Supervision of codes of conduct

The code of conduct must specify a mechanism for the effective monitoring of compliance with the code. Monitoring means ensuring that the controllers and processors committed to compliance with the code follow the policies outlined in the code. Specifying a monitoring mechanism in the draft code is one of the admissibility criteria for review by the Office of the Data Protection Ombudsman.

In the private sector, compliance with the code of conduct will be monitored by a monitoring body accredited by the Office of the Data Protection Ombudsman. No monitoring body is required for codes of conduct applying to authorities or other public bodies. However, effective monitoring mechanisms must be specified in such codes of conduct as well.

Duties of the monitoring body

Compliance with a code of conduct drawn up for the private sector is monitored by a monitoring body appointed to the task. The monitoring body can be a part of the organisation that prepared the code or an outside body.

The code of conduct must specify how the monitoring body will carry out its duties. For example, the monitoring body can conduct advance evaluations of organisations committing to the code of conduct, conduct studies of the operations of code members, hear complaints about the activities of adherents and participate in the updating of the code of conduct. The monitoring body can also dismiss members for a fixed period or permanently.

The duties of the code of conduct monitoring body do not prejudice the powers of the Office of the Data Protection Ombudsman as a supervisory authority. The supervisory authority also has the power to assess the lawfulness of the processing carried out by the controllers and processors committed to the code of conduct. The monitoring body must report on its activities to the Office of the Data Protection Ombudsman on a regular basis.

Accreditation of the monitoring body

The monitoring body must be independent and objective. It must have sufficient expertise in the sector covered by the code of conduct, as well as appropriate and transparent procedures for ensuring the effective monitoring of compliance with the code of conduct.

The Office of the Data Protection Ombudsman has drawn up more detailed criteria that monitoring bodies must fulfil in order to be accredited. The code owner should consult these accreditation criteria as early as the preparation of the draft code.

The Office of the Data Protection Ombudsman accredits the code of conduct's monitoring body.

The Finnish national supervisory authority's accreditation criteria for monitoring bodies of codes of conduct under the GDPR (PDF)
