Article 40
Codes of conduct

Official
Texts
Guidelines
& Caselaw
Review of
EU Regulation
Review of
Nat. Regulation
Show the recitals of the Regulation related to article 40 keyboard_arrow_down Hide the recitals of the Regulation related to article 40 keyboard_arrow_up

(77) Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by means of approved codes of conduct, approved certifications, guidelines provided by the Board or indications provided by a data protection officer. The Board may also issue guidelines on processing operations that are considered to be unlikely to result in a high risk to the rights and freedoms of natural persons and indicate what measures may be sufficient in such cases to address such risk.

(98) Associations or other bodies representing categories of controllers or processors should be encouraged to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors and the specific needs of micro, small and medium enterprises. In particular, such codes of conduct could calibrate the obligations of controllers and processors, taking into account the risk likely to result from the processing for the rights and freedoms of natural persons.

(99) When drawing up a code of conduct, or when amending or extending such a code, associations and other bodies representing categories of controllers or processors should consult relevant stakeholders, including data subjects where feasible, and have regard to submissions received and views expressed in response to such consultations.

(158) Where personal data are processed for archiving purposes, this Regulation should also apply to that processing, bearing in mind that this Regulation should not apply to deceased persons. Public authorities or public or private bodies that hold records of public interest should be services which, pursuant to Union or Member State law, have a legal obligation to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records of enduring value for general public interest. Member States should also be authorised to provide for the further processing of personal data for archiving purposes, for example with a view to providing specific information related to the political behaviour under former totalitarian state regimes, genocide, crimes against humanity, in particular the Holocaust, or war crimes.

(167) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission when provided for by this Regulation. Those powers should be exercised in accordance with Regulation (EU) No 182/2011. In that context, the Commission should consider specific measures for micro, small and medium-sized enterprises.

There is no recital in the Directive related to article 40.

The GDPR

[endif]-->

Article 40 reiterates Europe's desire to encourage the elaboration of codes to contribute to the application of the Regulation. These codes should take into account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises (paragraph 1).

These codes may be elaborated, modified or extended by organizations representing the categories of controllers and processors. They would be intended to clarify the terms of application of the Regulation provisions (paragraph 2), namely:

- the principle of fair and transparent processing (a);

- the legitimate interests pursued by controllers in specific contexts (b);

- the collection of personal data (c);

- the  anonymization  of personal data (d);

- the information provided to the public and to data subjects (e);

- the exercise of the rights of data subjects (f), etc.

As it follows from recital 98, these codes could in particular specify the duties imposed on controllers and processors to manage the risk which may expose the rights and freedoms of individuals.

These codes will be submitted to the supervisory authority which is competent pursuant to Article 55. The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards (paragraph 5).

Then, where the code of conduct concerned does not relate to processing activities in several Member States, the supervisory authority shall register and publish the code (paragraph 6).

Before approving them, the supervisory authority shall submit them to the European Data Protection Board which shall provide an opinion on whether they comply with this Regulation or, in the situation referred to in paragraph 3 of this Article, provides appropriate safeguards (paragraph 7). Where the opinion is positive, the European Board shall submit its opinion to the Commission (paragraph 8). The Commission shall then adopt implementing acts to confirm  that the codes of conducts as well as any modifications and extensions approved will have general validity in the territory of the Union. In this case, the Commission shall ensure appropriate publicity (paragraphs 9 and 10).

The European Data Protection Board shall collate all approved codes of conduct, amendments and extensions in a register and shall make them publicly available by way of appropriate means (paragraph 11).

Article 40 also provides in paragraph 3 that the codes of conduct approved by the national supervisory authority and having general validity in the territory of the Union could be applied to processing controllers and processors who are not subject to the Regulation in accordance with Article 3, in order to provide the appropriate safeguards in the context of transfers of personal data to a third country or an international organization, which must provide such appropriate safeguards and which has not been considered as providing a level of protection (Art. 46 (2), e)). These controllers or processors then assume a binding and enforceable commitment by using contractual instruments or otherwise, to apply these appropriate safeguards, including with regard to the rights of the data subjects.

