Other Info

Other GDPR information includes the use of codes of conduct and certifications. Because verifying the compliance of every data processor and controller is a heavy task for any regulator, the GDPR enables the use of codes of conduct and certifications. Their purpose is to provide guidance on the Regulation’s requirements, and to let data subjects and regulators know that a company is in compliance with the GDPR.

Codes of conduct

These codes of conduct are created by associations or representative bodies, and are then approved, registered and published by a supervisory authority, or by the European Data Protection Board (if the processing activities take place in more than one member state).

Codes of conduct may also be issued by the EDPB, and afterwards enforced by the European Commission as having general validity within the EU.


The codes of conduct should comprise information on areas such as:

COLLECTION OF PERSONAL DATA

DATA PSEUDONYMISATION

DATA SUBJECTS’ RIGHTS EXERCISE

THE REAL INTEREST IN THE DATA

BREACH NOTIFICATIONS

DATA PROTECTION OBLIGATIONS OF DATA CONTROLLERS

DISPUTE RESOLUTION PROCEDURES

If the codes of conduct are prepared by private associations, Recital 99 encourages them to consult stakeholders, such as data subjects where possible, and to take their views into account.

For data importers located outside of the EU, adhering to such codes is a way to prove that they have implemented the necessary measures for transfers according to Article 46. In addition, it allows data controllers and processors to comply with the standards and to be regarded as doing so.

Codes of conduct are a good way to establish and update the best compliance practice in custom processing contexts.

Certifications, Marks and Seals

Similar to codes of conduct, certifications, seals and marks are another mechanism that enables businesses to prove their GDPR compliance to potential customers.

Under the GDPR, certifications are issued by an accredited certification body, by EU member states, or by the EDPB.


The certifications are not mandatory, but they do come with two key advantages:

THEY ALLOW BOTH CONTROLLERS AND PROCESSORS TO PROVE THEY ARE COMPLIANT, ESPECIALLY WITH RESPECT TO THE IMPLEMENTATION OF ORGANIZATIONAL OR TECHNICAL MEASURES.

THEY CAN DEMONSTRATE THAT DATA IMPORTERS WHICH ARE NOT LOCATED WITHIN THE EU HAVE IMPLEMENTED MEASURES FOR RESPECTING ARTICLE 46.

The criteria for issuing these certifications will be established by the EDPB and will be made available to the public.