GDPR code of conduct

A group of organisations, such as a branch of industry or a sector, can draw up a GDPR code of conduct for the way in which these organisations handle personal data. The group may then ask the Dutch Data Protection Authority (Dutch DPA) to assess the code of conduct. A code of conduct is not mandatory.

Joining a code of conduct

If the Dutch DPA has approved the code of conduct, organisations within the group can join the code of conduct. This means that they undertake to comply with the provisions set out in the code of conduct for the protection of personal data. Thus, a code of conduct is a way for organisations to show that they comply with the privacy laws.

Requirements for a code of conduct

As a representative of a specific group, you can ask the Dutch DPA to approve your code of conduct. The Dutch DPA will approve the code of conduct if it meets the requirements for a code of conduct. It is very important in this respect that the code of conduct offers a concrete elaboration of the General Data Protection Regulation (GDPR).
When reviewing your application, the Dutch DPA will in any case look at the following requirements:

  • As the applicant, you are a representative of a specific group of controllers or processors. This group may be a branch of industry or a sector. The group may also consist of controllers or processors that come from diverse branches of industry or sectors, but perform the same type of processing operations.
  • As the applicant, you have consulted with stakeholders when drawing up your code of conduct. And where possible with data subjects. You show that you have taken their contributions and points of view into account.
  • The code of conduct is in accordance with the GDPR and offers sufficient appropriate safeguards.
  • The code of conduct is more concrete than the GDPR.
  • The code of conduct is an accurate, concretised application of the GDPR and ensures an effective implementation of the GDPR by the organisations in your group.
  • The code of conduct contains mechanisms that enable a supervisory body to carry out the mandatory supervision of compliance with the code of conduct.
  • Do you derogate from the statutory provisions by including only part of a statutory provision in your code of conduct? Or by not literally taking over, but paraphrasing a statutory provision? Then you explain why you did this.

EDPB guidelines on codes of conduct

The EDPB has drawn up guidelines for codes of conduct and monitoring bodies:

The Dutch DPA uses these guidelines, among others, to review codes of conduct. That is why it is important that you take the guidelines into account in your code of conduct.

Tips for drawing up a code of conduct

The following tips may help you ensure that your code of conduct meets the requirements:

  • make standards concrete;
  • contribute to the application and implementation of the GDPR;
  • explain the added value;
  • indicate GDPR parts;
  • look at the testability.

Make standards concrete

Explain how the organisations in your group will meet the standards, not merely that they will meet them. Therefore, do not incorporate texts copied in full from the GDPR (or other relevant legislation) in your code of conduct without a group-specific explanation of how organisations in your group apply those sections of the law.
Make sure that the elaborated standards are unequivocal, concrete, feasible and enforceable (testable). So do not say, for example: ‘we have legal grounds for our processing operations’ or ‘we do not retain data any longer than necessary’. Set out in detail which legal bases apply for which processing operations in your group. And set out in detail which retention periods apply for which processing operations.

Contribute to the application and implementation of the GDPR

Contribute to the correct application and the effective implementation of the GDPR in your group. For example by:

  • drawing up criteria that enable you to safeguard the principle of data minimisation;
  • considering how your group can apply the principles of privacy by design and privacy by default, taking into account the specific characteristics of your group;
  • describing in your code of conduct which specific types of processing you can identify that organisations in your group can record in their processing register.

Explain the added value

Explain why the code of conduct has added value for your group.

Indicate GDPR parts

Does your code of conduct only pertain to specific parts of the GDPR? And does the code of conduct therefore not pertain to the entire GDPR? Then clarify to which parts the code of conduct exactly pertains.

Look at the testability

Check whether the various provisions of your code of conduct can be tested relatively easily. This will give you an indication of whether your code of conduct is sufficiently concrete.

Approval of the code of conduct by the Dutch DPA

Associations or other bodies that represent a specific group of organisations may ask the Dutch DPA for approval of a new code of conduct. Or for approval of an amendment to or extension of an existing code of conduct.

Steps for approval of a code of conduct

The procedure for approval of a code of conduct comprises a number of steps:

  • Draft decision: The Dutch DPA first takes a draft decision to approve or reject the code of conduct. The Dutch DPA publishes this draft decision in the Government Gazette and on its website.
  • Opinion: After publication of the draft decision, stakeholders may inspect the documents. If they do not agree with the draft decision, they can give an opinion. This stage has a duration of 6 weeks.
  • Final decision: After this, the Dutch DPA takes a final decision. In doing so, the Dutch DPA takes any opinions into account. The Dutch DPA publishes this decision in the Government Gazette and on its website. The Dutch DPA must take the final decision within no more than 6 months. Unless it concerns a very complex or controversial subject. In that case, the Dutch DPA may extend this period of 6 months by a reasonable period.
  • Appeal: Does the applicant or another stakeholder disagree with the decision? Then that party can lodge an appeal with the court within 6 weeks after publication of the decision. Has the appeal period expired and no one has lodged an appeal? Then the decision is irrevocable. Note: does a stakeholder want to lodge an appeal against the decision, but did this party not give an opinion at an earlier stage? Then this could mean that this party will not be able to lodge an appeal. This is assessed by the court, not by the Dutch DPA.
  • Approval of an international code of conduct: Does a code of conduct pertain to processing activities in several EU member states? Then the Dutch DPA will submit the code of conduct to the EDPB. Only after receiving the advice from the EDPB will the Dutch DPA take a decision about the requested approval of the code of conduct. Does the EDPB think that the code of conduct is in accordance with the GDPR and that it offers sufficient appropriate safeguards? Then the EDPB can submit this advice to the European Commission. The latter has the option to declare the approved code of conduct generally applicable within the EU.

Your privacy when applying for approval of the code of conduct

When you apply for approval of your code of conduct, the Dutch DPA will process your personal data. You can read in the privacy statement of the Dutch DPA how the Dutch DPA handles your personal data.

Register of approved codes of conduct

Supervision of compliance with codes of conduct

The GDPR states that there must be specific supervision of compliance with codes of conduct, in addition to the regular supervision by the relevant EU data protection agency (in the Netherlands: the Dutch DPA). And that every code of conduct must have mechanisms that enable a supervisory body to carry out this mandatory supervision. This supervisory body may be accredited by the Dutch DPA or another European supervisor.
The supervisory body:

  • monitors compliance with the provisions of the code of conduct, among other things by periodically testing the effect of the code of conduct;
  • assesses whether controllers and processors qualify for applying the code of conduct;
  • deals with complaints regarding infringements of the code of conduct.

General requirements for accreditation

Article 41 GDPR contains a number of general requirements for accreditation. A supervisory body may be accredited if the body:

  • has demonstrated its independence and expertise regarding the subject matter of the code of conduct;
  • has adopted procedures by which the body can determine whether the controllers and processors involved are permitted to apply the code of conduct;
  • can monitor compliance with the code of conduct and regularly test the effect of the code of conduct;
  • has adopted procedures for dealing with complaints regarding infringements of the code of conduct or the way in which a controller or processor handles the code of conduct;
  • has made these procedures transparent for data subjects and the public;
  • demonstrates that its tasks and responsibilities do not lead to a conflict of interest.

Specific requirements for accreditation

Every data protection agency in the EU has drawn up specific requirements for the accreditation of a supervisory body and submitted them to the EDPB for advice. These specific requirements are a further elaboration of the general requirements from the GDPR. These are the requirements drawn up by the Dutch DPA:
