EDPB issues draft Guidelines on codes of conduct for data transfers


The European Data Protection Board (EDPB) issued its draft Guidelines 04/2021 on the codes of conduct to be used as a tool for facilitating data transfers. These guidelines are the second in a series that provide details and practical information on the provisions of the GDPR regarding codes of conduct. (The first guidance, Guidelines 1/2019 on conduct and Monitoring Bodies under Regulation 2016/679, established the general framework for the adoption of codes of conduct).

Codes of conduct as monitored self-assessment tools

The GDPR requires that data controllers and processors put in place appropriate safeguards when transferring personal data to a third country outside the EEA. One of the tools introduced by the GDPR are approved codes of conduct that could be used as an alternative for other third country transfer mechanisms such as a model SCC, inpidually negotiated SCC or BCR.

Using a code of conduct to frame third country transfers provides a high level of trust since in order to be used, the code must pass an evaluation procedure by data protection authorities. In addition, rather than being a form of self-proclaimed compliance, adherence to the codes are monitored and enforced by an independent monitoring body. These measures give codes of conduct greater credibility than other self-regulatory mechanisms.

Contents of codes of conduct

In order to provide appropriate safeguards, codes of conduct must address essential principles, rights and obligations as set down in the GDPR; and guarantees that are specific to the context of the data transfers, which the code of conduct is intended to frame. The elements to be covered by a code of conduct intended for transfers should include minimum guarantees listed in the draft Guidelines. These include general items (e.g. a description of the data processing and the data involved), items specific to data transfers (e.g. third party beneficiary clauses, remedies for the data subject, liability for data breaches in the third country, a warranty by the data importer that there are no conflicting local laws, audit rights, etc.) and items related to the code of conduct (e.g. mechanisms for change in the code or consequences of non-compliance and consequences of withdrawal).

Benefits of codes of conduct

The main benefits of relying on codes of conduct is that the codes could be tailored for specific industry sectors (e.g. banking and finance, insurance) for specific data processing activities, such as HR and children’s data, in order to best fit the needs of the actors that the codes are intended for.

Groups of undertakings involved in data processing activities in similar fields could come together and collectively develop a set of rules in form of a code. This form of co-regulation would ease the burden on smaller companies to carry out their own comprehensive data protection analysis since they could choose to adhere to existing codes fitting their needs.

The guidelines are open for public consultation until 1 October 2021, and are available here.

For more information on these Guidelines and EU regulations on data transfers, contact your CMS client partner or local CMS experts.

The article is co-authored by Anna Horváth.