Article 41

Monitoring approved codes of conduct

  1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, the monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body having the appropriate expertise relating to the subject matter of the code of conduct and accredited for that purpose by the competent supervisory authority.

  2. A body referred to in paragraph 1 may be accredited for this purpose to monitor compliance with a code of conduct if it:

    • has demonstrated to the satisfaction of the competent supervisory authority its independence and expertise in relation to the subject matter of the Code of Conduct;

    • has established procedures by which it can assess the eligibility of relevant controllers and processors to apply the Code of Conduct, monitor their compliance with the provisions of the Code of Conduct, and periodically review the operation of the Code of Conduct;

    • has established procedures and structures to address complaints about violations of the Code of Conduct or the manner in which it has been or is being implemented by a controller or processor, and to make those procedures and structures transparent to data subjects and the public; and

    • has demonstrated to the satisfaction of the competent supervisory authority that its duties and powers do not lead to a conflict of interest.

  3. The competent supervisory authority shall submit the draft requirements for accreditation of a body referred to in paragraph 1 of this Article to the Committee in accordance with the consistency mechanism referred to in Article 63.

  4. Without prejudice to the tasks and powers of the competent supervisory authority and the provisions of Chapter VIII, a body referred to in paragraph 1 of this Article shall, subject to appropriate safeguards, take the necessary measures in the event of a breach of the Code of Conduct by a controller or processor, including suspension or exclusion of the controller or processor concerned from the Code of Conduct. The body shall inform the competent supervisory authority of such measures and the reasons for them.

  5. The competent supervisory authority shall withdraw the accreditation of a body referred to in paragraph 1 if the requirements for accreditation are not or are no longer met or if the measures taken by the body violate this Regulation.

  6. This article does not apply to processing by government agencies and bodies.