On March 4, 2022, the European Data Protection Board (EDPB) announced that it had adopted its final guidelines on codes of conduct for data transfers under the GDPR. The guidelines adopted by the EDPB provide clarification on the use of codes of conduct under Article 40(3) and Article 46(2)(e) of the GDPR including the different actors involved in the development of different codes of conduct, what should be included in codes of conduct for data transfers, and the processes for adopting codes of conduct.
The latest EDPB guidelines seek to complement and clarify the Guidelines on Codes of Conduct and Monitoring Bodies under the GDPR by including a checklist detailing what should be included in codes of conduct for data transfers as well as flowcharts outlining the adoption and amendment processes for codes of conduct.
Download the eBook: Understanding data transfers under the GDPR eBook
What are codes of conduct for data transfers?
Article 46 of the GDPR outlines that, in the absence of an adequacy decision, data controllers and data processors may transfer personal data to a third country subject to appropriate safeguards. More specifically, Article 46(2)(e) states that codes of conduct, approved by the relevant supervisory authority in line with Article 40, can be used to provide a binding and enforceable commitment between the data controller and the data processor to ensure adequate measures are taken to protect personal data during third-country data transfers. The EDPB guidelines highlight that the binding commitment entered into by both parties can be made through a contract or other legally binding instrument.
GDPR codes of conduct represent a broad mechanism that can be used to define a set of rules related to the processing of personal data. Codes of conduct are typically prepared by an entity, association, or federation that represent large categories of data controllers and data processors, such as industry-specific associations or trade groups. This allows a degree of flexibility for intra-industry data flows provided data controllers and data processors adhere to approved codes of conduct.
In its guidelines, the EDPB describes a scenario where a cloud service provider in a third country with no EU presence is contracted by a data controller based in the EU. In this instance it is more appropriate in terms of GDPR compliance for the cloud service provider to frame its data transfers under an approved code of conduct as it has no presence in the EU, nor is it part of the wider group of undertakings based in the EU. This means that it would be unable to rely on transfer mechanisms such as Binding Corporate Rules (BCRs). In this same scenario, the broad set of rules that are outlined in approved codes of conduct makes them a practical alternative to Standard Contractual Clauses (SCCs) which only apply to the specific data processing activities agreed upon entry into the contract between the data controller and data processor. Therefore, for each new processing activity between the data controller and the data processor, a new contract would need to be drawn up.
What parties are responsible for developing codes of conduct and what are their roles?
The EDPB guidelines highlight the five actors involved in the process of developing, monitoring, and approving codes of conduct, each with its role to play.
- Code Owners – The entity that prepares a code of conduct or makes amendments to an approved code of conduct. Code owners also submit the code of conduct to the relevant supervisory authority for approval.
- Monitoring Bodies – Each code of conduct needs to include details of a monitoring body that will need to be accredited by the supervisory authority. The monitoring body is responsible for ensuring third-country data controllers and data processors adhere to the code of conduct. As such, the monitoring body should be capable of monitoring the code of conduct effectively.
- Supervisory Authorities – The role of the supervisory authority concerning codes of conduct is to consider and approve proposed codes of conduct as well as accrediting monitoring bodies.
- EDPB – The EDPB is required to provide an opinion on draft decisions made by supervisory authorities relating to a proposed code of conduct or amendment to the existing approved code of conduct.
- European Commission – The European Commission may adopt an approved code of conduct for general validity in the European Union. Only codes of conduct that have been granted general validity may be relied upon for framing transfers.
Annex 1a – Adoption of a Transnational Code Intended for Transfers
Source: European Data Protection Board Guidelines 04/2021 on Codes of Conduct as tools for transfers
Annex 1b – Amendments to a Transnational Code to be Used as a Code Intended for Transfers
Source: European Data Protection Board Guidelines 04/2021 on Codes of Conduct as tools for transfers
What should be included in codes of conduct?
The EDPB guidelines on codes of conduct for data transfers summarize the elements that need to be included in a proposed code of conduct for it to ensure it provides a level of personal data proception consistent with other transfers tools listed under Article 46 of the GDPR. The EDPB guidelines also take into account the CJEU’s decision in the Schrems II case and include the relevant supplementary measures that must be considered in any code of conduct for data transfers. A code of conduct intended for transfers should include the following:
- A description of the data transfers
- nature of data transferred
- categories of data subjects
- import/export countries, etc.
- A description of the data protection principles to be complied with
- transparency
- fairness and lawfulness,
- purpose limitation
- data minimization
- accuracy, etc.
- The measures taken to comply with the accountability principle
- Demonstration of appropriate governance through DPOs or privacy staff responsible for compliance with data protection obligations resulting from the code
- Existence of a suitable data protection training program
- Existence of a data protection audit conducted by either internal or external auditors or another internal mechanism for monitoring compliance
- The measures taken to comply with the transparency principle
- The provision of data subject rights
- Right to access
- Right to rectification
- Right to erasure
- Right to object, etc.
- Existence of an appropriate complaint handling maintained by the monitoring body
- A guarantee that the third-country data controller or data processor has no reasons to believe that the legal framework in the third country will prevent it from fulfilling its obligations under the
- Mechanisms for dealing with amendments to the code
- Consequences of withdrawal from the code
- Commitments for the code member and monitoring body to cooperate with supervisory authorities in the EEA
- A commitment that the code member accepts is subject to the jurisdiction of EEA supervisory authorities to ensure compliance with the code of conduct and EEA courts.
- An outline of the selection criteria for the monitoring body of the code
Next steps
The EDPB’s final guidelines on codes of conduct as a transfer tool were adopted on February 22, 2022, following a public consultation. The guidelines should now bring clarity to the application of Articles 40(3) and 46(2)(e) of the GDPR and allow for the use of codes of conduct to be adopted in compliance with the regulation.
