Skip to main content

On-demand webinar coming soon...

Blog

European Data Protection Board adopts guidelines on codes of conduct

March 9, 2022

A orange gradient background image.

On March 4, 2022, the European Data Protection Board (EDPB) announced that it had adopted its final guidelines on codes of conduct for data transfers under the GDPR. The guidelines adopted by the EDPB provide clarification on the use of codes of conduct under Article 40(3) and Article 46(2)(e) of the GDPR including the different actors involved in the development of different codes of conduct, what should be included in codes of conduct for data transfers, and the processes for adopting codes of conduct.

The latest EDPB guidelines seek to complement and clarify the Guidelines on Codes of Conduct and Monitoring Bodies under the GDPR by including a checklist detailing what should be included in codes of conduct for data transfers as well as flowcharts outlining the adoption and amendment processes for codes of conduct.

Download the eBook: Understanding data transfers under the GDPR eBook

What are codes of conduct for data transfers?

Article 46 of the GDPR outlines that, in the absence of an adequacy decision, data controllers and data processors may transfer personal data to a third country subject to appropriate safeguards. More specifically, Article 46(2)(e) states that codes of conduct, approved by the relevant supervisory authority in line with Article 40, can be used to provide a binding and enforceable commitment between the data controller and the data processor to ensure adequate measures are taken to protect personal data during third-country data transfers. The EDPB guidelines highlight that the binding commitment entered into by both parties can be made through a contract or other legally binding instrument.

GDPR codes of conduct represent a broad mechanism that can be used to define a set of rules related to the processing of personal data. Codes of conduct are typically prepared by an entity, association, or federation that represent large categories of data controllers and data processors, such as industry-specific associations or trade groups. This allows a degree of flexibility for intra-industry data flows provided data controllers and data processors adhere to approved codes of conduct.

In its guidelines, the EDPB describes a scenario where a cloud service provider in a third country with no EU presence is contracted by a data controller based in the EU. In this instance it is more appropriate in terms of GDPR compliance for the cloud service provider to frame its data transfers under an approved code of conduct as it has no presence in the EU, nor is it part of the wider group of undertakings based in the EU. This means that it would be unable to rely on transfer mechanisms such as Binding Corporate Rules (BCRs). In this same scenario, the broad set of rules that are outlined in approved codes of conduct makes them a practical alternative to Standard Contractual Clauses (SCCs) which only apply to the specific data processing activities agreed upon entry into the contract between the data controller and data processor. Therefore, for each new processing activity between the data controller and the data processor, a new contract would need to be drawn up.

What parties are responsible for developing codes of conduct and what are their roles?

The EDPB guidelines highlight the five actors involved in the process of developing, monitoring, and approving codes of conduct, each with its role to play.

  • Code Owners – The entity that prepares a code of conduct or makes amendments to an approved code of conduct. Code owners also submit the code of conduct to the relevant supervisory authority for approval.
  • Monitoring Bodies – Each code of conduct needs to include details of a monitoring body that will need to be accredited by the supervisory authority. The monitoring body is responsible for ensuring third-country data controllers and data processors adhere to the code of conduct. As such, the monitoring body should be capable of monitoring the code of conduct effectively.
  • Supervisory Authorities – The role of the supervisory authority concerning codes of conduct is to consider and approve proposed codes of conduct as well as accrediting monitoring bodies.
  • EDPB – The EDPB is required to provide an opinion on draft decisions made by supervisory authorities relating to a proposed code of conduct or amendment to the existing approved code of conduct.
  • European Commission – The European Commission may adopt an approved code of conduct for general validity in the European Union. Only codes of conduct that have been granted general validity may be relied upon for framing transfers.

Annex 1a – Adoption of a Transnational Code Intended for Transfers

Source: European Data Protection Board Guidelines 04/2021 on Codes of Conduct as tools for transfers

Annex 1b – Amendments to a Transnational Code to be Used as a Code Intended for Transfers

Source: European Data Protection Board Guidelines 04/2021 on Codes of Conduct as tools for transfers

What should be included in codes of conduct?

