What shall a code of conduct contain?

22 February 2022

The content of a code of conduct is framed by the GDPR and by guidelines adopted by the European Data Protection Board (EDPB) which provides practical explanations and examples.

This content is a courtesy translation of the original publication in French. In the event of any inconsistencies between the French version and this English translation, please note that the French version shall prevail.

Formal requirements of the code of conduct

If an organisation decides to develop a code, it is essential to ensure that it meets the following requirements:

  • the content of the code of conduct addresses the data protection issues of a sector, it can be broader or more focused on a particular type of processing operation;
  • the framework of the code should facilitate its understanding, practical use and effective application of the GDPR by the professionals concerned who are not necessarily data protection experts;
  • the code defines organizational measures, concrete solutions that adherents can apply to comply with the GDPR. Caution: repetition or rewording of the RGPD must be avoided;
  • the code provides guarantees to limit the risks linked to the processing of personal data by the professionals of the sector (good practices in terms of security measures for example);
  • the code of conduct establishes mechanisms for the monitoring of compliance with its provisions by stakeholders who undertake to apply it. These mechanisms concern in particular the designation and the framework of the missions of the body in charge of this control.

Note: where the designation of a monitoring body is not mandatory, the code of conduct must nevertheless provide for the implementation of effective mechanisms for monitoring a code.

Other elements to include

Therefore, the following provisions shall also be developed inside the code:

  • The project must include an introduction presenting the objectives, the scope and the way it would facilitate the effective application of the GDPR’s provisions;
  • The representativeness of the code owner shall be demonstrated and assessed in particular according to the number of companies it represents with regards to the sector, the number of potential code adherent, its expertise in the sector of activity or in the types of processing concerned;
  • The material scope (relevant data processing) and territorial scope (the State or the States in which it will be enforced) of the code must be defined;
  • The national or European scope of the code must be specified: if the European scope is chosen, the code of conduct must provide the elements justifying this qualification and the list of Supervisory authorities concerned by the code of conduct. Note: explanations regarding this point can be found in Appendix 1 of the guidelines on the code of conduct approved by the EDPB;
  • The competent supervisory authority must be designated; the code owner must explain why it has chosen the CNIL as an authority lead. Note: Appendix 2 of the guidelines on the code of conduct approved by the EPDB contains details on this point;
  • The governance of the code of conducts must be explained. The code owner must indicate how the relationship between the adherents, the owner and the supervisory authority will be organised throughout the life of the code of conduct. Therefore, governance of the code can be expressed by indicating the terms and conditions of adherence to the code of conduct, the mechanisms for exiting the code, the process for updating the code’s requirements, the criteria for selecting the monitoring body, etc.;
  • A body in charge of the regular monitoring of the code of conduct’s proper application by the adherents must be designated:
    • Exception: The designation of a monitoring body for a code of conduct regarding the data processing carried out by authorities and public bodies is not mandatory. However, the guidelines advise the deployment of mechanism to monitor the good application of the code of conduct.
  • A summary of the consultation with the sector’s professionals and, if possible, with the data subjects must be provided. This consultation can take the form of an electronic information campaign, an online survey, or a vote in a general assembly;
  • Compliance with national law, especially where specific provisions are applicable, must be ensured by the code of conduct;
  • The language of the code of conduct, must be that of the competent supervisory authority, as such any documents submitted to the CNIL must be in French, however it is permitted that an English version should also be provided, for European projects.