Artikkel 41
Monitoring of approved codes of conduct

Offisielle tekster Retningslinjer
og beslutninger
Vurderinger
EU-regulering
Vurderinger
nasj. regulering

GDPR

Article 41 authorises, on certain conditions, an independent body to monitor the compliance with a code of conduct approved under article 40 without prejudice to the tasks and powers of the competent supervisory authority pursuant to Articles 57 and 58. Paragraph 1 stipulates that the monitoring of compliance may be carried out only by a body which has an appropriate level of expertise in relation to the subject-matter of the code.

The second paragraph sets out the conditions that such body must meet:

- it must have demonstrated its independence and expertise in relation to the subject-matter of the code to monitor (a);

- the body must have established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation (b);

- the body must have established transparent procedures to handle complaints about infringements of the code by a controller or processor, by guaranteeing the absence of conflicts of interest (c);

- the body must have demonstrated to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests (d). 

The competent supervisory authority shall submit the draft criteria as referred to in paragraph 1 of this Article to the Board pursuant to the consistency mechanism referred to in Article 63 (3)).

Without prejudice to the tasks and powers of the competent supervisory authority, such body shall, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent supervisory authority of such actions and the reasons for taking them (paragraph 4).

The competent supervisory authority shall revoke the accreditation of a body if the conditions for accreditation are not met or where actions taken by the body infringe this Regulation (paragraph 5).

This provision shall not apply to processing carried out by public authorities and bodies (paragraph 6).

Direktivet

There was no provision of the Directive for monitoring of the approved codes as no procedure for approval of such codes was provided.

Utfordringer

We may wonder what will be the status of the control body in national law, separate from the national supervisory authority. A priori, it will not a public institution, but private, which would then have powers of sanctions with respect to an enterprise established as appropriate in a third country.

The regulation says nothing either in terms of the management of the costs of this compulsory control, which may also pose difficulties, in addition to the management of potential conflicts of interest.

Also, it should be noted that the provision does not apply to public authorities and public institutions even though they are not excluded from article 38 and are therefore required to adopt the codes. We may also ask which conditions precisely these qualifications of public authorities meet as not defined by the Regulation.

Forordning
1e 2e

Art. 41

1.   Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, the monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for that purpose by the competent supervisory authority.

2.   A body as referred to in paragraph 1 may be accredited to monitor compliance with a code of conduct where that body has:

a) demonstrated its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory authority;

b) established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;

c) established procedures and structures to handle complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make those procedures and structures transparent to data subjects and the public; and

d) demonstrated to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.

3.   The competent supervisory authority shall submit the draft criteria for accreditation of a body as referred to in paragraph 1 of this Article to the Board pursuant to the consistency mechanism referred to in Article 63.

4.   Without prejudice to the tasks and powers of the competent supervisory authority and the provisions of Chapter VIII, a body as referred to in paragraph 1 of this Article shall, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent supervisory authority of such actions and the reasons for taking them.

5.   The competent supervisory authority shall revoke the accreditation of a body as referred to in paragraph 1 if the conditions for accreditation are not, or are no longer, met or where actions taken by the body infringe this Regulation.

6.   This Article shall not apply to processing carried out by public authorities and bodies.

1. forslag close

No specific provision

2. forslag close

Art. 38a

1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 52 and 53, the monitoring of compliance with a code of conduct pursuant to Article 38 (1b), may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for this purpose by the competent supervisory authority.

2. A body referred to in paragraph 1 may be accredited for this purpose if:

(a) it has demonstrated its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory authority;

(b) it has established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;

(c) it has established procedures and structures to deal with complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make these procedures and structures transparent to data subjects and the public;

(d) it demonstrates to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.

3. The competent supervisory authority shall submit the draft criteria for accreditation of a body referred to in paragraph 1 to the European Data Protection Board pursuant to the consistency mechanism referred to in Article 57.

4. Without prejudice to the provisions of Chapter VIII, a body referred to in paragraph 1 may, subject to adequate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent supervisory authority of such actions and the reasons for taking them.

5. The competent supervisory authority shall revoke the accreditation of a body referred to in paragraph 1 if the conditions for accreditation are not, or no longer, met or actions taken by the body are not in compliance with this Regulation.

6. This article shall not apply to the processing of personal data carried out by public authorities and bodies.

Direktiv close

No specific provision

Art. 41

Kontroll av godkjente atferdsnormer

1. Uten at det berører vedkommende tilsynsmyndighets oppgaver og myndighet i henhold til artikkel 57 og 58, kan tilsynet med at atferdsnormene overholdes i henhold til artikkel 40 utføres av et organ med et egnet nivå av dybdekunnskap om temaet for atferdsnormene og som er akkreditert for dette formål av vedkommende tilsynsmyndighet.

2. Et organ som nevnt i nr. 1 kan akkrediteres til å føre tilsyn med overholdelsen av atferdsnormer dersom nevnte organ har

a) vist at det er uavhengig og har dybdekunnskap om temaet for atferdsnormene på en måte som oppfyller vedkommende tilsynsmyndighets krav,

b) fastsatt framgangsmåter som gjør det mulig å vurdere om berørte behandlingsansvarlige og databehandlere oppfyller vilkårene for anvendelse av atferdsnormene, føre tilsyn med at de overholdes og foreta regelmessige gjennomgåelser av atferdsnormenes virkemåte,

c) fastsatt framgangsmåter og rutiner for behandling av klager på overtredelser av atferdsnormene eller måten de er blitt eller blir gjennomført på av den behandlingsansvarlige eller databehandleren, og gjøre nevnte framgangsmåter og rutiner åpne for de registrerte og allmennheten, og

d) vist, på en måte som oppfyller vedkommende tilsynsmyndighets krav, at oppgavene eller pliktene ikke fører til en interessekonflikt.

3. Vedkommende tilsynsmyndighet skal legge fram et utkast til vilkår for akkreditering av et organ som nevnt i nr. 1 i denne artikkel for Personvernrådet i henhold til konsistensmekanismen nevnt i artikkel 63.

4. Uten at det berører vedkommende tilsynsmyndighets oppgaver og myndighet og bestemmelsene i kapittel VIII, skal et organ som nevnt i nr. 1 i denne artikkel, under forutsetning av nødvendige garantier, treffe egnede tiltak i tilfelle en behandlingsansvarlig eller databehandler ikke overholder atferdsnormene, herunder suspendere eller utelukke den berørte behandlingsansvarlige eller databehandleren fra atferdsnormene. Det skal underrette vedkommende tilsynsmyndighet om nevnte tiltak og årsakene til at de er truffet.

5. Vedkommende tilsynsmyndighet skal tilbakekalle akkrediteringen av et organ som nevnt i nr. 1 dersom vilkårene for akkreditering ikke eller ikke lenger oppfylles, eller dersom tiltak som er truffet av organet, er i strid med bestemmelsene i denne forordning.

6. Denne artikkel får ikke anvendelse på behandling utført av offentlige myndigheter og organer.

Gamle loven close

Ingen tilsvarende bestemmelse

close