The EDPB guidelines on codes of conduct for data transfers summarize the elements that need to be included in a proposed code of conduct for it to ensure it provides a level of personal data proception consistent with other transfers tools listed under Article 46 of the GDPR. The EDPB guidelines also take into account the CJEU’s decision in the Schrems II case and include the relevant supplementary measures that must be considered in any code of conduct for data transfers. A code of conduct intended for transfers should include the following:

  • A description of the data transfers
    • nature of data transferred
    • categories of data subjects
    • import/export countries, etc.
  • A description of the data protection principles to be complied with
    • transparency
    • fairness and lawfulness,
    • purpose limitation
    • data minimization
    • accuracy, etc.
  • The measures taken to comply with the accountability principle
  • Demonstration of appropriate governance through DPOs or privacy staff responsible for compliance with data protection obligations resulting from the code
  • Existence of a suitable data protection training program
  • Existence of a data protection audit conducted by either internal or external auditors or another internal mechanism for monitoring compliance
  • The measures taken to comply with the transparency principle
  • The provision of data subject rights
    • Right to access
    • Right to rectification
    • Right to erasure
    • Right to object, etc.
  • Existence of an appropriate complaint handling maintained by the monitoring body
  • A guarantee that the third-country data controller or data processor has no reasons to believe that the legal framework in the third country will prevent it from fulfilling its obligations under the
  • Mechanisms for dealing with amendments to the code
  • Consequences of withdrawal from the code
  • Commitments for the code member and monitoring body to cooperate with supervisory authorities in the EEA
  • A commitment that the code member accepts is subject to the jurisdiction of EEA supervisory authorities to ensure compliance with the code of conduct and EEA courts.
  • An outline of the selection criteria for the monitoring body of the code

Next steps

The EDPB’s final guidelines on codes of conduct as a transfer tool were adopted on February 22, 2022, following a public consultation. The guidelines should now bring clarity to the application of Articles 40(3) and 46(2)(e) of the GDPR and allow for the use of codes of conduct to be adopted in compliance with the regulation.

 


You may also like

Webinar

Privacy Management

Revisiting IAPP DPC 2024: Top trends on the latest data protection developments

Join OneTrust and PA Consulting as we dive deeper into the key takeaways from the IAPP Europe Data Protection Congress 2024. Our speakers will provide actionable insights from the event on the latest developments in data protection, privacy, and AI. 

December 12, 2024

Learn more

Webinar

Privacy Automation

PIA and DPIA demo webinar with Data Privacy Group

Join our webinar to learn the benefits of automating your PIAs and DPIAs using the OneTrust platform

November 28, 2024

Learn more

eBook

Consent & Preferences

Mastering GDPR consent: A marketer's guide to simplifying compliance

Learn how to simplify GDPR consent management, stay compliant, and build trust with your audience. Download this practical guide for marketers.

October 17, 2024

Learn more

eBook

Privacy Management

Maturing your GDPR compliance program

This comprehensive eBook explores the key elements of a GDPR compliance program.

September 11, 2024

Learn more

eBook

Privacy Management

Understanding data transfers under the GDPR ebook

In the ebook, we delve into the fallout from Schrems II and explore how organizations based in Europe can best navigate international data transfers under the GDPR.

June 05, 2024

Learn more

Webinar

Privacy Management

Preparing for a new regulation: Lesson learned from the GDPR businesses can apply to the EU AI act?

Join our panel of experts as we celebrate GDPR Anniversary and take a closer look at the relationship between the GDPR and AI Act.

May 23, 2024

Learn more

Webinar

Privacy Management

Navigating data privacy in 2024: Global regulatory updates & compliance strategies

Join our webinar for a comprehensive overview of the latest global data privacy regulations and updates impacting businesses in 2024 and how to prepare.