Article 41 provides for a specific procedure for the monitoring of these codes. These codes must also contain the mechanisms by which the body responsible for follow-up to the mandatory control of compliance with the code by the processors and/or the controllers.

 Check this translation is correct (data collected in such a way that it cannot be linked back to an individual)

The Directive

Article 27 of the Directive encouraged the elaboration of sectoral codes of conduct with a view to contribute to the implementation of national provisions taken by the Member States. They were to provide an opportunity for the associations representing categories of controllers to submit these to the review of the national authorities. Moreover, the same opportunity was provided for drafts of Community codes to submit this time to the "29" Group who could then give publicity to the approved codes.

Most national laws did not contain any provisions in this regard.

Potential issues

The new regime of codes of conduct can contribute a lot to clarifying the application of the provisions of the Regulation to specific sectors and enterprises they cover. Their potential mandatory nature across the Union could also promote better alignment of regulations, which is certainly positive.

The problem will arise as a result of the fact that the initiative will come from the representative organizations themselves, which will often be the only ones to have the resources to elaborate such tools (except some large groups of undertakings or certain public institutions). The challenge for implementation will then be to provide an effective policy of encouragement and information to these organizations in order to convince them of the potential benefits for their members.

It should be noted that the adoption procedure is particularly heavy and depends on the efficiency and speed of the European Board and the national supervisory authorities.

Regulation
1e 2e

Art. 40

1.   The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.

2.   Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:

a) fair and transparent processing;

b) the legitimate interests pursued by controllers in specific contexts;

c) the collection of personal data;

d) the pseudonymisation of personal data;

e) the information provided to the public and to data subjects;

f) the exercise of the rights of data subjects;

g) the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;

h) the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32;

i) the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects;

j) the transfer of personal data to third countries or international organisations; or

k) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.

3.   In addition to adherence by controllers or processors subject to this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article and having general validity pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (e) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards including with regard to the rights of data subjects.

4.   A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of supervisory authorities competent pursuant to Article 55 or 56.

5.   Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the supervisory authority which is competent pursuant to Article 55. The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards.

6.   Where the draft code, or amendment or extension is approved in accordance with paragraph 5, and where the code of conduct concerned does not relate to processing activities in several Member States, the supervisory authority shall register and publish the code.

7.   Where a draft code of conduct relates to processing activities in several Member States, the supervisory authority which is competent pursuant to Article 55 shall, before approving the draft code, amendment or extension, submit it in the procedure referred to in Article 63 to the Board which shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3 of this Article, provides appropriate safeguards.

8.   Where the opinion referred to in paragraph 7 confirms that the draft code, amendment or extension complies with this Regulation, or, in the situation referred to in paragraph 3, provides appropriate safeguards, the Board shall submit its opinion to the Commission.

9.   The Commission may, by way of implementing acts, decide that the approved code of conduct, amendment or extension submitted to it pursuant to paragraph 8 of this Article have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).

10.   The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 9.

11.   The Board shall collate all approved codes of conduct, amendments and extensions in a register and shall make them publicly available by way of appropriate means.

1st proposal close

Art. 38

1.           The Member States, the supervisory authorities and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various data processing sectors, in particular in relation to:

(a)     fair and transparent data processing;

(b)     the collection of data;

(c)     the information of the public and of data subjects;

(d)     requests of data subjects in exercise of their rights;

(e)     information and protection of children;

(f)      transfer of data to third countries or international organisations;

(g)     mechanisms for monitoring and ensuring compliance with the code by the controllers adherent to it;

(h)     out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with respect to the processing of personal data, without prejudice to the rights of the data subjects pursuant to Articles 73 and 75.

