The GDPR encourages the drawing-up of sector-specific rules intended to contribute to the proper application of the GDPR, whilst taking into account the peculiarity of certain industries and the needs of micro, small and medium-sized enterprises. These rules are referred to as “codes of conduct”, and their objective is to specify general data protection obligations into sector-specific rules to be followed by adhering controllers and processors on a voluntary basis. Furthermore, under certain conditions, a code of conduct may also be adhered to and used by controllers or processors not subject to the GDPR located in third countries for the purpose of providing appropriate safeguards to data transferred to third countries.
Compliance with codes of conduct must be monitored by a body with expertise in relation to their subject-matter. The capacity of a monitoring body to effectively monitor a code of conduct is assessed by the competent supervisory authority in the context of a formal accreditation process based on requirements issued by each supervisory authority.
The IDPC submitted its draft accreditation requirements to the EDPB through the consistency mechanism. As a result of the process, the EDPB issued an opinion which the IDPC accepted to follow. The IDPC therefore implemented all recommendations and encouragements included in the opinion by amending its draft requirements accordingly.
The final version of the accreditation requirements for code of conduct monitoring body can be downloaded on the link provided below.
The IDPC warmly welcomes initiatives on codes of conduct by interested parties and it is available to provide all the necessary assistance in this respect.
Accreditation requirements for code of conduct monitoring bodies