FRENCH SUPERVISORY AUTHORITY: Code of conduct: publication of the accreditation requirements for monitoring bodies

A code of conduct allows a sector of activity to support the compliance of the professionals concerned, and its application must be monitored by third-party bodies. The CNIL publishes the requirements that enable it to approve these bodies.

Codes of conduct are part of the compliance tools provided by the General Data Protection Regulation (GDPR). They enable a business sector to support the compliance of the professionals concerned through practical and operational recommendations.

When drawing up a code of conduct, the association or federation representing the professionals must organise the monitoring of the code after its approval. For this purpose, the GDPR provides for the intervention of a third-party organisation, which must be accredited by the CNIL in order to fulfil this mission.

The main requirements of the reference system

The accreditation reference system, which received a favourable opinion from the European Data Protection Board (EDPB), makes it possible to check that the future monitoring body provides all the necessary guarantees to fulfil its mission.

These requirements, which may be general or specific, relate in particular to:

  • the independence of the monitoring body and the absence of conflict of interest;
  • the appropriate level of expertise of the auditors;
  • specific security measures;
  • transparent handling of complaints;
  • regular monitoring procedures; and
  • procedures for the adoption of sanctions and other corrective measures.

The control body designated by the code of conduct

The correct application of a code of conduct by its members is subject to regular checks. The CNIL recalls the role and obligations of the control body.

What is the role of this control body?

When developing a code of conduct, the code owner must organise the monitoring of the code after its approval. The GDPR specifies that this activity may be entrusted to a dedicated body whose mission does not interfere with that of the supervisory authorities. It is possible to have recourse to an internal committee in charge of the code or to one or more third party organisations.

The guidelines on codes of conduct adopted by the European Data Protection Board (EDPB) also provide explanations and practical examples of the conditions for the appointment of such a body.

The code of conduct must describe the mechanisms enabling the monitoring body to carry out its tasks. The third-party organisation will use these mechanisms to create the procedures it will implement for the purpose of:

  • carrying out audits before adherence to the code of conduct, or regular audits after adherence, to ensure that the code is correctly applied by members;
  • dealing with complaints about breaches of the code or the way in which the code has been or is being applied by a controller or processor;
  • taking appropriate action in the event of a breach of the code, such as suspension or exclusion of the code member;
  • participating in updating the code of conduct.

How to become a monitoring body?

You can submit a request for approval if the following three criteria are met:

  1. The code of conduct identifies you as a control body.
  2. You meet the requirements defined by the CNIL accreditation framework.
  3. The reference code of conduct is in its final stage of approval by the CNIL or, for European codes, has received a favourable opinion from the European Data Protection Board.

Approval by the supervisory authority

Article 41 of the GDPR provides that the bodies responsible for monitoring compliance with a code of conduct must be approved for this purpose by the competent supervisory authority.

The CNIL, in accordance with Article 57.1(p) of the GDPR, has drawn up a draft reference system for approval which was the subject of a public consultation before being submitted to the European Data Protection Board (EDPB) for its opinion. On the basis of this opinion, the CNIL adopted its reference system for the approval of bodies responsible for monitoring compliance with codes of conduct.

Before submitting an application for approval to the CNIL, the applicant must therefore ensure that it is able to meet the requirements listed in the approval reference system adopted on 24 July 2020. The applicant may in particular rely on a table providing examples of documents that can be produced to demonstrate compliance.

This standard has two main categories of requirements: general and specific requirements.

What are the general requirements of the accreditation framework?

The control body must demonstrate good management of its activity by establishing:

  • that all processing operations carried out as part of its missions comply with the GDPR;
  • that it has human, financial and material resources commensurate with the scope of the code of conduct;
  • that it carries out the tasks provided for in the code of conduct;
  • that it keeps the documents relating to the performance of its missions in such a way as to preserve their confidentiality, or destroys them permanently and securely if they prove to be no longer needed;
  • that it respects the security measures put in place by the members of the code in the exercise of its missions.

What are the specific requirements of the accreditation framework?

The control body must demonstrate that it provides sufficient guarantees in relation to:

  • its independence:

This independence must be functional, material and decision-making. It can be demonstrated by establishing formal rules and procedures governing the designation, mandate and functioning of the control body. The applicant may provide documents or procedures that clearly establish the division of staff roles, the functioning of the decision-making process and the reporting procedures.