2.           Associations and other bodies representing categories of controllers or processors in one Member State which intend to draw up codes of conduct or to amend or extend existing codes of conduct may submit them to an opinion of the supervisory authority in that Member State. The supervisory authority may give an opinion whether the draft code of conduct or the amendment is in compliance with this Regulation. The supervisory authority shall seek the views of data subjects or their representatives on these drafts.

3.           Associations and other bodies representing categories of controllers in several Member States may submit draft codes of conduct and amendments or extensions to existing codes of conduct to the Commission.

4.           The Commission may adopt implementing acts for deciding that the codes of conduct and amendments or extensions to existing codes of conduct submitted to it pursuant to paragraph 3 have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).

5.           The Commission shall ensure appropriate publicity for the codes which have been decided as having general validity in accordance with paragraph 4.

 

2nd proposal close

Art. 38

1. The Member States, the supervisory authorities, the European Data Protection Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various data processing sectors and the specific needs of micro, small and medium-sized enterprises.

1a. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of provisions of this Regulation, such as:

(a) fair and transparent data processing;

(aa) the legitimate interests pursued by controllers in specific contexts;

(b) the collection of data;

(bb) the pseudonymisation of personal data ;

(c) the information of the public and of data subjects;

(d) the exercise of the rights of data subjects ;

(e) information and protection of children and the way to collect the parent’s and guardian’s consent ;

(ee) measures and procedures referred to in Articles 22 and 23 and measures to ensure security of processing referred to in Article 30;

(ef) notification of personal data breaches to supervisory authorities and communication of such breaches to data subjects;

(f) (...).

1ab. In addition to adherence by controller or processor subject to the regulation, codes of conduct approved pursuant to paragraph 2 may also be adhered to by controllers or processors that are not subject to this Regulation according to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in Article 42(2)(d). Such controllers or processors shall make binding and enforceable commitments, via contr actual instruments or otherwise, to apply those appropriate safeguards including as regards data subjects’ rights.

1b. Such a code of conduct shall contain mechanisms which enable the body referred to in paragraph 1 of article 38a to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of the supervisory authority which is competent pursuant to Article 51 or 51a.

2. Associations and other bodies referred to in paragraph 1a which intend to prepare a code of conduct, or to amend or extend an existing code, shall submit the draft code to the supervisory authority which is competent pursuant to Article 51. The supervisory authority shall give an opinion on whether the draft code, or amended or extended code, is in compliance with this Regulation and shall approve such draft, amended or extended code if it finds that it provides sufficient appropriate safeguards.

2a. Where the opinion referred to in paragraph 2 confirms that the code of conduct, or amended or extended code, is in compliance with this Regulation and the code is approved, and if the code of conduct does not relate to processing activities in several Member States, the supervisory authority shall register the code and publish the details thereof.

2b. Where the draft code of conduct relates to processing activities in several Member States, the supervisory authority competent pursuant to Article 51 shall, before approval, submit it in the procedure referred to in Article 57 to the European Data Protection Board which shall give an opinion on whether the draft code, or amended or extended code, is in compliance with this Regulation or, in the situation referred to in paragraph 1ab, provides appropriate safeguards.

3. Where the opinion referred to in paragraph 2b confirms that the code of conduct, or amended or extended code, is in compliance with this Regulation, or, in the situation referred to in paragraph 1ab, provides appropriate safeguards ,the European Data Protection Board shall submit its opinion to the Commission.

4. The Commission may adopt implementing acts for deciding that the approved codes of conduct and amendments or extensions to existing approved codes of conduct submitted to it pursuant to paragraph 3 have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).

5. The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 4.

5a. The European Data Protection Board shall collect all approved codes of conduct and amendments thereto in a register and shall make them publicly available through any appropriate means, such as through the European E-Justice Portal.

Directive close

Art. 27

1. The Member States and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper implementation of the national provisions adopted by the Member States pursuant to this Directive, taking account of the specific features of the various sectors.

2. Member States shall make provision for trade associations and other bodies representing other categories of controllers which have drawn up draft national codes or which have the intention of amending or extending existing national codes to be able to submit them to the opinion of the national authority.

