The review and approval of codes of conduct at the Office of the Data Protection Ombudsman
The Office of the Data Protection Ombudsman reviews and approves national codes of conduct applied in Finland. The criteria for the content of codes of conduct are based on the EU General Data Protection Regulation and the guidelines adopted by the European Data Protection Board (EDPB), which provide practical instructions for and examples of drawing up codes of conduct.
European Data Protection Board's Guideline on Codes of Conduct (PDF)
The Office of the Data Protection Ombudsman reviews the contents of a draft code of conduct in two stages
1. In the first stage, the Office of the Data Protection Ombudsman assesses whether the draft code fulfils the criteria laid down in the EDPB guideline for admissibility.
- If the criteria are met, the Office of the Data Protection Ombudsman notifies the author of the draft code that the review will proceed to the second stage, if necessary.
- If the criteria are not met, the Office of the Data Protection Ombudsman notifies the author of the draft code that the draft has been rejected and states the grounds for the rejection.
2. In the second stage, the Office of the Data Protection Ombudsman assesses whether the draft code meets the criteria for approval laid down in the EDPB guideline.
- If the criteria are met, the Office of the Data Protection Ombudsman notifies the author of the draft code that the draft has been accepted as a code of conduct.
- If the criteria are not met, the Office of the Data Protection Ombudsman notifies the author of the draft code that the draft has been rejected and states the grounds for the rejection.
If the Office of the Data Protection Ombudsman rejects the draft code in the first or second review stages, the author can make changes to the draft based on the grounds for the rejection provided by the Office of the Data Protection Ombudsman and resubmit the edited draft to the Office of the Data Protection Ombudsman for approval.
If the Office of the Data Protection Ombudsman approves the draft code, it will register the code of conduct and publish it on the Office's website. The Office of the Data Protection Ombudsman also submits the approved code of conduct to the EDPB for publication.
Material changes to the code of conduct must be submitted to the Office of the Data Protection Ombudsman for approval. Changes such as adding new rules to the code of conduct can be considered material, but minor changes that have no bearing on the application of the code of conduct do not require approval.
When is a code of conduct admissible for review?
1. A draft code must include an introduction describing the purpose of the code of conduct, its scope of application and how the code would facilitate the application of the GDPR.
2. The representativeness of the code owner must be demonstrated, for example based on the number of organisations represented by the owner, the potential number of code members, and the owner's familiarity with the sector or its typical personal data processing activities.
3. The code of conduct must specify its substantive scope of application (the personal data processing covered by the code).
4. The code of conduct must specify its territorial scope of application, i.e. whether the code is national or international (the state or states in which the code is applied to processing activities).
5. A monitoring body must be appointed for monitoring compliance with codes of conduct for the private sector.
6. No monitoring body is required for codes of conduct applying to the processing of personal data by authorities or public bodies. However, mechanisms for monitoring compliance with the code of conduct must still be specified for such codes of conduct.
7. The draft code owner must submit a summary of the consultations of the sector and, where feasible, the data subjects.
8. The code owner must attest that the draft code complies with national legislation. This is especially important when special legislation applies to the processing.
9. The code of conduct must be drawn up in the language of the competent authority. A draft code applied in several Member States can also be submitted in English.
10. The draft code must be submitted to the competent supervisory authority for approval.
When can a code of conduct be approved?
The Office of the Data Protection Ombudsman assesses the draft code against the approval criteria only after it has been found to meet the admissibility criteria listed above.
A draft code must meet the following criteria to be accepted.
1. The code of conduct fulfils a specific need. It addresses questions of data protection in a specific sector. Such questions can be broad or focus only on specific processing activities.
2. The code of conduct facilitates understanding and practical application of the GDPR, especially to people who are not data protection experts.
3. The code of conduct clarifies the application of the GDPR in a specific sector. The code of conduct specifies organisational measures and concrete solutions which members can apply to ensure compliance with the GDPR.
- When drawing up the code of conduct, care must be taken not to repeat or reformulate the GDPR.
4. The code of conduct offers adequate safeguards for limiting the risks involved in personal data processing (such as best practices for the protection of personal data).
5. The code of conduct includes a mechanism that permits effective monitoring for ensuring compliance with the code.
Checklist for submitting a draft code of conduct
1. Have you provided an explanatory statement for the draft code and all relevant supporting documentation?
2. Are you an association or other body representing categories of controllers or processors?
3. Have you provided details in your submission to substantiate that you are an effective representative body that is capable of understanding the needs of your members?
4. Have you clearly defined the processing activity or sector and the processing problems that the code is intended to address?
5. Have you identified the territorial scope of your code and included a list of all concerned supervisory authorities (where applicable)?
6. Have you provided details to justify the identification of the competent supervisory authority?
7. Have you included mechanisms that allow for the effective monitoring of compliance with the code?
8. Have you identified a monitoring body and explained how it will fulfil the code monitoring requirements?
9. Have you included information as to the extent of consultation carried out in developing the code?
10. Have you provided confirmation that the draft code is compliant with Member State law(s), where relevant?
11. Have you met the language requirements?
12. Does your submission include sufficient details to demonstrate the proper application of the GDPR?
Source: EDPB guideline on codes of conduct, Appendix 3