The Office of the Data Protection Ombudsman has published accreditation criteria for code of conduct monitoring bodies
Codes of conduct are guidelines for the application of data protection legislation in specific industries. They are approved by the Office of the Data Protection Ombudsman. In the private sector, compliance with these codes of conduct is supervised by a monitoring body accredited by the authorities. The Office of the Data Protection Ombudsman issues such accreditations in Finland. Committing to a code of conduct helps organisations comply with the General Data Protection Regulation and demonstrate accountability.
Codes of conduct are drawn up by associations or other bodies representing the controllers and processors in their industry. Controllers and processors can then commit to the code of conduct to ensure the appropriate application of the GDPR in their industry’s typical data protection issues.
Codes of conduct can be national or international. Certain oversight mechanisms must be followed to ensure that codes of conduct are applied effectively. The parties drafting a code of conduct should propose a monitoring body while the code is still being drafted. A monitoring body accredited by the authority is required if the code of conduct will be applied in the private sector. If the code of conduct applies to an authority or other public bodies, no monitoring body is required.
The monitoring body must have expertise and be neutral
The accreditation criteria of the Office of the Data Protection Ombudsman state that the monitoring body must be independent and neutral. The monitoring body must possess sufficient expertise and follow appropriate and transparent practices to ensure efficient monitoring of compliance with the code of conduct. Furthermore, the monitoring body must file an annual report on its activities to the Office of the Data Protection Ombudsman.
The accreditation criteria now published have been drawn up by the Office of the Data Protection Ombudsman and reviewed by the consistency mechanism of the European Data Protection Board. This joint review by the authorities is intended to harmonise the criteria set for monitoring bodies and the monitoring of codes of conduct across the EEA.
Industry-specific codes of conduct can indicate, for example, how the processing of personal data must be planned and its risks assessed, what kinds of legitimate interests controllers can have, and how the exercise of the data subjects’ rights will be guaranteed. They can also give instructions on matters such as the data protection of children or the pseudonymisation of personal data.
All codes of conduct approved by national supervisory authorities are published on the European Data Protection Board’s website.
- The Finnish national supervisory authority’s accreditation criteria for monitoring bodies under the General Data Protection Regulation (PDF)
- European Data Protection Board's guideline on codes of conduct: Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 (PDF)
Registry of the Data Protection Ombudsman: [email protected]