects.
4. A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of supervisory authorities competent pursuant to Article 55 or 56.
5. Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the supervisory authority which is competent pursuant to Article 55. The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards.
6. Where the draft code, or amendment or extension is approved in accordance with paragraph 5, and where the code of conduct concerned does not relate to processing activities in several Member States, the supervisory authority shall register and publish the code.
7. Where a draft code of conduct relates to processing activities in several Member States, the supervisory authority which is competent pursuant to Article 55 shall, before approving the draft code, amendment or extension, submit it in the procedure referred to in Article 63 to the Board which shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3, provides appropriate safeguards.
8. Where the opinion referred to in paragraph 7 confirms that the draft code, amendment or extension complies with this Regulation, or, in the situation referred to in paragraph 3, provides appropriate safeguards, the Board shall submit its opinion to the Commission.
9. The Commission may, by way of implementing acts, decide that the approved code of conduct, amendment or extension submitted to it pursuant to paragraph 8 have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).
10. The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 9.
11. The Board shall collate all approved codes of conduct, amendments and extensions in a register and shall make them publicly available by way of appropriate means.
Monitoring of approved codes of conduct Article 41 EUDataP
1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, the monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for that purpose by the competent supervisory authority.
2. A body as referred to in paragraph 1 may be accredited to monitor compliance with a code of conduct where that body has:
(a) demonstrated its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory authority;
(b) established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;
(c) established procedures and structures to handle complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make those procedures and structures transparent to data subjects and the public; and
(d) demonstrated to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.
3. The competent supervisory authority shall submit the draft requirements for accreditation of a body as referred to in paragraph 1 of this Article to the Board pursuant to the consistency mechanism referred to in Article 63.
4. Without prejudice to the tasks and powers of the competent supervisory authority and the provisions of Chapter VIII, a body as referred to in paragraph 1 shall, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent supervisory authority of such actions and the reasons for taking them.
5. The competent supervisory authority shall revoke the accreditation of a body as referred to in paragraph 1 if the requirements for accreditation are not, or are no longer, met or where actions taken by the body infringe this Regulation.
6. This Article shall not apply to processing carried out by public authorities and bodies.
Historical background
IITR Datenschutz GmbH presented a Code of Conduct to the public for the first time in April 2010 so website operators could credibly and clearly demonstrate privacy compliance. This data protection code has been in high demand.
Gaining an edge with the data protection code
Establishing a data protection code could be beneficial when companies headquartered in third states adopt it. By agreeing to and recognizing their data protection code, such companies become subject to the nationally organized “fine enforcement system” for this data protection code. A consumer can file a direct appeal to the issuing German association for violation of its data protection code and does not have to contact a supervisory authority, for instance, in the US.
Steps toward a continuously valid Code of Conduct
Part 1: Transparency in data protection: Compliance with legal regulations in which important privacy law parameters are repeated for website operators and examples are given, and
Part 2: Voluntary obligation: Transparent handling of personal data in which website operators commit to transparent and reasonable handling of customer data above and beyond the directly applicable legal regulations.
As a result, our data protection code also serves as a summary of privacy law issues that are relevant to website operators. The seal of the data protection code has created trust for customers of website operators and also satisfied the conditions of a Code of Conduct under Sec. 2 (1) no. 5 German Unfair Competition Act, providing both website operators and customers with a reliable legal framework for complying with the code.
Overall, the product included:
• Code seal
• Manual
• Code email
How can we support you?
IITR Datenschutz GmbH specializes in data protection and supports companies and organizations in their effort to manage all privacy law requirements. Our experience allows us to draft a code of conduct tailored to your organization and to obtain approval for it from the national authority with jurisdiction for your registered office by coordinating with all German national authorities.
We can create a code of conduct tailored to your specific needs and would be happy to hear from you.