How to get a code of conduct approved?
The drafts for national codes are examined and approved by the CNIL, whereas the draft for European codes are submitted to the European Data Protection Board (EDPB) for its opinion.
This content is a courtesy translation of the original publication in French. In the event of any inconsistencies between the French version and this English translation, please note that the French version shall prevail.
How does the CNIL assist you?
The CNIL’s departments assist you, within the framework of a request for advice, during the upstream construction phase of your draft code of conduct.
Since the code owner is the pen of the code of conduct and the elaboration of this tool requires several months of drafting, this upstream support phase is essential in order to ensure that the structure and scope of the code of conduct are well defined in accordance with the GDPR’s provisions and the guidelines approved by the EDPB.
For example, you can submit us a draft of code if:
- You have developed a governance structure but you want to ensure that it meets the requirements of the guidelines.
- You want to submit the first practice sheets of your code.
The compliance tools department is at your side for any questions relating to the procedure or methodology applicable to the code of conduct, contact the CNIL’s compliance tools department. At the end of this support phase, you can submit your draft code (in French) to the CNIL via a dedicated teleservice on our website.
How to get a national code of conduct approved?
Once you have submitted your application to the CNIL via the teleservice, you will receive an acknowledgment of receipt if, after an initial analysis, your file is complete. The four-month period starts as soon as the acknowledgement of receipt is sent.
Then, the CNIL’s departments will analyse your draft and will discuss with the code owner until the requirements are met.
Finally, the CNIL will approve your draft.
List of approved codes of conducts
How to get a European code of conduct approved?
The instruction period for a European code of conduct draft varies on average from eight to fourteen month. These delays are justified by the scope of the code of conduct and the need to provide the applicant with the maximum legal certainty on a European scale.
This procedure is subject to numerous exchanges between the code owner, the competent supervisory authority (the CNIL) and the other Data Protection Authorities. The purpose of these different stages is to help the applicants build a draft that provides the best legal certainty.
This joint instruction period is divided into three phases:
- Once the CNIL has been notified via the teleservice, the departments will analyse the draft and exchange with the code owner until satisfaction of the requirements.
- The file is afterward addressed to two voluntary supervisory authorities who will analyse the draft and transfer their comments to the CNIL, of which you will be informed.
- The third step consists in the communication of the draft to all of the supervisory authorities concerned by the code of conduct. This phase may also give rise to further comments and/or requests for change to the code of conduct’s draft.
Finally, the CNIL will submit for opinion the draft to the EDPB in accordance with the application of the “consistency mechanisms” provided by the GDPR (article 63).
The EDPB will then submit its opinion to the European Commission which will decide on the general application of the code of conduct within the European Union in accordance with the provisions of the GDPR (article 40.8 and 40.9).
![[Graphic Design] Code of conduct](/sites/cnil/files/thumbnails/image/graphic_design_-_code_of_conduct.jpg "[Graphic Design] Code of conduct")