March 20, 2024

Learn more

Infographic

Privacy Management

OneTrust announces partnership with Europrivacy

Learn how OneTrust and Europrivacy's partnership can help your organization achieve GDPR compliance and build trust with your customers.

December 06, 2023

Learn more

Webinar

Technology Risk & Compliance

Demonstrating GDPR compliance with Europrivacy criteria: The European Data Protection Seal

Join our webinar to learn more about the European Data Protection Seal and to find out what the key advantages of getting certified.

November 30, 2023

Learn more

Webinar

Privacy Management

Revisiting the ICO Data Protection Practitioner's Conference: Addressing your top challenges

Join OneTrust and KPMG UK to discuss the challenges of employee SARs, managing your breach response with third parties, and incident management.

October 25, 2023

Learn more

Infographic

Privacy & Data Governance

Understanding the EU Data Boundary

Download our free infographic and get the information you need to understand the EU Data Boundary and how to properly handle data in the European Union.

September 22, 2023

Learn more

Webinar

Privacy Management

Privacy in practice: PIA & DPIA with PA Consulting

Join OneTrust and PA Consulting as we discuss what makes an effective PIA, best practices, and the benefits of automation.

September 21, 2023

Learn more

Webinar

Privacy & Data Governance

Privacy in practice for data mapping: With PA Consulting and Syngenta

Join OneTrust and panelists from PA Consulting and Syngenta as we explore practical ways to build an effective data mapping program, best practices, and the need for automation.

September 14, 2023

Learn more

Webinar

Governance & Policy Management

EU-US DPF: What next for UK businesses?

Join our expert webinar as we discuss the upcoming UK-US DPF Extension and what UK businesses need to prepare to become DPF-certified.

September 06, 2023

Learn more

Webinar

Privacy Management

Unpacking the EU-US DPF

In this webinar, we cover the new EU-US Data Privacy Framework (EU-US DPF) and what privacy program managers need to know for post-Schrems II data transfers.

June 28, 2023

Learn more

Infographic

Privacy & Data Governance

The 3 priorities of the French DPO: Gain visibility, take action, automate

Download our infographic and learn about the 3 priorities of the French DPO.

May 30, 2023

Learn more

Webinar

Privacy Management

GDPR turns 5: Celebrating data protection

Northern Europe panel - Join our panel of experts as they recap the GDPR, its key concepts, and what it means for organizations and compliance. 

May 25, 2023

Learn more

Webinar

Privacy Management

Global Panel — GDPR & Tech: Key considerations of Privacy by Design and AI in tech

Join our panel of experts as we discuss the impact GDPR had on the tech industry during the past five years, the importance of privacy by design, and what to expect with AI and regulation.

May 25, 2023

Learn more

Webinar

Privacy Management

5 years of GDPR: Milestones, challenges, and opportunities

Eastern European panel - Watch our webinar as we look back on 5 years of the GDPR, AI, and their impact on Europe, the world, and your organization.

May 24, 2023

Learn more

Webinar

Privacy & Data Governance

Global Panel — GDPR & Healthcare: current regulatory guidance and enforcement

In this live webinar, our expert panel examines the first five years of the GDPR, how it changed the healthcare industry, and the changing global regulatory landscape.

May 24, 2023

Learn more

Webinar

Privacy Management

Global Panel — GDPR & Retail: building customer loyalty and trust with consent and privacy

Join us for a live panel as we discuss GDPR's impact on the retail and eCommerce industry and how companies evolved to meet the global regulatory landscape.

May 23, 2023

Learn more

eBook

Privacy Management

Getting started with GDPR compliance

This eBook covers the fundamental information you need to know in order to get your GDPR compliance program started and how OneTrust helps. 

May 23, 2023

Learn more

Infographic

Privacy Management

Comparing the FADP, Revised FADP, and the GDPR

Download our infographic to see how the Revised FADP compares with its original version and the GDPR.

