Codes of Conduct

​​​​​​​Codes of conduct are sector-specific guidelines on the application of data protection legislation. They are intended to help organisations comply with data protection requirements with concrete and practical instructions.

By committing to follow a code of conduct, controllers and processors can demonstrate compliance with data protection legislation and best practices in data protection issues typical for their sector.

The codes of conduct are drawn up by the sectors themselves. Codes of conduct are based on the requirements of the General Data Protection Regulation (GDPR) but set higher standards for their members than the minimum required by the GDPR. Codes of conduct are typically developed and administered by a trade association or other organisation representing the controllers or processors. Codes of conduct are particularly useful for small and medium-sized organisations.
Codes of conduct can also be used as tools for transfers of personal data out of the European Economic Area.

European Data Protection Board guideline on codes of conduct as tools for transfers (PDF)

Why are codes of conduct useful?

  • They define common best practices for the implementation of data protection in a specific sector.
  • They harmonise data protection practices with concrete, sector-specific rules.
  • They respond to the challenges faced by small and medium-sized companies by offering simple and practical tools to support compliance with data protection regulations.
  • They help organisations demonstrate compliance with the GDPR.
  • They can build trust among customers and partners.

National or international codes of conduct?

Codes of conduct can be national or international in scope. An international code of conduct applies to processing activities carried out in more than one Member State.

In Finland, the Office of the Data Protection Ombudsman approves national codes of conduct. International codes of conduct can be delivered to the Office of the Data Protection Ombudsman for review and approval if, for example, the owner or monitoring body of the code of conduct is headquartered in Finland.

More information on the procedures applied to international codes of conduct is available in the European Data Protection Board's guideline, particularly in chapter 8 and Annexes 1, 2 and 4.

European Data Protection Board's guideline on codes of conduct (PDF)​​​​​​​​​​​​​​

Read more about codes of conduct