The first codes of conduct have already been approved in the EU. Recently, the Spanish body accepted another draft code. However, the President of the Personal Data Protection Office cannot join this company, because… he is awaiting the European Data Protection Board's approval of the Polish requirements for accrediting an entity that monitors the codes. This is to happen in December. Provided that the opinion is positive, the authors of the codes will have no further doubts as to the rules of monitoring, and entities interested in conducting such monitoring will be allowed to submit requests for accreditation to the Personal Data Protection Office. Pending these decisions, the current status of work on the codes in Poland and other selected EU countries is presented below.
Code in GDPR and GDPR in code
In accordance with Art. 40 of the GDPR, associations and other bodies representing specified categories of controllers or processors are encouraged to prepare codes of conduct intended to contribute to the proper application of the GDPR, taking into account the specific features of various sectors and the specific needs of micro, small and medium-sized enterprises.
The scope of such codes can vary greatly, ranging from selected aspects of processing to the entirety of the processes that a given controller may face. In clarifying the application of the GDPR, they can in particular cover such aspects as the reliability and transparency of processing, the pursuit of legitimate interests, the collection of personal data, the rights of data subjects, or measures ensuring data security.
The draft code is submitted to a supervisory body that issues its opinion and approves the draft if it finds it useful. Once the code is approved, the body registers and publishes the code.
Codes in individual countries of the EU
Tens of dozens of codes have been submitted to the supervisory bodies within the European Union, with Norway being the absolute leader in this ranking – 19 drafts.
Poland, with eight drafts submitted to the President of the Personal Data Protection Office, is in second place. The draft codes concern the following areas: market and opinion research, the medical industry (2 codes), banks, housing cooperatives, tax, libraries and shopping centres. In the background, work is under way on further codes dedicated, e.g., to the processing of personal data in electronic advertising, marketing, recruitment, the hotel and photography industries, and educational units.
The supervisory bodies in Belgium, Sweden, Latvia, and Slovakia each received 6 draft codes. In Sweden they concern public transportation (draft withdrawn), the photographic industry, sport, road transportation, payroll consulting, and protection of persons and property (draft not adopted). The Latvian draft codes concern insurance (and brokers), banking and finance, personnel management, and IT.
A local body in Berlin received two draft codes, concerning market and social research and debt collection. Slovenia has one code, concerning retail sales.
In the other countries that replied to us, no draft codes were submitted (which is especially surprising with regard to Great Britain and Ireland).
The small number of approved codes may also be surprising. The reason may be the relatively long work carried out by the European Data Protection Board on guidelines for codes of conduct and monitoring entities, which were adopted only in June 2019. It is also necessary to take into account the need for individual supervisory bodies to formulate local guidelines in this respect (the EDPB is to accept the Polish requirements for accrediting an entity that monitors compliance with the codes).
The first three codes that were approved concern advertising (Spain), IT (the Netherlands), and the Bar (Slovakia). We hope that the issuance of the guidelines referred to above will be a breakthrough for the adoption of codes by the remaining supervisory bodies.
The codes bring huge benefits, such as:
- the codes of conduct can be used to demonstrate compliance with the obligations to ensure security of processing;
- adherence to them is also taken into account when carrying out a data protection impact assessment;
- in the context of data transfers outside the EU, the appropriate safeguards necessary for a transfer to a third country can be provided, without obtaining any special permission from the supervisory body, by means of, among others, an approved code together with binding and enforceable obligations of the controller or processor in the third country to apply adequate safeguards, including with regard to the rights of data subjects (this concerns countries for which the European Commission has not issued a special decision recognizing them as safe areas).
As seen by the Polish body
According to information provided by the Personal Data Protection Office, representatives of a number of industries expressed initial interest in drawing up codes of conduct. However, they tended to abandon presenting the draft codes, or prolonged the conceptual work, once the Office explained its detailed expectations to them. In particular, this concerns the creation of a higher standard of data protection that is compatible with the capabilities of the market participants.
In the opinion of the President of the Personal Data Protection Office, entities that comply with a code of conduct receive a number of benefits, and it is recommended to create codes of conduct in all sectors where personal data is processed, in particular in broadly understood health care and education, and even, e.g., in the financial industry or the web portal management industry. “The President of the Personal Data Protection Office is tremendously satisfied with the fact that interested entities undertake so many initiatives that develop codes of conduct for individual sectors. The supervisory body assesses that the developers of the draft codes have put in a considerable amount of work and shown their involvement in the development of the contents of the codes.”
However, it was indicated that the draft codes of conduct submitted to the supervisory body for approval differ from each other in terms of, e.g., the methodology applied, the extensiveness of the regulations and the specificity of the solutions proposed by the draft code developers. Some of the submitted draft codes show that their developers have a great understanding of the rules for developing and approving codes of conduct and that they are committed to ensuring the transparency of solutions that can be helpful for entities that will use a given code of conduct in the future. The content analysis of some draft codes indicates that the solutions proposed in them regulate individual personal data protection issues in a given sector only cursorily, or are a thoughtless repetition of the GDPR provisions.
The President of the Personal Data Protection Office is conducting approval procedures for the codes of conduct that are currently in their final phase. The first code of conduct developed on the basis of the GDPR provisions may be approved as early as this year.
The previous experience of the President of the Personal Data Protection Office in conducting approval procedures for codes of conduct shows that some developers submitted for approval drafts that contained carte blanche regulations, i.e. regulations that were not intended to specify the personal data protection rules and were not useful for ensuring the transparency and reliability of personal data processing. Developers of the draft codes also had problems adjusting them to the requirements resulting from the EDPB guidelines, including the preparation of adequate mechanisms for monitoring the code. It can also be seen that the developers had problems with properly balancing and accommodating, within a given code, the needs of a given sector and the interests of controllers and data subjects.
The number of codes of conduct submitted to the bodies varies and ranges from none to almost twenty. Poland has a high position on this list, which produces great interest in that institution. At present, work is under way not only on the eight codes that were submitted for approval, but also on several from various industries that are just taking their final shape.
Pending their approval and publication, it is worth taking a closer look at the codes that are already functioning in other countries. This will make it possible to compare the interpretations and good practices contained in those documents.
One can see enormous potential and possibilities for supporting controllers in this difficult period. We will keep track of their further development, in particular that of the research industry code, which we authored.
dr Michał Czarnecki