You are here:
29 March 2017 / article

GDPR - Codes of conduct and certification

Codes of conduct and certification may serve as a tool for controllers and processors to demonstrate compliance with GDPR obligations applicable to their processing operations.

The main characteristics of codes of conduct and the new certification mechanism

Under the Data Protection Directive, the use and development of codes of conduct was already encouraged. The GDPR also acknowledges the use of codes of conduct and - in addition - newly introduces a certification mechanism.

Codes of conduct and certification may serve as a tool for controllers and processors to demonstrate compliance with GDPR obligations applicable to their processing operations.

Their main characteristics/differences are the following:

  Codes of conduct Certification
Issuance Prepared by associations and other bodies representing controllers or processors Prepared by certification bodies or competent supervisory authorities
Approval Codes of conduct drafted, amended or extended by associations or representative bodies in relation to data processing activities that affect only one Member State must be submitted to the competent supervisory authority for approval and in case of processing activities in several Member States an opinion of EDPB is required Approval takes place on the basis of criteria approved by the competent supervisory authority or by the EDPB. Where the criteria are approved by the EDPB, this may result in a common certification, called the European Data Protection Seal
Validity No restrictions Issued for a maximum period of three years and may be subject to renewal or withdrawal by the certification bodies or by the competent supervisory authorities where the requirements for the certification are no longer met
Publication Competent supervisory authority registers and publishes and EDPB collates in a register and makes publicly available EDPB collates in a register and makes publicly available

Key areas covered by codes of conduct

Although Member States and the European Commission were already required to encourage the drawing up of codes of conduct under the Data Protection Directive, the GDPR goes even further and lists key areas for which the codes may provide guidance. These include fair and transparent processing, the legitimate interests pursued by controllers in specific contexts and the collection of personal data.

Powers of monitoring and certification bodies

Another new tool introduced by the GDPR in comparison to the Data Protection Directive, is the monitoring of compliance with a code of conduct by independent monitoring bodies. These bodies need to have an appropriate level of expertise in relation to the subject-matter of the code and have to be accredited for that purpose by the competent supervisory authority.

Certification bodies which have an appropriate level of expertise in relation to data protection may issue and renew certifications. They are responsible for the proper assessment leading to the certification or its withdrawal.

In order to be accredited, monitoring and certification bodies must fulfill certain requirements (such as independence and expertise).

Third country transfers

Personal data may be transferred to a third country subject to the condition that that the controller or the processor has provided appropriate safeguards. These safeguards may be provided by an approved code of conduct or an approved certification mechanism, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.


Controllers and processors who have infringed a relevant code may be suspended or excluded from the code by the monitoring body which must inform the competent supervisory authority about this fact.

In addition, infringements of the obligations of the controller and the processor regarding certification are subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Controllers and processors to do list:

  • Identify or establish associations or representative bodies that could prepare codes of conduct;
  • Determine whether you intend to adhere to an approved code of conduct / certification mechanism and do so in due course;
  • Check the accreditation of monitoring and certification bodies;
  • Take into account certifications when selecting your data processor(s).


Should you require any assistance in implementing the GDPR within your organisation, please contact us or visit our General Data Protection Regulation website for more information.

The algorithm register

The launch of an algorithm register with the objective to increase transparency about the algorithms that are being used has announced. read more

Transfers following Schrems II: more clarity

On 11 November 2020, the EDPB published (in concept) its long-awaited recommendations concerning the transfer of personal data following Schrems II. Moreover,... read more

Expansion of Dutch laboratory capacity

There has been a lot of attention for the increased number of covid-19 tests and the lack of laboratory capacity to have these tests analysed. read more