  • the absence of conflict of interest:

Internal procedures must be in place to prevent conflicts of interest. The body must remain free from any external influence and refrain from any action incompatible with its missions and functions.

  • the appropriate level of competence of its members:

Staff, both operational and decision-making, must possess the skills and experience required by the Code of Conduct and the accreditation framework. Each application for approval will be assessed taking into account the specific competence requirements defined by the code in question.

  • regular, complete and transparent control procedures:

The control procedure used by the control body must be regular, complete and transparent for the members of the code of conduct. It may include unannounced audits, annual inspections, periodic reports and the use of questionnaires, but it must be based on objective criteria and correspond to the framework established by the code of conduct.

  • the transparent procedure for handling complaints:

The supervisory body must establish procedures that allow for impartial and objective handling of complaints about violations of the code or the way in which the code is applied by a member. This procedure must be transparent and comprehensible.

Complaints must be handled with sufficient resources and the staff involved must demonstrate sufficient knowledge and impartiality.

  • the CNIL communication and information procedure:

This procedure allows the CNIL to be informed of decisions taken by the control body, in particular according to the seriousness of such decisions, and within a reasonable time frame.

  • the procedure relating to the mechanisms for reviewing the code of conduct:

The control body is associated with the revision of the code when this is decided by the owner. It must then implement the procedures to incorporate the changes decided by the code owner.

  • its status and responsibilities, in particular in the context of subcontracting its missions:

The body is responsible for its actions before the supervisory authority, including in the case of subcontracting.

It will have to justify the appropriate and necessary resources for the continuous exercise of its missions.

  • the procedure for the adoption of sanctions and corrective measures:

A code of conduct must include the matrix of corrective measures that can be applied by the control body. The control body must demonstrate that procedures have been established to enable it to take the decisions and sanctions provided for in the code of conduct.

To this end, a model letter of formal notice or reminder may be submitted, in particular, as well as a document establishing a procedure for handling disputes.

How long is an authorisation valid for?

The period of validity of an authorisation is five years.

How and when is it approved by the CNIL?

Organisations must first contact the bearer of the code to express their interest in being identified as a control body. Then, they must wait until the reference code of conduct is in the final approval phase before submitting an application for approval to the CNIL. Indeed, the procedures to be implemented by the control body will depend on the mechanisms provided for in the code.

For European codes, the application for authorisation may be submitted after a favourable opinion of the EDPB on the reference code of conduct.

What is the procedure for preparing an application for authorisation?

Once the application for approval has been submitted, the completeness of the file is examined by the CNIL services within ten days.

If the file is not complete, an additional request is sent by the CNIL. If there is no response from the applicant within the allotted time, the file is closed as is.

If the file is complete, the CNIL will send an acknowledgement of receipt within ten days. After examining the file and subject to compliance with the requirements of the standard, the CNIL decides in plenary session on the adoption of the authorisation decision. This decision shall be notified to the applicant. The CNIL will publish the list of approved organisations on its website.

How do I renew my accreditation?

The request for renewal of the authorisation is submitted electronically, at the latest six months before the expiry date (if the authorisation expires on 31 July 2020, the request for renewal must be sent to the CNIL by 31 January 2020). As part of the examination of the renewal request by the Commission services, the communication of any document may be requested.

How can I change my approval?

In the event of a substantial change affecting a previously authorised monitoring body, you must inform the CNIL immediately. Any substantial change may lead to a revision of the application for authorisation. A substantial change could result, for example, from an acquisition of a shareholding that would call into question the independence of the body, a reorganisation that would lead to its establishment outside the European Union, or an alteration of its resources that would no longer allow it to guarantee the continuity of its control activities.

Suspension or withdrawal of accreditation

If a monitoring organisation no longer meets the approval requirements, or if the measures taken by the organisation constitute a violation of the GDPR, the CNIL's restricted committee (formation restreinte) may order the suspension or withdrawal of the approval.

Failure by a monitoring organisation to comply with its obligations may also expose it to an administrative penalty of up to €10,000,000 or up to 2% of its annual worldwide turnover.

Reference texts

Article 41 of the GDPR

Code of conduct guidelines approved by the European Data Protection Board (EDPB)

SOURCE: FRENCH DATA PROTECTION AUTHORITY – CNIL