The EU General Data Protection Regulation (GDPR) provides for far-reaching self-responsibility on the part of controllers and processors.
Code of conduct
The creation of codes of conduct for associations and organisations in accordance with Art. 40 GDPR provides a method of self-regulation to eliminate legal uncertainties in connection with the GDPR and the processing of personal data within a specific industry. The General Data Protection Regulation provides for the development of codes of conduct for sectors to be promoted in principle, which are intended to contribute to the proper application of the GDPR in accordance with the specifics of the individual processing areas and the special needs of micro, small and medium-sized enterprises in particular.
Sector-specific rules of conduct for associations
Associations and other organisations representing specific groups of controllers or processors may draw up, amend or extend their own codes of conduct to clarify the application of the GDPR, for example in the following areas:
(a) fair and transparent processing;
(b) the legitimate interests of the controller in certain contexts;
(c) collection of personal data;
(d) pseudonymisation of personal data;
(e) informing the public and data subjects;
(f) exercising the rights of data subjects;
(g) information and protection of children and the manner in which the consent of the holder of parental responsibility for the child is to be obtained;
(h) the measures and procedures referred to in Articles 24 and 25 and the measures relating to security of processing referred to in Article 32;
(i) the notification of personal data breaches to supervisory authorities and the notification of such personal data breaches to the data subject;
(j) the transfer of personal data to third countries or international organisations; or
(k) out-of-court procedures and other dispute resolution procedures for the settlement of disputes between controllers and data subjects in relation to processing, without prejudice to the rights of data subjects under Articles 77 and 79.
Role of the monitoring body as supervisory authority
The monitoring of compliance with codes of conduct pursuant to Article 40 GDPR shall be carried out by a body which has the appropriate expertise in the subject matter of the code of conduct and which has been accredited for this purpose by the competent supervisory authority.
A monitoring body may be accredited for the purpose of monitoring compliance with codes of conduct if it:
(a) has demonstrated its independence and expertise in the subject matter of the code of conduct to the satisfaction of the competent supervisory authority;
(b) has established procedures that enable it to assess whether controllers and processors can apply the code of conduct, to monitor compliance with the code of conduct by controllers and processors and to regularly review the application of the code of conduct;
(c) has established procedures and structures to investigate complaints about breaches of the code of conduct or the manner in which the code of conduct is being or has been applied by the controller or processor and to make those procedures and structures transparent to data subjects and the public; and
(d) has demonstrated to the satisfaction of the competent supervisory authority that its tasks and duties do not give rise to a conflict of interest.
Associations and other organisations that represent controllers or processors in certain sectors therefore have the option of drawing up their own codes of conduct (CoC) in accordance with Art. 40 GDPR and submitting their own application for approval of these codes of conduct to the data protection authority. The data protection authority reviews these CoCs, issues an opinion on the requested codes of conduct or approves them with a decision.
Codes of conduct therefore represent guidelines for dealing with data protection in practice for certain sectors. They can be used to harmonise and standardise the data protection practices of controllers or processors within a specific industry.
Accredited monitoring body according to Art. 41 GDPR
On 1 October 2020, lawvision information systems GmbH was accredited as an external monitoring body for the ‘Code of Conduct for Data Protection of the Professional Association of Employers of Private Educational Institutions’ (‘BABE-CoC’) pursuant to Art. 41 of the General Data Protection Regulation in Austria, in accordance with the provisions of the Regulation of the Data Protection Authority on the requirements for a body for monitoring compliance with codes of conduct (Monitoring Body Accreditation Regulation - ÜStAkk-V).
Guidelines referring to § 6 ÜStAkk-V (Überwachungsstellen-Akkreditierungsverordnung)
Other services
In addition, lawvision offers a range of consulting services relating to data protection, data security and IT, including data protection consulting and data protection management systems.
For further questions about the services and activities of the monitoring body, please contact us on +43 1 997 1190 or write to us using the contact details provided.