GDPR: A tour of the self-regulation landscape

The GDPR provides for the adoption of codes of conduct (‘codes’) and the accreditation of certifications in order to help data controllers and data processors prove that they are in compliance with the GDPR and with best practices. This will affect us, too. Starting in January 2019, it will be up to BAM to seek out the right path for the sector, step by step. One thing is certain: if we don’t face up to the issue, we will have to face up to the authorities instead.

Associations and representative bodies can draw up codes for approval by a data protection supervisory authority or, if the processing takes place in several Member States, by the European Data Protection Board, the EDPB. The European Commission can then declare that the codes recommended by the EDPB are generally applicable within the EU. Our parent association, FEDMA (, is undertaking this task for our sector.

These codes are intended to offer guidance in certain key areas such as legitimate interest, exercise of the data subject’s rights, protection of minors, ensuring privacy by default, security measures to be taken, notification of security breaches and dispute resolution between data controllers and data subjects, to name but a few.

Adherence to these codes will help the data controller and the data processor demonstrate that they are in compliance with their obligations under the GDPR. This will be monitored by accredited and duly qualified bodies. Each code must provide for sanctions to be imposed on any stakeholders acting in breach of the code, including their suspension or exclusion from the code. The body must inform the authorities about actions taken and the grounds for those actions.

These codes will facilitate international transfers of personal data, and respect of such codes could demonstrate to the authorities that importers of data (both data controllers and data processors) located outside of the EU/EEA have put in place the necessary safeguards in order to allow transfers. It is therefore a simpler mechanism for managing these international data transfers, and provides an excellent alternative to existing legal mechanisms such as standard contractual clauses and binding corporate rules (BCR).

The EDPB can set out criteria for harmonised certification: the European privacy seal. Certification is voluntary, and can also be provided by a local data protection supervisory authority. The EDPB will then approve the criteria for certification. Once certified, controllers and processors will be able to demonstrate that they are in compliance with respect to the implementation of technical and organisational measures. They will also be able to demonstrate that importers of data (controllers and processors) located outside of the EU/EEA have put in place the necessary safeguards to protect the exported personal data.

Adherence to the codes will only be monitored by bodies approved by the competent data protection supervisory authority (at national or European level). In order to obtain accreditation, bodies will have to prove their independence and expertise, and must have established procedures for evaluating adherence to the code by controllers and processors. They will also have to be capable of handling complaints.

In conclusion, participation in a code of conduct will offer numerous advantages:  the codes will contribute to the proper application of the GDPR and increased legal certainty for businesses. It goes without saying that the competent data protection supervisory authority will take into account the fact that a company with which it is dealing is a member of a code of conduct. This demonstrates the company’s good faith and willingness to comply with the GDPR. As a result, any financial penalties the supervisory authority may impose on the company in question will certainly be diminished in the event that it does breach the rules. The codes will therefore allow any company involved in the processing of personal data to more easily demonstrate their compliance with the GDPR. Moreover, they will make it easier to transfer personal data within the European Union.

by Ivan Vandermeersch

Secretary General BAM ( )