Codes of conduct

The codes of conduct provided for in Article 40 GDPR aim at facilitating the effective application of the GDPR, by regulating specific obligations of controllers and processors, for specific areas of activity. Therefore, the codes of conduct shall NOT be drawn up by individual controllers or processors, but by associations or other bodies representing categories of controllers or processors. Hence, that meaning of code of conduct under Article 40 GDPR is different from any other code of conduct a controller may have drawn up for the processing operations they perform.

Codes of conduct are not mandatory but optional. Nevertheless, the Hellenic Data Protection Authority (HDPA) clearly encourages the drawing up of codes of conduct in the sense that they may be a set of specific rules/practices towards compliance with the comprehensive conditions for lawful processing of personal data required by the GDPR, taking account of the specific features of the various processing sectors (Recital 98 GDPR).

When drawing up a code of conduct, or when amending or extending such a code, associations and other bodies representing categories of controllers or processors should consult relevant stakeholders, including data subjects where feasible, and have regard to submissions received and views expressed in response to such consultations. Other information to be taken into account when drawing up a code is described in Article 40(2) GDPR.

The draft of such a code must be submitted to the Authority which gives an opinion on whether the code in question is in conformity with the GDPR and approves it if it considers that it provides sufficient guarantees (whether it is a source code or a modification of an existing one).

A code of conduct approved by the Authority, provided that it is adhered to by a controller or processor, may be used as an element to demonstrate compliance with the obligations of the controller (Article 24(3) GDPR) or as an element to demonstrate that the processor provides sufficient assurance in accordance with Article 28(1) and (4) (Article 28(5) GDPR. In addition, adherence to an approved code of conduct may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of Article 32 on the security of processing (Article 32(3) GDPR), while, furthermore, compliance with approved codes of conduct by controllers or processors shall be taken into due account in assessing the impact of the processing operations performed by such controllers or processors, in particular for the purposes of a data protection impact assessment (Article 35(8) GDPR). In addition, pursuant to Article 83(2) GDPR, when deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given, among other things, to adherence to approved codes of conduct.

Where the draft code, or amendment or extension is approved, and where the code of conduct concerned does not relate to processing activities in several Member States, the HDPA shall register and publish the code (Article 40(6) GDPR). Where the code relates to processing activities in several Member States, the procedures described in paragraphs 7, 8 and 9 of Article 40 GDPR shall be followed.

A code of conduct should contain mechanisms which enable a specific independent body −which has an appropriate level of expertise in relation to the subject-matter of the code− to carry out the monitoring of compliance with its provisions by the controllers or processors which have undertaken to apply it.

It should be noted that the body in question (“monitoring body”) must be specifically accredited for that purpose by the Hellenic DPA. Monitoring bodies have specific obligations in case they identify infringements of the code (Article 41(5) GDPR). The HDPA may revoke at any time the accreditation of a monitoring body, if it finds that it no longer meets the criteria on the basis of which it has been accredited or if the body does not comply with its obligations.

Note: Provisions in relation to the code of conduct monitoring body shall not apply to processing carried out by public authorities and public bodies for which a monitoring body is not required. However, in all other cases of codes of conduct, it is mandatory to have the code monitored by an independent monitoring body and, as a result, the code of conduct which has been submitted for approval should contain a relevant provision.

The Hellenic Data Protection Authority (HDPA), by its Decision 9/2020 (available only in Greek), has decided to set out requirements for the accreditation of monitoring bodies, as specified in Article 41 GDPR, which relate to a code of conduct for which the Authority is competent under Article 55 GDPR.

The HDPA has submitted its draft decision regarding the accreditation requirements in question to the European Data Protection Board (EDPB) pursuant to the consistency mechanism referred to in Article 63 of the GDPR.

The EDPB issued, on the basis of Article 64(1) of the GDPR, the Opinion 20/2020 on the HDPA’s draft decision regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to Article 41 GDPR.

The HDPA, with its decision 26/2020, decided, in accordance with Article 64 (7) of the GDPR, to amend the above requirements based on all the recommendations and encouragements included in the Opinion 20/2020 of the EDPB and communicate the requirements to the EDPB.

The HDPA’s final requirements contained in the Appendix of its decision 26/2020, as amended according to opinion 20/2020 of the EDPB, is published on the HDPA’s online portal, pursuant to Article 57(1p) of the GDPR as well as Article 15(10) of Law 4624/2019^[1].

Where a draft code of conduct relates to the processing of personal data in several Member States, the association drafting it shall submit the code to a competent supervisory authority (substantiating why the supervisory authority in question was considered competent). Subsequently, the competent supervisory authority shall submit the draft, before its approval, to the European Data Protection Board (EDPB) through the consistency mechanism), which provides an opinion on whether the draft code complies with the GDPR. In case the EDPB provides a positive opinion, the opinion shall be submitted to the Commission, which may, by means of implementing acts, decide that the approved codes of conduct (and any amendments or extensions if applicable) have general validity within the Union.

It should be noted that the approved codes of conduct may also be adhered to by controllers or processors that are not subject to the GDPR, in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations (see Transfers of data outside the EU).

The guidelines of the European Data Protection Board on codes of conduct are available here.