Article 40 of GDPR: Codes of Conduct
Article 40 of GDPR concerns the drawing up of codes of conduct, encouraged by the authorities governing GDPR, to help micro, small and medium-sized businesses comply with GDPR.
Drawing up codes of conduct (Article 40(1) GDPR)
Considering that the obligations of GDPR can be quite onerous for micro, small and medium-sized companies, the regulation invites the supervisory authorities, the Board and the Commission to encourage the drawing up of codes of conduct for the application of GDPR in different processing sectors.
Associations may prepare codes of conduct (Article 40(2) GDPR)
In addition to the supervisory authorities, the Board and the Commission, associations or other bodies representing categories of data controllers or data processors can prepare codes of conduct for the application of GDPR taking into consideration the following:
- Fair and transparent processing (Article 40(2)(a) GDPR)
- Legitimate interest of the controller or processor (Article 40(2)(b) GDPR)
- The data collection process (Article 40(2)(c) GDPR)
- Pseudonymization of personal data (Article 40(2)(d) GDPR)
- Information disclosed to the data subjects (Article 40(2)(e) GDPR)
- Data subjects' exercise of their rights (Article 40(2)(f) GDPR)
- The protection of children (Article 40(2)(g) GDPR)
- Technical and organizational measures to protect personal data (Article 40(2)(h) GDPR)
- Data breach notification to the supervisory authority and data subjects (Article 40(2)(i) GDPR)
- Transfer of personal data outside of European Union member states (Article 40(2)(j) GDPR)
- Dispute resolution processes between controllers and data subjects (Article 40(2)(k) GDPR)
Adherence to codes of conduct by third-country organizations (Article 40(3) GDPR)
Data controllers and data processors not subject to GDPR under Article 3, which defines GDPR's territorial scope, may make a binding and enforceable commitment, by contract or other legal instrument, to abide by a code of conduct, thereby undertaking to provide appropriate safeguards for the rights of data subjects.
Monitoring mechanisms in the code of conduct (Article 40(4) GDPR)
When drawing up a code of conduct, care must be taken to ensure that it provides for a monitoring mechanism allowing accredited bodies to monitor compliance with the provisions of the code of conduct by the data controllers and data processors that undertake to apply it.
The powers granted to an accredited body do not affect the powers given to supervisory authorities under GDPR.
Code of conduct approval by the supervisory authority (Article 40(5) GDPR)
When an association or a body intends to adopt a code of conduct, it must submit a draft of the same to the competent supervisory authority for approval.
The supervisory authority will issue an opinion as to whether the draft code of conduct complies with GDPR and approve it if it provides sufficient safeguards for the rights protected under GDPR.
Code of conduct impacting one EU country (Article 40(6) GDPR)
When a draft code of conduct is approved and does not concern data processing activities involving several European Union member states, the supervisory authority must register and publish the code.
Code of conduct impacting several EU countries (Article 40(7) GDPR)
When a draft code of conduct relates to data processing activities impacting several EU member countries, the supervisory authority should submit it to the Board for an opinion before approving the draft.
The European Union Data Protection Board will then issue its views on whether or not the code of conduct provides for the appropriate levels of safeguard intended for the data processing.
Board’s opinion to the Commission (Article 40(8) GDPR)
When the European Union Data Protection Board approves a draft code of conduct it had received from a supervisory authority, it should submit its opinion to the European Commission.
Implementing acts of the European Commission (Article 40(9) GDPR)
The European Commission may decide, by way of implementing acts, that an approved code of conduct has general validity within the EU.
The implementing acts will follow the procedures outlined in Article 93(2) of GDPR.
Publicity of the approved code of conduct (Article 40(10) GDPR)
When the European Commission approves a code of conduct by way of implementing acts for general validity across the EU nations, it must ensure that the implementing act obtains the appropriate level of publicity.
Implementing act registry (Article 40(11) GDPR)
The European Union Data Protection Board should create a register where all the approved codes of conduct are made publicly available.
Recitals applicable to Article 40 of GDPR
Relevant Recitals: 98, 99
Cited Legislation in Article 40 or relevant recitals
GDPR Text: Article 40 of GDPR and Relevant Recitals
GDPR Text Source: EUR-Lex
Official GDPR Text: General Data Protection Regulation
Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679)