eu-code-of-conduct

EU Code of Conduct Adherence per Articles 40-41 GDPR

Overview

Articles 40 and 41 of the GDPR encourage the drawing up of codes of conduct intended to contribute to the proper application of the GDPR, taking account of the specific features of the various processing sectors. A code of conduct approved under Art. 40 provides a demonstrable compliance mechanism that controllers and processors can adhere to, offering evidentiary weight during supervisory authority investigations and serving as a factor in administrative fine calculations under Art. 83(2)(j).

The EDPB adopted Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, providing detailed guidance on the approval process, content requirements, monitoring body accreditation, and adherence mechanisms. As of 2024, the EDPB has issued opinions on several transnational codes and national supervisory authorities have approved domestic codes across sectors including cloud computing, direct marketing, clinical trials, and credit information.

Sentinel Compliance Group adheres to two approved codes of conduct: the EU Cloud Code of Conduct (SCOPE Europe) for its cloud processing activities and a national code for direct marketing activities approved by the Belgian DPA.

Legal Framework

Article 40 — Codes of Conduct

Art. 40(1): Member States, supervisory authorities, the Board, and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of the GDPR.

Art. 40(2): Codes of conduct may cover a wide range of processing areas:

Area (Art. 40(2))	Description	Example
(a) Fair and transparent processing	Processing principles implementation	Plain-language privacy notices for sector
(b) Legitimate interests	Balancing tests for specific sectors	Legitimate interest in fraud prevention for financial services
(c) Collection of personal data	Sector-specific collection standards	Minimum data sets for insurance applications
(d) Pseudonymisation	Sector pseudonymisation techniques	Patient data pseudonymisation in clinical trials
(e) Information to the public and data subjects	Standardised transparency measures	Layered notice templates for e-commerce
(f) Exercise of data subject rights	Sector-specific DSR procedures	Standardised portability formats for telecommunications
(g) Information and protection of children	Age verification and child protection	Age-appropriate design for educational technology
(h) Technical and organisational measures (Art. 24, 25)	Sector security baselines	Minimum encryption standards for health data processors
(i) Breach notification	Sector breach assessment criteria	Severity thresholds for financial data breaches
(j) International transfers	Transfer mechanisms via codes	Binding commitments in cloud codes for third-country transfers
(k) Dispute resolution and enforcement	Out-of-court mechanisms	Mediation procedures for marketing opt-out disputes

Art. 40(3): Codes may be adhered to by controllers or processors not subject to the GDPR to provide appropriate safeguards for international transfers under Art. 46(2)(e), provided the code includes binding and enforceable commitments from the third-country controller or processor.

Art. 40(5): Draft codes must be submitted to the competent supervisory authority for approval. The supervisory authority provides an opinion on whether the code complies with the GDPR.

Art. 40(7): For transnational codes (covering processing activities in several Member States), the supervisory authority submits the draft to the EDPB, which issues an opinion. If the EDPB opinion is positive, the Board submits it to the Commission, which may adopt an implementing act giving general validity within the Union.

Article 41 — Monitoring Bodies

Art. 41(1): Monitoring of compliance with a code of conduct pursuant to Art. 40 may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for that purpose by the competent supervisory authority.

Art. 41(2): Accreditation requirements for monitoring bodies:

Requirement	Description
Independence	Demonstrated independence from the profession and the code owner
Expertise	Appropriate level of expertise in the subject matter
Procedures	Established procedures for assessing eligibility, monitoring compliance, and reviewing adherence
Complaint handling	Procedures for handling complaints about infringements by code adherents
Transparency	Public information about monitoring activities and outcomes
No conflict of interest	Free from conflicts of interest that could impair monitoring objectivity

Art. 41(4): The monitoring body may take appropriate action in cases of infringement, including suspension or exclusion of the controller or processor from the code. It shall inform the competent supervisory authority of such actions and reasons.

