GDPR – Codes of conduct and certification

This update aims to provide you with a practical overview of the most relevant changes resulting from the General Data Protection Regulation (GDPR), applicable as from 25 May 2018, compared to the current data protection regime as set out in Directive 95/46/EC (Data Protection Directive). 

This month’s issue discusses “Codes of conduct and certification”.

The main characteristics of codes of conduct and the new certification mechanism
Under the Data Protection Directive, the use and development of codes of conduct was already encouraged. The GDPR also acknowledges the use of codes of conduct and - in addition - newly introduces a certification mechanism.

Codes of conduct and certification may serve as a tool for controllers and processors to demonstrate compliance with GDPR obligations applicable to their processing operations.

Their main characteristics/differences are the following:

Codes of Conduct



Prepared by associations and other bodies representing controllers or processors

Prepared by certification bodies or competent supervisory authorities


Codes of conduct drafted, amended or extended by associations or representative bodies in relation to data processing activities that affect only one Member State must be submitted to the competent supervisory authority for approval and in case of processing activities in several Member States an opinion of EDPB is required

Approval takes place on the basis of criteria approved by the competent supervisory authority or by the EDPB. Where the criteria are approved by the EDPB, this may result in a common certification, called the European Data Protection Seal


No restrictions

Issued for a maximum period of three years and may be subject to renewal or withdrawal by the certification bodies or by the competent supervisory authorities where the requirements for the certification are no longer met


Competent supervisory authority registers and publishes and EDPB collates in a register and makes publicly available

EDPB collates in a register and makes publicly available

Key areas covered by codes of conduct
Although Member States and the European Commission were already required to encourage the drawing up of codes of conduct under the Data Protection Directive, the GDPR goes even further and lists key areas for which the codes may provide guidance. These include fair and transparent processing, the legitimate interests pursued by controllers in specific contexts and the collection of personal data.

Powers of monitoring and certification bodies
Another new tool introduced by the GDPR in comparison to the Data Protection Directive, is the monitoring of compliance with a code of conduct by independent monitoring bodies. These bodies need to have an appropriate level of expertise in relation to the subject-matter of the code and have to be accredited for that purpose by the competent supervisory authority.

Certification bodies which have an appropriate level of expertise in relation to data protection may issue and renew certifications. They are responsible for the proper assessment leading to the certification or its withdrawal.

In order to be accredited, monitoring and certification bodies must fulfill certain requirements (such as independence and expertise).

Third country transfers
Personal data may be transferred to a third country subject to the condition that that the controller or the processor has provided appropriate safeguards. These safeguards may be provided by an approved code of conduct or an approved certification mechanism, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

Controllers and processors who have infringed a relevant code may be suspended or excluded from the code by the monitoring body which must inform the competent supervisory authority about this fact.

In addition, infringements of the obligations of the controller and the processor regarding certification are subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Controllers and processors to do list:

  • Identify or establish associations or representative bodies that could prepare codes of conduct;
  • Determine whether you intend to adhere to an approved code of conduct / certification mechanism and do so in due course;
  • Check the accreditation of monitoring and certification bodies;
  • Take into account certifications when selecting your data processor(s).