Article 41
Monitoring of approved codes of conduct


The GDPR

Article 41 authorises, on certain conditions, an independent body to monitor compliance with a code of conduct approved under Article 40, without prejudice to the tasks and powers of the competent supervisory authority pursuant to Articles 57 and 58. Paragraph 1 stipulates that the monitoring of compliance may be carried out only by a body which has an appropriate level of expertise in relation to the subject-matter of the code.

The second paragraph sets out the conditions that such body must meet:

- it must have demonstrated its independence and expertise in relation to the subject-matter of the code to monitor (a);

- the body must have established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation (b);

- the body must have established transparent procedures to handle complaints about infringements of the code by a controller or processor, by guaranteeing the absence of conflicts of interest (c);

- the body must have demonstrated to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests (d). 

The competent supervisory authority shall submit the draft criteria for accreditation of a body as referred to in paragraph 1 of this Article to the Board pursuant to the consistency mechanism referred to in Article 63 (paragraph 3).

Without prejudice to the tasks and powers of the competent supervisory authority, such body shall, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent supervisory authority of such actions and the reasons for taking them (paragraph 4).

The competent supervisory authority shall revoke the accreditation of a body if the conditions for accreditation are not met or where actions taken by the body infringe this Regulation (paragraph 5).

This provision shall not apply to processing carried out by public authorities and bodies (paragraph 6).

The Directive

The Directive contained no provision on the monitoring of approved codes, as it provided no procedure for the approval of such codes.

Potential issues

We may wonder what the status of the control body, separate from the national supervisory authority, will be in national law. A priori, it will not be a public institution but a private one, which would then have powers of sanction with respect to an enterprise established, as the case may be, in a third country.

The Regulation is also silent on how the costs of this compulsory control are to be managed, which may pose difficulties in addition to the management of potential conflicts of interest.

Also, it should be noted that the provision does not apply to public authorities and public institutions even though they are not excluded from article 38 and are therefore required to adopt the codes. We may also ask precisely which conditions must be met to qualify as a public authority, as the Regulation does not define this.

Regulation

Art. 41

1.   Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, the monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for that purpose by the competent supervisory authority.

2.   A body as referred to in paragraph 1 may be accredited to monitor compliance with a code of conduct where that body has:

a) demonstrated its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory authority;

b) established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;

c) established procedures and structures to handle complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make those procedures and structures transparent to data subjects and the public; and

d) demonstrated to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.

3.   The competent supervisory authority shall submit the draft criteria for accreditation of a body as referred to in paragraph 1 of this Article to the Board pursuant to the consistency mechanism referred to in Article 63.

4.   Without prejudice to the tasks and powers of the competent supervisory authority and the provisions of Chapter VIII, a body as referred to in paragraph 1 of this Article shall, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent supervisory authority of such actions and the reasons for taking them.

5.   The competent supervisory authority shall revoke the accreditation of a body as referred to in paragraph 1 if the conditions for accreditation are not, or are no longer, met or where actions taken by the body infringe this Regulation.

6.   This Article shall not apply to processing carried out by public authorities and bodies.

1st proposal

No specific provision

2nd proposal

Art. 38a

1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 52 and 53, the monitoring of compliance with a code of conduct pursuant to Article 38 (1b), may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for this purpose by the competent supervisory authority.

2. A body referred to in paragraph 1 may be accredited for this purpose if:

(a) it has demonstrated its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory authority;

(b) it has established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;

(c) it has established procedures and structures to deal with complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make these procedures and structures transparent to data subjects and the public;

(d) it demonstrates to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.

3. The competent supervisory authority shall submit the draft criteria for accreditation of a body referred to in paragraph 1 to the European Data Protection Board pursuant to the consistency mechanism referred to in Article 57.

4. Without prejudice to the provisions of Chapter VIII, a body referred to in paragraph 1 may, subject to adequate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent supervisory authority of such actions and the reasons for taking them.

5. The competent supervisory authority shall revoke the accreditation of a body referred to in paragraph 1 if the conditions for accreditation are not, or no longer, met or actions taken by the body are not in compliance with this Regulation.

6. This article shall not apply to the processing of personal data carried out by public authorities and bodies.

Directive

No specific provision

51. General duties of Commissioner

(1) It shall be the duty of the Commissioner to promote the following of good practice by data controllers and, in particular, so to perform his functions under this Act as to promote the observance of the requirements of this Act by data controllers.

(2) The Commissioner shall arrange for the dissemination in such form and manner as he considers appropriate of such information as it may appear to him expedient to give to the public about the operation of this Act, about good practice, and about other matters within the scope of his functions under this Act, and may give advice to any person as to any of those matters.

(3) Where—

(a) the [F1 Secretary of State] so directs by order, or

(b) the Commissioner considers it appropriate to do so, the Commissioner shall, after such consultation with trade associations, data subjects or persons representing data subjects as appears to him to be appropriate, prepare and disseminate to such persons as he considers appropriate codes of practice for guidance as to good practice.

(4) The Commissioner shall also—

(a) where he considers it appropriate to do so, encourage trade associations to prepare, and to disseminate to their members, such codes of practice, and

(b) where any trade association submits a code of practice to him for his consideration, consider the code and, after such consultation with data subjects or persons representing data subjects as appears to him to be appropriate, notify the trade association whether in his opinion the code promotes the following of good practice.

(5) An order under subsection (3) shall describe the personal data or processing to which the code of practice is to relate, and may also describe the persons or classes of persons to whom it is to relate.

[F2(5A) In determining the action required to discharge the duties imposed by subsections (1) to (4), the Commissioner may take account of any action taken to discharge the duty imposed by section 52A (data-sharing code) [F3 or section 52AA (direct marketing code)].]

(6) The Commissioner shall arrange for the dissemination in such form and manner as he considers appropriate of—

(a) any Community finding as defined by paragraph 15(2) of Part II of Schedule 1,

(b) any decision of the European Commission, under the procedure provided for in Article 31(2) of the Data Protection Directive, which is made for the purposes of Article 26(3) or (4) of the Directive, and

(c) such other information as it may appear to him to be expedient to give to data controllers in relation to any personal data about the protection of the rights and freedoms of data subjects in relation to the processing of personal data in countries and territories outside the European Economic Area.

(7) The Commissioner may, with the consent of the data controller, assess any processing of personal data for the following of good practice and shall inform the data controller of the results of the assessment.

(8) The Commissioner may charge such sums as he may F4... determine for any [F5 relevant] services provided by the Commissioner by virtue of this Part.

[F6(8A) In subsection (8) “relevant services” means—

(a) the provision to the same person of more than one copy of any published material where each of the copies of the material is either provided on paper, a portable disk which stores the material electronically or a similar medium,

(b) the provision of training, or

(c) the provision of conferences.

(8B) The Secretary of State may by order amend subsection (8A).]

(9) In this section—

“good practice” means such practice in the processing of personal data as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, and includes (but is not limited to) compliance with the requirements of this Act;

“trade association” includes any body representing data controllers. 

52. Reports and codes of practice to be laid before Parliament

(1) The Commissioner shall lay annually before each House of Parliament a general report on the exercise of his functions under this Act.

(2) The Commissioner may from time to time lay before each House of Parliament such other reports with respect to those functions as he thinks fit.

(3) The Commissioner shall lay before each House of Parliament any code of practice prepared under section 51(3) for complying with a direction of the [F1 Secretary of State], unless the code is included in any report laid under subsection (1) or (2).