Member States shall make provision for this authority to ascertain, among other things, whether the drafts submitted to it are in accordance with the national provisions adopted pursuant to this Directive. If it sees fit, the authority shall seek the views of data subjects or their representatives.

3. Draft Community codes, and amendments or extensions to existing Community codes, may be submitted to the Working Party referred to in Article 29. This Working Party shall determine, among other things, whether the drafts submitted to it are in accordance with the national provisions adopted pursuant to this Directive. If it sees fit, the authority shall seek the views of data subjects or their representatives. The Commission may ensure appropriate publicity for the codes which have been approved by the Working Party.

51. General duties of Commissioner

(1) It shall be the duty of the Commissioner to promote the following of good practice by data controllers and, in particular, so to perform his functions under this Act as to promote the observance of the requirements of this Act by data controllers.

(2) The Commissioner shall arrange for the dissemination in such form and manner as he considers appropriate of such information as it may appear to him expedient to give to the public about the operation of this Act, about good practice, and about other matters within the scope of his functions under this Act, and may give advice to any person as to any of those matters.

(3) Where—

(a) the [F1 Secretary of State] so directs by order, or

(b) the Commissioner considers it appropriate to do so, the Commissioner shall, after such consultation with trade associations, data subjects or persons representing data subjects as appears to him to be appropriate, prepare and disseminate to such persons as he considers appropriate codes of practice for guidance as to good practice.

(4) The Commissioner shall also—

(a) where he considers it appropriate to do so, encourage trade associations to prepare, and to disseminate to their members, such codes of practice, and

(b) where any trade association submits a code of practice to him for his consideration, consider the code and, after such consultation with data subjects or persons representing data subjects as appears to him to be appropriate, notify the trade association whether in his opinion the code promotes the following of good practice.

(5) An order under subsection (3) shall describe the personal data or processing to which the code of practice is to relate, and may also describe the persons or classes of persons to whom it is to relate.

[F2(5A)In determining the action required to discharge the duties imposed by subsections (1) to (4), the Commissioner may take account of any action taken to discharge the duty imposed by section 52A (data-sharing code) [F3or section 52AA (direct marketing code)].]

(6) The Commissioner shall arrange for the dissemination in such form and manner as he considers appropriate of—

(a) any Community finding as defined by paragraph 15(2) of Part II of Schedule 1,

(b) any decision of the European Commission, under the procedure provided for in Article 31(2) of the Data Protection Directive, which is made for the purposes of Article 26(3) or (4) of the Directive, and

(c) such other information as it may appear to him to be expedient to give to data controllers in relation to any personal data about the protection of the rights and freedoms of data subjects in relation to the processing of personal data in countries and territories outside the European Economic Area.

(7) The Commissioner may, with the consent of the data controller, assess any processing of personal data for the following of good practice and shall inform the data controller of the results of the assessment.

(8) The Commissioner may charge such sums as he may F4... determine for any [F5 relevant] services provided by the Commissioner by virtue of this Part.

[F6(8A) In subsection (8) “relevant services” means—

(a) the provision to the same person of more than one copy of any published material where each of the copies of the material is either provided on paper, a portable disk which stores the material electronically or a similar medium,

(b) the provision of training, or

(c) the provision of conferences.

(8B)The Secretary of State may by order amend subsection (8A).]

(9) In this section—

“good practice” means such practice in the processing of personal data as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, and includes (but is not limited to) compliance with the requirements of this Act;

“trade association” includes any body representing data controllers. 

52. Reports and codes of practice to be laid before Parliament

(1) The Commissioner shall lay annually before each House of Parliament a general report on the exercise of his functions under this Act.

(2) The Commissioner may from time to time lay before each House of Parliament such other reports with respect to those functions as he thinks fit.

(3) The Commissioner shall lay before each House of Parliament any code of practice prepared under section 51(3) for complying with a direction of the [F1 Secretary of State], unless the code is included in any report laid under subsection (1) or (2).

close