Article 41 GDPR (Monitoring of Approved Codes of Conduct)

Article 41 of GDPR: Monitoring of Approved Codes of Conduct

Article 41 of GDPR gives power to accredited bodies to ensure organizations comply with the code of conduct to which they adhered to.

Power of accredited bodies (Article 41(1) GDPR)

GDPR provides the necessary power to the accredited bodies, having a degree of expertise and knowledge with respect to data protection and privacy laws, to monitor those companies having adhered to a code of conduct.

The powers given to these accredited bodies does not affect the powers granted to the supervisory authorities under GDPR.

Accreditation of bodies under GDPR (Article 41(2) GDPR)

To be accredited under GDPR, bodies who wish to monitor compliance with a code of conduct must demonstrate the following:

  1. Have subject-matter expertise and demonstrate it can act independently to the satisfaction of the supervisory authority (Article 41(2)(a) GDPR)
  2. Demonstrate an established procedure allowing the body to assess a company’s eligibility to apply for the code of conduct, monitor the company and review its own operations (Article 41(2)(b) GDPR)
  3. Implement procedures allowing data subjects to file complaints and for those complaints to be handled based on the provisions of the code of conduct (Article 41(2)(c) GDPR)
  4. It is not in a conflict of interest of any kind (Article 41(2)(d) GDPR)

Accreditation criteria (Article 41(3) GDPR)

The supervisory authority should submit the draft of the accreditation criteria of a body to the EU Data Protection Board in accordance with the consistency mechanism referred to under Article 63 of GDPR.

Duties of the accredited body (Article 41(4) GDPR)

The accredited body must take appropriate actions in the event a data controller or data processor infringes the code of conduct.

Such measures can include the suspension or even the exclusion of the company from the code of conduct.

If a company is suspended or excluded, the accredited body must inform the competent supervisory authority of its actions and the justification for its decision.

Revocation of accreditation (Article 41(5) GDPR)

The competent supervisory authority must revoke an accredited body in the following instances:

  1. The body no longer meets the accreditation criteria 
  2. The body infringes GDPR

Public authorities excluded (Article 41(6) GDPR)

The provisions of Article 41 in regards to accreditation and the monitoring of approved codes of conduct do not apply to public authorities and their bodies.

Recitals applicable to Article 41 of GDPR

Relevant Recitals: None

GDPR Regulation article-by-article overview

Read our comprehensive overview of the GDPR Regulation, article by article, where we summarize each of the 99 articles contained in GDPR to give you a complete understanding of its content.

Cited Legislation in Article 41 or relevant recitals


GDPR Text: Article 41 of GDPR and Relevant Recitals

GDPR Text Source: EUR-Lex

Official GDPR Text: General Data Protection Regulation 

Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJL 127, 23.5.2018, p. 2 ((EU) 2016/679)