
IT Lexicon

Code of Conduct

Codes of conduct are voluntary accountability tools that set out specific rules for the protection of personal data for certain categories of data controllers and processors.

They are intended to contribute to the proper implementation of the GDPR taking into account the specificity of the different sectors of personal data processing and the specific needs of micro, small and medium-sized enterprises.

They are binding on the organizations that adhere to them and thus constitute a legally binding tool.

They thus contribute to the accountability of the adhering organizations, since adherence allows them to demonstrate their compliance by documenting their good practices, and they result from a voluntary approach. They can also create a climate of confidence for the individuals concerned, as well as legal certainty for the organizations in the sectors concerned.

Codes of conduct may include, but are not limited to, the following topics:

  • Fair and transparent treatment;
  • Legitimate interests pursued by data controllers in specific contexts;
  • Collection of personal data;
  • Pseudonymization of personal data;
  • Information provided to individuals and the exercise of their rights;
  • Information provided to children and protection for children;
  • Technical and organizational measures;
  • Notification of data breaches;
  • Transfers of data outside the EU;
  • Dispute resolution procedures.

Codes of conduct may also provide appropriate safeguards in the context of transfers of personal data to a third country or an international organization if the data controller or processor makes a binding and enforceable commitment to implement them.

Member States, supervisory authorities, the European Data Protection Board and the European Commission shall encourage the development of codes of conduct by associations and other bodies representing categories of data controllers or processors.

Prior to their application, the codes of conduct drawn up must be approved and then published by the competent supervisory authority, which is required to record them in a register available to the public.

In order to be approved by the supervisory authority, the drafters of a code of conduct must be able to demonstrate, among other things:

  • That the code meets a particular need;
  • That the code facilitates the effective application of the GDPR;
  • How the code supports the practical application of the GDPR.

Since they are binding on the member organizations, their correct application is regularly verified by the monitoring body provided for in the code of conduct concerned.

GDPR Point

“When drawing up a code of conduct, or when amending or extending such a code, associations and other bodies representing categories of controllers or processors should consult relevant stakeholders, including data subjects where feasible, and have regard to submissions received and views expressed in response to such consultations.”

Recital 99 of the GDPR

Point of jurisprudence

The Austrian supervisory authority considers that “accreditation of an inspection body that the code of conduct holder expressly rejects is excluded, as is accreditation of a competing inspection body if the code of conduct holder has already expressly indicated its support for another applicant for accreditation”.

Datenschutzbehörde, September 28, 2020, No. 2020-0.605.768

The Bouchara firm assists you in particular with:

  • Making your organization GDPR compliant;
  • The drafting of data protection policies (privacy policy, IT charter, etc.);
  • Documentation of your processing (register of processing activities, data breach register, privacy impact assessment, prior consultation, etc.);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.