Christophe Buschmann, Director

Key facts

  • Approved codes of conduct and approved certification mechanisms are both voluntary instruments of GDPR self-regulation, and the GDPR attaches a number of explicit advantages to each.
  • They differ in scope and purpose: codes of conduct are drawn up to make the GDPR easier to apply internally within a sector, whereas certification is aimed at outward transparency towards data subjects, clients and supervisory authorities.
  • Using both instruments makes sense. Combined, they send a clear signal that the company takes a responsible attitude to personal data.

The General Data Protection Regulation (GDPR) addresses approved codes of conduct and approved certification mechanisms in consecutive provisions (Art. 40 to 43 GDPR), and elsewhere it frequently names the two together as a means of demonstrating compliance with specific obligations. Nevertheless, the two instruments differ considerably. Here we look at both and clarify whether it makes sense to use them as alternatives or on a complementary basis.

Codes of conduct: The advantages

Let’s look at approved codes of conduct first (Art. 40 GDPR). They serve as a voluntary means of self-regulation and can be drawn up by associations and other bodies representing categories of controllers or processors, in order to specify how the GDPR is to be interpreted and applied in a particular sector. Such codes of conduct may apply to controllers, to processors, or to both. An example of a code of conduct that applies purely to processors is the EU Cloud Code of Conduct.

Member States and supervisory authorities, as well as the European Data Protection Board (EDPB) and the EU Commission, are expressly tasked with promoting codes of conduct and encouraging associations to draw them up, just as they are for certification mechanisms. For those who adhere to an approved code of conduct, the GDPR explicitly provides a number of advantages that act as an incentive:

  • Demonstration of sufficient guarantees by the processor (Art. 28(5) GDPR)
  • Demonstration that the controller’s and processor’s technical and organisational measures provide an appropriate level of security (Art. 32(3) GDPR)
  • Due account of adherence to the code when assessing the impact of processing operations in a data protection impact assessment (Art. 35(8) GDPR)
  • Appropriate safeguards for transfers to third countries, together with binding and enforceable commitments by the recipient (Art. 46(2)(e) GDPR)
  • Due regard when deciding whether to impose a fine and in what amount (Art. 83(2)(j) GDPR)

Monitoring may be performed by an internal body

A code of conduct must contain a mechanism that enables compliance with it to be monitored (Art. 41 GDPR). The monitoring body entrusted with this task must have demonstrated the required independence and expertise and must be accredited by the competent supervisory authority. It may nevertheless be set up within the association’s own structures. For example, the monitoring body for the EU Cloud Code of Conduct is the Belgian SCOPE Europe b.v.b.a, a subsidiary of Selbstregulierung Informationswirtschaft e.V.

The details of the monitoring process must be laid down in the code of conduct itself. Compared with certification procedures, however, the drafters have considerable latitude in how they define it.

For a code of conduct to have legal effect and for the advantages listed above to apply, it must be approved by the competent supervisory authority. If the code is confined to processing in a single Member State, the national supervisory authority approves, registers and publishes it. If the code concerns processing activities in several Member States, the supervisory authority must in addition submit the draft to the EDPB, which issues an opinion before the code can be approved.

Certification: The advantages

A closer look at certification mechanisms and data protection seals and marks (Art. 42 GDPR) shows that they, too, serve as voluntary proof that the processing operations of controllers and processors comply with the GDPR. Accordingly, the Member States, the supervisory authorities, the EDPB and the Commission are likewise required to encourage their establishment.

The processing operations to be certified must meet criteria approved by the competent supervisory authority or, for an EU-wide scheme, by the EDPB. Compliance with those criteria is verified by an accredited certification body (Art. 43 GDPR); a certificate is issued for a maximum of three years and must be renewed, so the assessment is repeated at regular intervals. A distinction is made between certification mechanisms with a national scope and the European Data Protection Seal, which is based on criteria approved by the EDPB and is valid EU-wide. Within the limits of the chosen scheme, controllers and processors are in principle free to have any of their processing operations certified. For certification, too, the GDPR provides the following advantages as an incentive:

  • Demonstration of sufficient guarantees by the processor (Art. 28(5) GDPR)
  • Demonstration that the controller’s and processor’s technical and organisational measures provide an appropriate level of security (Art. 32(3) GDPR)
  • Appropriate safeguards for transfers to third countries, together with binding and enforceable commitments by the recipient (Art. 46(2)(f) GDPR)
  • Due regard when deciding whether to impose a fine and in what amount (Art. 83(2)(j) GDPR)
  • Demonstration of compliance with the requirements of data protection by design and by default (Art. 25(3) GDPR)

Codes of conduct make internal GDPR application easier. The purpose of certification is outward transparency.

At first glance, the two instruments appear quite similar. There are, however, essential differences, specifically with regard to the benefits they offer. Adherence to an approved code of conduct must be taken into account in a data protection impact assessment (Art. 35(8) GDPR), whereas certification is not mentioned there. Conversely, only certification can be used to demonstrate compliance with data protection by design and by default (Art. 25(3) GDPR); codes of conduct have no such function.

There are also differences in scope. Codes of conduct are a form of internal self-regulation: their purpose is to make the GDPR easier to apply within a sector. Certification, by contrast, is an outward-facing tool. Its purpose is to provide transparency by evidencing that specific processing operations comply with the GDPR and meet a high standard of data protection.

Certification therefore requires an independent assessment of whether the processing operations in question actually meet the approved criteria. The accreditation requirements for certification bodies are correspondingly strict.

The 1995 Data Protection Directive already provided for codes of conduct, but only a modest number were drawn up at the time, and the Directive imposed no monitoring obligation. Compulsory monitoring, which certification mechanisms have always entailed, was only introduced with the GDPR. This suggests that the legislator did not consider an unmonitored code of conduct sufficient on its own.

Certifications are better for gaining a competitive edge, and are more flexible

Certification, moreover, does more than improve GDPR compliance: it can also provide a competitive edge by giving data subjects a quick overview of the level of data protection offered by the products and services concerned. The same applies to B2B clients comparing potential processors. Codes of conduct offer this to a certain extent as well, but one can assume that most companies in a sector will adhere to the relevant code. This lessens the competitive advantage: if all competitors subscribe to the same code of conduct, it no longer distinguishes between them.

Another advantage of certification over codes of conduct is its relative flexibility. If the scheme’s criteria permit, controllers and processors are free to choose which processing activities to certify. These may be the highest-risk operations, for example those involving the largest volumes of personal data, or those that attract the most attention from customers or supervisory authorities. A code of conduct, on the other hand, is limited to the areas determined by the issuing association, and because it is intended to apply to a large number of companies, it must necessarily remain at a certain level of abstraction.

Combining certifications and codes of conduct makes sense

Fortunately, certification mechanisms and codes of conduct are not mutually exclusive, so controllers and processors that already adhere to a code of conduct can also benefit from certification. The processing operations best suited to certification are those that fall within the scope of the GDPR requirements set out in the code of conduct. In this way the company can demonstrate that these operations comply both with the GDPR and with the code. The EDPB likewise emphasises that certification and codes of conduct should be “interoperable”.

To conclude, codes of conduct and certifications complement one another. Each instrument has clear advantages of its own, but combining the two sends a clear signal that the company takes a responsible attitude to personal data. In short, where the opportunity arises, controllers and processors should have their trade associations draw up codes of conduct, have them approved and adhere to them. In addition, they should always consider certification to gain the further advantages it offers.

We support you
Do you want to get certified? Our experts are happy to advise you. Please contact us if you are interested in certification and/or codes of conduct.