
GDPR: A tour of the self-regulation landscape

22 November 2018

The GDPR provides for the adoption of codes of conduct (‘codes’) and the accreditation of certifications in order to help data controllers and data processors prove that they are in compliance with the GDPR and with best practices. This will affect us, too. Starting in January 2019, it will be up to BAM to seek out the right path for the sector, step by step. One thing is certain: if we don’t face up to the issue, we will have to face up to the authorities instead.

Associations and representative bodies can draw up codes for approval by a data protection supervisory authority or, if the processing takes place in several Member States, by the European Data Protection Board, the EDPB. The European Commission can then declare that the codes recommended by the EDPB are generally applicable within the EU. Our parent association, FEDMA (www.fedma.org), is undertaking this task for our sector.

These codes are intended to offer guidance in certain key areas such as legitimate interest, exercise of the data subject’s rights, protection of minors, ensuring privacy by default, security measures to be taken, notification of security breaches and dispute resolution between data controllers and data subjects, to name but a few.

Adherence to these codes will help the data controller and the data processor demonstrate that they are in compliance with their obligations under the GDPR. This will be monitored by accredited and duly qualified bodies. Each code must provide for sanctions to be imposed on any stakeholders acting in breach of the code, including their suspension or exclusion from the code. The body must inform the authorities about actions taken and the grounds for those actions.

These codes will facilitate international transfers of personal data, and adherence to such codes could demonstrate to the authorities that importers of data (both data controllers and data processors) located outside of the EU/EEA have put in place the necessary safeguards in order to allow transfers. They are therefore a simpler mechanism for managing these international data transfers, and provide an excellent alternative to existing legal mechanisms such as standard contractual clauses and binding corporate rules (BCR).

The EDPB can set out criteria for harmonised certification: the European privacy seal. Certification is voluntary, and can also be provided by a local data protection supervisory authority. The EDPB will then approve the criteria for certification. Once certified, controllers and processors will be able to demonstrate that they are in compliance with respect to the implementation of technical and organisational measures. They will also be able to demonstrate that importers of data (controllers and processors) located outside of the EU/EEA have put in place the necessary safeguards to protect the exported personal data.

Adherence to the codes will only be monitored by bodies approved by the competent data protection supervisory authority (at national or European level). In order to obtain accreditation, bodies will have to prove their independence and expertise, and must have established procedures for evaluating adherence to the code by controllers and processors. They will also have to be capable of handling complaints.

In conclusion, participation in a code of conduct will offer numerous advantages: the codes will contribute to the proper application of the GDPR and increased legal certainty for businesses. It goes without saying that the competent data protection supervisory authority will take into account the fact that a company with which it is dealing is a member of a code of conduct. This demonstrates the company’s good faith and willingness to comply with the GDPR. As a result, any financial penalties the supervisory authority may impose on the company in question will certainly be diminished in the event that it does breach the rules. The codes will therefore allow any company involved in the processing of personal data to more easily demonstrate its compliance with the GDPR. Moreover, they will make it easier to transfer personal data within the European Union.

by Ivan Vandermeersch

Secretary General BAM (www.marketing.be)