May 23, 2023

Learn more

Webinar

Privacy Management

Global Panel — GDPR & Finance: Staying ahead of the regulatory and cyber landscape

How has the GDPR affected the financial industry? Join our live panel as we examine how it companies evolved to meet the regulatory challenges and what can be done to stay ahead of the curve.

May 22, 2023

Learn more

Webinar

Privacy Automation

OneTrust and Deloitte UK - Data transfers: Assessments & safeguards

OneTrust's Center of Excellence and Deloitte UK will discuss data transfers and GDPR compliance, covering the UK stance, ICO/EDBP guidance, and more.

April 04, 2023 1 min read

Learn more

eBook

Privacy Management

The 3 Priorities for DPOs in France: Gain Visibility, Take Action, Automate eBook | Resources | OneTrust

French DPOs should take three priorities into account when building their data protection and compliance programs and processes in 2023.

February 21, 2023

Learn more

Webinar

Privacy & Data Governance

Data Protection in Financial Services Week: Government keynote and international transfers

This session will examine some key issues and recent developments on international data transfers with contributions from key EU, UK, and US regulators.

February 07, 2023

Learn more

Webinar

Consent & Preferences

Belgian DPA approves TCF action plan: Where we go from here

Belgian DPA approves IAB Europe’s action plan to correct its Transparency & Consent Framework (TCF) violations of the GDPR.

January 12, 2023

Learn more

Webinar

Privacy & Data Governance

Keeping pace with the changing regulatory landscape: UK And EU updates webinar

Learn more about the privacy updates for the UK and the EU, what to expect in the coming year, and how to manage regulatory change.

August 15, 2022

Learn more

Webinar

Ethics & Compliance

GDPR and the EU Whistleblower Protection Directive webinar

Join this webinar to learn how to review your whistleblowing processes to comply with the EU Whistleblower Protection Directive, the GDPR and others.

July 06, 2022

Learn more

Webinar

Privacy & Data Governance

4 years of GDPR

Watch our webinar on the last 4 years of GDPR compliance and trends for the future.

May 05, 2022

Learn more

Webinar

Privacy Management

Privacy rights poland: Enhance Your DSAR process with automation, discovery & redaction

As part of our Privacy Automation webinar series, we discuss why it's important to automate DSAR fulfillment and the latest regulatory trends. 

April 03, 2022

Learn more

Webinar

Privacy & Data Governance

Know your laws: Comparing CCPA & CPRA vs. GDPR

Watch this free webinar and see how the CCPA and CPRA compare with the GDPR.

January 04, 2022

Learn more

Checklist

Privacy & Data Governance

Transfer Impact Assessment (TIA) checklist

This Transfer Impact Assessment checklist provides an overview of the key steps you can take as you perform a TIA.

December 01, 2021

Learn more

Infographic

GDPR's 8 fundamental data subject rights

Download our GDPR's 8 Fundamental Data Subject Rights infographic and learn more about the individual rights guaranteed under the EU's major privacy law. 

August 27, 2021

Learn more

eBook

Privacy & Data Governance

The ultimate guide to GDPR compliance

Download this eBook to get an ultimate guide to understanding the GDPR and implementing steps towards compliance.

August 26, 2021

Learn more

eBook

Privacy & Data Governance

10 steps to meeting the GDPR Article 30 requirement

Download this eBook and learn how to leverage data mapping for your GDPR Article 30 compliance program. 

July 22, 2021

Learn more

White Paper

Privacy Automation

Mastering PIAs & DPIAs: A complete handbook for privacy experts

Unlock the full potential of your privacy program with our complete handbook designed to equip privacy professionals with the essential tools and knowledge for establishing robust PIA and DPIA processes.

July 22, 2021

Learn more

Checklist

Privacy & Data Governance

GDPR compliance checklist

Download our GDPR compliance checklist for recommendations on improving your organization's privacy program. 

June 11, 2021

Learn more