Codes of Conduct
Member States, supervisory authorities, the Committee and the Commission shall promote the drawing up of codes of conduct which, taking into account the specificities of the various data processing sectors and the specific needs of micro, small and medium-sized enterprises, should contribute to the correct application of this Regulation.
Associations and other bodies representing categories of controllers or processors may establish codes of conduct, or amend or expand such codes, to further explain the application of this Regulation, such as with respect to:
proper and transparent processing;
the legitimate interests pursued by controllers in a specific context;
data collection;
the pseudonymization of personal data;
the information provided to the public and stakeholders;
the exercise of the rights of data subjects;
the information provided to and the protection of children and the manner in which consent is obtained from those with parental responsibility for children;
the measures and procedures referred to in Articles 24 and 25 and the security measures for processing referred to in Article 32;
notification of personal data breaches to supervisory authorities and communication of those personal data breaches to data subjects;
the transfer of personal data to third countries or international organizations; or
out-of-court procedures and other procedures for resolving disputes between controllers and data subjects relating to processing, without prejudice to the rights of data subjects under Articles 77 and 79.
In addition to controllers or processors subject to this Regulation, codes of conduct adopted pursuant to paragraph 5 of this Article and declared generally valid pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors not subject to this Regulation pursuant to Article 3 in order to provide for appropriate safeguards for transfers of personal data to third countries or international organizations under the conditions referred to in point (e) of Article 46(2). Those controllers or processors shall, through contractual or other legally binding instruments, make binding and enforceable commitments to implement those appropriate safeguards, including as regards the rights of data subjects.
A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms enabling the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with the provisions of the code by controllers or processors who undertake to apply it, without prejudice to the duties and powers of the supervisory authorities competent pursuant to Article 55 or 56.
The associations and other bodies referred to in paragraph 2 of this Article which intend to draw up a code of conduct or to amend or extend an existing code of conduct shall submit the draft code of conduct, amendment or extension to the competent supervisory authority pursuant to Article 51. The supervisory authority shall deliver an opinion on whether the draft code of conduct, amendment or extension is in conformity with this Regulation, and shall approve that draft code of conduct, amendment or extension if it considers that it contains sufficient appropriate safeguards.
Where the draft code of conduct, amendment or extension is approved in accordance with paragraph 5, and if the code of conduct in question does not cover processing operations in different Member States, the supervisory authority shall register and publish the code of conduct.
Where a draft code of conduct relates to processing operations in several Member States, the competent supervisory authority, acting in accordance with Article 55, shall, before adopting the code of conduct, amendment or extension, submit it to the Committee, through the procedure referred to in Article 63, which shall give its opinion on whether the draft code of conduct, amendment or extension is in conformity with this Regulation or, in the situation referred to in paragraph 3 of this Article, provides for appropriate safeguards.
Where the opinion referred to in paragraph 7 confirms that the code of conduct, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3, provides appropriate safeguards, the Committee shall submit its opinion to the Commission.
The Commission may, by means of implementing acts, determine that the approved code of conduct, amendment or extension submitted to it pursuant to paragraph 8 of this Article shall have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).
The Commission shall ensure that appropriate publicity is given to approved codes which it has declared to be generally valid in accordance with paragraph 9.
The Committee collects all approved codes of conduct, amendments and extensions in a register and makes them publicly available through appropriate channels.