EDPB Approval Requirements (Guidelines 1/2019)

Code Content Requirements

The EDPB requires approved codes to meet the following substantive criteria:

1. Added Value

The code must provide specific, practical guidance beyond merely restating GDPR provisions:

• Sector-specific interpretations of GDPR principles
• Concrete implementation guidance for the target sector
• Standardised templates, procedures, or technical measures
• Clear rules that resolve ambiguity in GDPR application to the sector

2. Scope and Applicability

• Clear definition of the sector, processing activities, and types of controllers/processors covered
• Explicit statement of which GDPR provisions the code addresses
• Geographic scope (national or transnational)
• Membership criteria and eligibility requirements

3. Representativeness

• The code owner must represent a sufficient portion of the sector
• Evidence of consultation with stakeholders including data subjects, consumer organizations, and supervisory authorities
• Support from a significant number of potential adherents

4. Effective Monitoring Mechanism

• Identification of a monitoring body meeting Art. 41 requirements
• Description of monitoring procedures including regular audits, complaint handling, and enforcement actions
• Graduated enforcement measures (warning, corrective action, suspension, exclusion)
• Annual reporting on monitoring activities

5. Complaint Handling

• Accessible complaint mechanism for data subjects
• Defined timelines for complaint investigation and resolution
• Right to escalate to the supervisory authority
• Published complaint statistics

Procedural Requirements

National Code Approval Process

1. Code Owner drafts code with stakeholder consultation
   ↓
2. Code Owner submits draft to competent Supervisory Authority
   ↓
3. Supervisory Authority assesses compliance with GDPR and EDPB Guidelines
   ↓
4. Supervisory Authority requests amendments (iterative process)
   ↓
5. Supervisory Authority approves the code (Art. 40(5))
   ↓
6. Supervisory Authority registers and publishes the code (Art. 40(6))
   ↓
7. Commission compiles approved codes in a register (Art. 40(11))

Transnational Code Approval Process

1. Code Owner drafts code with multi-country stakeholder consultation
   ↓
2. Code Owner submits draft to the lead Supervisory Authority
   ↓
3. Lead Supervisory Authority conducts initial assessment
   ↓
4. Lead Supervisory Authority submits draft to EDPB for opinion (Art. 40(7))
   ↓
5. EDPB Secretariat circulates to all concerned Supervisory Authorities
   ↓
6. EDPB issues opinion (positive, positive with conditions, or negative)
   ↓
7. If positive: Lead Supervisory Authority approves the code
   ↓
8. Commission may adopt implementing act giving general validity (Art. 40(9))

Monitoring Body Accreditation

Accreditation Process

1. Application: The proposed monitoring body submits an accreditation application to the competent supervisory authority
2. Assessment: The supervisory authority evaluates the application against Art. 41 requirements and the EDPB accreditation criteria
3. Decision: The supervisory authority grants or denies accreditation
4. Duration: Accreditation is typically granted for a period of five years, renewable
5. Review: The supervisory authority may review and revoke accreditation if the monitoring body no longer meets the requirements

Monitoring Body Functions

Function	Description	Frequency
Eligibility Assessment	Evaluate new adherence applications against code requirements	Upon application
Compliance Monitoring	Conduct periodic compliance assessments of adherents	Annual at minimum
Complaint Investigation	Investigate data subject complaints about adherent practices	Upon receipt
Corrective Action	Require adherents to remediate non-compliance	As needed
Enforcement	Suspend or exclude non-compliant adherents	As needed
Reporting	Report monitoring activities to the supervisory authority	Annual
Code Review	Recommend code amendments based on monitoring experience	Periodic

Monitoring Methodology

The monitoring body assesses adherent compliance through:

• Documentation Review: Privacy policies, processing records, DPIAs, DPAs, and other documented evidence
• Technical Assessment: Verification of technical measures specified in the code
• Interviews: Discussions with key personnel responsible for privacy compliance
• Sample Testing: Testing of specific controls (DSAR handling, consent mechanisms, deletion processes)
• Complaint Analysis: Review of data subject complaints and their resolution
• Incident Review: Assessment of data breach handling in accordance with code requirements

Adherence Declaration

Process for Adhering to an Approved Code

1. Eligibility Check: Confirm that the organization falls within the code's defined scope (sector, processing activities, geography)
2. Self-Assessment: Complete the code's self-assessment questionnaire demonstrating compliance with all code requirements
3. Evidence Compilation: Prepare evidence portfolio documenting implementation of each code requirement
4. Monitoring Body Application: Submit adherence application to the accredited monitoring body
5. Initial Assessment: The monitoring body conducts an initial compliance assessment
6. Gap Remediation: Address any gaps identified by the monitoring body
7. Adherence Decision: The monitoring body approves or denies adherence
8. Public Declaration: Organization is listed in the code's public register of adherents
9. Ongoing Monitoring: Submit to periodic monitoring assessments by the monitoring body

Adherence Documentation

The organization must maintain:

Document	Purpose	Update Frequency
Adherence Declaration	Formal commitment to comply with all code requirements	Upon adherence, renewed annually
Compliance Matrix	Mapping of code requirements to organizational controls	Updated upon changes
Evidence Portfolio	Supporting documentation for each code requirement	Maintained continuously
Annual Compliance Report	Self-assessment of continued compliance	Annual
Incident Notifications	Reports of code compliance failures to the monitoring body	Within defined timeframes

Compliance Verification

Annual Compliance Assessment

The monitoring body conducts annual compliance assessments of each adherent:

Assessment Scope:

• Review of adherence documentation and evidence portfolio
• Verification of continued eligibility
• Testing of key code requirements through sampling
• Review of complaints received and their resolution
• Review of any incidents or breaches and their handling
• Assessment of any changes to processing activities since last assessment

Assessment Outcomes:

Outcome	Criteria	Consequence
Compliant	All code requirements met	Continued adherence, next assessment in 12 months
Conditionally Compliant	Minor gaps identified	Remediation required within 90 days, follow-up assessment
Non-Compliant	Material gaps in one or more code requirements	Corrective action plan required; suspension if not remediated within defined timeframe
Excluded	Repeated or severe non-compliance	Removal from code adherent register, notification to supervisory authority

Complaint-Triggered Verification

When a data subject complaint is received:

1. Monitoring body acknowledges receipt within 5 business days
2. Monitoring body conducts preliminary assessment within 15 business days
3. If the complaint is substantiated, the monitoring body:
   • Notifies the adherent and requires a response within 15 business days
   • Conducts an investigation including evidence gathering
   • Determines whether a code infringement occurred
   • If infringement confirmed: requires remediation and may impose sanctions
4. Monitoring body communicates the outcome to the complainant within 60 days of receipt
5. If the complainant is dissatisfied, the monitoring body provides information on escalation to the supervisory authority

Approved Codes of Conduct (Notable Examples)

EU Cloud Code of Conduct (SCOPE Europe)

• Approved: May 2021 by Belgian DPA (lead SA), positive EDPB opinion
• Monitoring Body: SCOPE Europe AISBL (accredited by Belgian DPA)
• Scope: Cloud infrastructure (IaaS), platform (PaaS), and software (SaaS) service providers acting as data processors
• Key Provisions: Data localization transparency, sub-processor management, data portability, data deletion, security measures, breach notification
• Adherents: Major cloud providers including Google Cloud, IBM Cloud, Oracle Cloud, Salesforce, SAP, Cisco

EU Data Governance Code of Conduct for Cloud Infrastructure Service Providers (CISPE)

• Approved: 2023 by CNIL (France)
• Scope: Cloud infrastructure service providers
• Key Provisions: Data sovereignty, processor obligations, transparency

FEDMA Code of Practice for Direct Marketing (Federation of European Direct and Interactive Marketing)

• Status: Under development for EDPB submission
• Scope: Direct marketing industry across EU
• Key Provisions: Consent for electronic marketing, legitimate interest assessments, opt-out mechanisms

Benefits of Code of Conduct Adherence

Regulatory Benefits

1. Art. 24(3): Adherence to an approved code may be used as an element to demonstrate compliance with controller obligations
2. Art. 28(5): Adherence by a processor may be used as an element to demonstrate sufficient guarantees per Art. 28(1)
3. Art. 32(3): Adherence may be used as an element to demonstrate compliance with security obligations
4. Art. 35(8): Compliance with approved codes shall be taken into due account when assessing DPIA impact
5. Art. 46(2)(e): Codes with binding commitments can serve as appropriate safeguards for international transfers
6. Art. 83(2)(j): Adherence to approved codes is a factor supervisory authorities consider when deciding on administrative fines (mitigating)

Business Benefits

• Competitive differentiation through demonstrated compliance
• Simplified vendor due diligence for customers
• Sector-specific best practice alignment
• Structured framework for privacy compliance
• External validation through monitoring body oversight

Sentinel Compliance Group Code of Conduct Implementation

• EU Cloud Code of Conduct: Adhered since September 2022; annual assessment by SCOPE Europe monitoring body; no compliance findings in 2024 assessment
• Scope Covered: Cloud SaaS processing activities across EU data centers (Frankfurt, Amsterdam, Dublin)
• Compliance Matrix: 156 code requirements mapped to organizational controls
• Annual Assessment: Last completed October 2024, outcome: Compliant
• Data Subject Complaints via Code: 3 complaints received in 2024; all resolved within 45 days; none escalated to supervisory authority
• Transfer Mechanism: Exploring use of Art. 46(2)(e) code-based transfer mechanism for UK adequacy contingency planning