
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation) (Text with EEA relevance)


This is a legislation item that originated from the EU


Changes to legislation:

There are currently no known outstanding effects for the Regulation (EU) 2016/679 of the European Parliament and of the Council, Section 5.


Section 5 U.K. Codes of conduct and certification

Article 40 U.K. Codes of conduct

1. [F1 The Commissioner] shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.

2. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:

(a) fair and transparent processing;

(b) the legitimate interests pursued by controllers in specific contexts;

(c) the collection of personal data;

(d) the pseudonymisation of personal data;

(e) the information provided to the public and to data subjects;

(f) the exercise of the rights of data subjects;

(g) the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;

(h) the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32;

(i) the notification of personal data breaches to [F2 the Commissioner] and the communication of such personal data breaches to data subjects;

(j) the transfer of personal data to third countries or international organisations; or

(k) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.

3. In addition to adherence by controllers or processors subject to this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article F3 ... may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (e) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards including with regard to the rights of data subjects.

4. A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of [F4 the Commissioner].

5. Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to [F5 the Commissioner, who] shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if [F6 the Commissioner finds] that it provides sufficient appropriate safeguards.

6. Where the draft code, or amendment or extension is approved in accordance with paragraph 5, [F7 the Commissioner] shall register and publish the code.

F8 7. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F8 8. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F8 9. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F8 10. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F8 11. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .


Article 41 U.K. Monitoring of approved codes of conduct

1. Without prejudice to the tasks and powers of [F9 the Commissioner] under Articles 57 and 58, the monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for that purpose by [F9 the Commissioner].

2. A body as referred to in paragraph 1 may be accredited to monitor compliance with a code of conduct where that body has:

(a) demonstrated its independence and expertise in relation to the subject-matter of the code to the satisfaction of [F10 the Commissioner];

(b) established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;

(c) established procedures and structures to handle complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make those procedures and structures transparent to data subjects and the public; and

(d) demonstrated to the satisfaction of [F11 the Commissioner] that its tasks and duties do not result in a conflict of interests.

F12 3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

4. Without prejudice to the tasks and powers of [F13 the Commissioner] and the provisions of Chapter VIII, a body as referred to in paragraph 1 of this Article shall, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform [F13 the Commissioner] of such actions and the reasons for taking them.

[X1 5. [F14 The Commissioner] shall revoke the accreditation of a body as referred to in paragraph 1 if the requirements for accreditation are not, or are no longer, met or where actions taken by the body infringe this Regulation.]

6. This Article shall not apply to processing carried out by public authorities and bodies.


Article 42 U.K. Certification

1. [F15 The Commissioner] shall encourage F16 ... the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.

2. In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 5 of this Article may be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation pursuant to Article 3 within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (f) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects.

3. The certification shall be voluntary and available via a process that is transparent.

4. A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of [F17 the Commissioner].

5. A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 43 or by [F18 the Commissioner], on the basis of criteria approved by [F19 the Commissioner] pursuant to Article 58(3) F20 ... . Where the criteria are approved by the Board, this may result in a common certification, the European Data Protection Seal.

6. The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 43, or where applicable, [F21 the Commissioner], with all information and access to its processing activities which are necessary to conduct the certification procedure.

[X1 7. Certification shall be issued to a controller or processor for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant criteria continue to be met. Certification shall be withdrawn, as applicable, by the certification bodies referred to in Article 43 or by [F22 the Commissioner] where the criteria for the certification are not or are no longer met.]

8. [F23 The Commissioner] shall collate all certification mechanisms and data protection seals and marks in a register and shall make them publicly available by any appropriate means.


Article 43 U.K. Certification bodies

1. Without prejudice to the tasks and powers of [F24 the Commissioner] under Articles 57 and 58, certification bodies which have an appropriate level of expertise in relation to data protection shall, after informing [F25 the Commissioner] in order to allow it to exercise its powers pursuant to point (h) of Article 58(2) where necessary, issue and renew certification. [F26 In accordance with section 17 of the 2018 Act, those certification bodies may only be] accredited by one or both of the following:

[F27 (a) the Commissioner;]

(b) [F28 the UK national accreditation body] named in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council (1) in accordance with EN-ISO/IEC 17065/2012 and with the additional requirements established by [F29 the Commissioner].

2. Certification bodies referred to in paragraph 1 shall be accredited in accordance with that paragraph only where they have:

(a) demonstrated their independence and expertise in relation to the subject-matter of the certification to the satisfaction of [F30 the Commissioner];

(b) undertaken to respect the criteria referred to in Article 42(5) and approved by [F31 the Commissioner] which is competent pursuant to Article 55 or 56 or by the Board pursuant to Article 63;

(c) established procedures for the issuing, periodic review and withdrawal of data protection certification, seals and marks;

(d) established procedures and structures to handle complaints about infringements of the certification or the manner in which the certification has been, or is being, implemented by the controller or processor, and to make those procedures and structures transparent to data subjects and the public; and

(e) demonstrated, to the satisfaction of [F32 the Commissioner], that their tasks and duties do not result in a conflict of interests.

3. [X1 The accreditation of certification bodies as referred to in paragraphs 1 and 2 of this Article shall take place on the basis of requirements approved by [F33 the Commissioner].] In the case of accreditation pursuant to point (b) of paragraph 1 of this Article, those requirements shall complement those envisaged in Regulation (EC) No 765/2008 and the technical rules that describe the methods and procedures of the certification bodies.

4. The certification bodies referred to in paragraph 1 shall be responsible for the proper assessment leading to the certification or the withdrawal of such certification without prejudice to the responsibility of the controller or processor for compliance with this Regulation. The accreditation shall be issued for a maximum period of five years and may be renewed on the same conditions provided that the certification body meets the requirements set out in this Article.

5. The certification bodies referred to in paragraph 1 shall provide [F34 the Commissioner] with the reasons for granting or withdrawing the requested certification.

[X1 6. The requirements referred to in paragraph 3 of this Article and the criteria referred to in Article 42(5) shall be made public by [F35 the Commissioner] in an easily accessible form. F36 ...]

7. Without prejudice to Chapter VIII, [F37 the Commissioner or the UK national accreditation body] shall revoke an accreditation of a certification body pursuant to paragraph 1 of this Article where the conditions for the accreditation are not, or are no longer, met or where actions taken by a certification body infringe this Regulation.

F38 8. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F38 9. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .


(1) Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93 (OJ L 218, 13.8.2008, p. 30).
