On March 4, 2022, the European Data Protection Board (EDPB) announced that it had adopted its final guidelines on codes of conduct for data transfers under the GDPR. The guidelines provide clarification on the use of codes of conduct under Article 40(3) and Article 46(2)(e) of the GDPR, including the different actors involved in developing codes of conduct, what should be included in codes of conduct for data transfers, and the processes for adopting them.
The latest EDPB guidelines seek to complement and clarify the Guidelines on Codes of Conduct and Monitoring Bodies under the GDPR by including a checklist detailing what should be included in codes of conduct for data transfers as well as flowcharts outlining the adoption and amendment processes for codes of conduct.
What are codes of conduct for data transfers?
Article 46 of the GDPR outlines that, in the absence of an adequacy decision, data controllers and data processors may transfer personal data to a third country subject to appropriate safeguards. More specifically, Article 46(2)(e) states that codes of conduct, approved by the relevant supervisory authority in line with Article 40, can be used to provide a binding and enforceable commitment between the data controller and the data processor to ensure adequate measures are taken to protect personal data during third-country data transfers. The EDPB guidelines highlight that the binding commitment entered into by both parties can be made through a contract or other legally binding instrument.
GDPR codes of conduct are a broad mechanism that can be used to define a set of rules for the processing of personal data. Codes of conduct are typically prepared by an entity, association, or federation that represents large categories of data controllers and data processors, such as industry-specific associations or trade groups. This allows a degree of flexibility for intra-industry data flows, provided data controllers and data processors adhere to approved codes of conduct.
In its guidelines, the EDPB describes a scenario where a cloud service provider in a third country with no EU presence is contracted by a data controller based in the EU. In this instance it is more appropriate, in terms of GDPR compliance, for the cloud service provider to frame its data transfers under an approved code of conduct: it has no presence in the EU and is not part of a wider group of undertakings based in the EU, so it would be unable to rely on transfer mechanisms such as Binding Corporate Rules (BCRs). In the same scenario, the broad set of rules outlined in an approved code of conduct makes it a practical alternative to Standard Contractual Clauses (SCCs), which apply only to the specific data processing activities agreed upon entry into the contract between the data controller and the data processor. With SCCs, each new processing activity between the data controller and the data processor would require a new contract to be drawn up.
What parties are responsible for developing codes of conduct and what are their roles?
The EDPB guidelines highlight the five actors involved in the process of developing, monitoring, and approving codes of conduct, each with its role to play.
Figure: Annex 1a – Adoption of a Transnational Code Intended for Transfers (Source: European Data Protection Board Guidelines 04/2021 on Codes of Conduct as tools for transfers)
Figure: Annex 1b – Amendments to a Transnational Code to be Used as a Code Intended for Transfers (Source: European Data Protection Board Guidelines 04/2021 on Codes of Conduct as tools for transfers)
What should be included in codes of conduct?
The EDPB guidelines on codes of conduct for data transfers summarize the elements that a proposed code of conduct needs to include to ensure it provides a level of personal data protection consistent with the other transfer tools listed under Article 46 of the GDPR. The EDPB guidelines also take into account the CJEU’s decision in the Schrems II case and include the relevant supplementary measures that must be considered in any code of conduct for data transfers. A code of conduct intended for transfers should include the following:
Next steps
The EDPB’s final guidelines on codes of conduct as a transfer tool were adopted on February 22, 2022, following a public consultation. The guidelines should now bring clarity to the application of Articles 40(3) and 46(2)(e) of the GDPR and allow codes of conduct to be adopted as a transfer tool in compliance with the regulation.