You are here:
29 March 2017 / article

GDPR - Codes of conduct and certification

Codes of conduct and certification may serve as a tool for controllers and processors to demonstrate compliance with GDPR obligations applicable to their processing operations.

The main characteristics of codes of conduct and the new certification mechanism

Under the Data Protection Directive, the use and development of codes of conduct was already encouraged. The GDPR also acknowledges the use of codes of conduct and - in addition - newly introduces a certification mechanism.

Codes of conduct and certification may serve as a tool for controllers and processors to demonstrate compliance with GDPR obligations applicable to their processing operations.

Their main characteristics/differences are the following:

  Codes of conduct Certification
Issuance Prepared by associations and other bodies representing controllers or processors Prepared by certification bodies or competent supervisory authorities
Approval Codes of conduct drafted, amended or extended by associations or representative bodies in relation to data processing activities that affect only one Member State must be submitted to the competent supervisory authority for approval and in case of processing activities in several Member States an opinion of EDPB is required Approval takes place on the basis of criteria approved by the competent supervisory authority or by the EDPB. Where the criteria are approved by the EDPB, this may result in a common certification, called the European Data Protection Seal
Validity No restrictions Issued for a maximum period of three years and may be subject to renewal or withdrawal by the certification bodies or by the competent supervisory authorities where the requirements for the certification are no longer met
Publication Competent supervisory authority registers and publishes and EDPB collates in a register and makes publicly available EDPB collates in a register and makes publicly available

Key areas covered by codes of conduct

Although Member States and the European Commission were already required to encourage the drawing up of codes of conduct under the Data Protection Directive, the GDPR goes even further and lists key areas for which the codes may provide guidance. These include fair and transparent processing, the legitimate interests pursued by controllers in specific contexts and the collection of personal data.

Powers of monitoring and certification bodies

Another new tool introduced by the GDPR in comparison to the Data Protection Directive, is the monitoring of compliance with a code of conduct by independent monitoring bodies. These bodies need to have an appropriate level of expertise in relation to the subject-matter of the code and have to be accredited for that purpose by the competent supervisory authority.

Certification bodies which have an appropriate level of expertise in relation to data protection may issue and renew certifications. They are responsible for the proper assessment leading to the certification or its withdrawal.

In order to be accredited, monitoring and certification bodies must fulfill certain requirements (such as independence and expertise).

Third country transfers

Personal data may be transferred to a third country subject to the condition that that the controller or the processor has provided appropriate safeguards. These safeguards may be provided by an approved code of conduct or an approved certification mechanism, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.


Controllers and processors who have infringed a relevant code may be suspended or excluded from the code by the monitoring body which must inform the competent supervisory authority about this fact.

In addition, infringements of the obligations of the controller and the processor regarding certification are subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Controllers and processors to do list:

  • Identify or establish associations or representative bodies that could prepare codes of conduct;
  • Determine whether you intend to adhere to an approved code of conduct / certification mechanism and do so in due course;
  • Check the accreditation of monitoring and certification bodies;
  • Take into account certifications when selecting your data processor(s).


Should you require any assistance in implementing the GDPR within your organisation, please contact us or visit our General Data Protection Regulation website for more information.

French payroll taxes as of 1 January 2019

Financial Regulatory News Updates - May 2019

The Financial Regulatory News Updates: an overview in which our Banking and Finance Practice Group highlights: read more
How will the BREXIT affect our company?

The most non-cooperative jurisdictions for tax, according to the EU black list

The Economic and Financial Affairs Council (ECOFIN) determined in 2017 a list of 17 non-cooperative jurisdictions: the EU black list. This list was established... read more
Out with the old, in with the new: Belgian Privacy Commission becomes “Belgian Data Protection Authority”

GDPR - Security of personal data and what to do in the event of a data breach

This update aims to provide you with a practical overview of the most relevant changes resulting from the General Data Protection Regulation (GDPR), applicable... read more