How to Demonstrate Compliance With GDPR Article 40

Codes of Conduct

Book a demo

group,of,happy,coworkers,discussing,in,conference,room

GDPR Article 40 deals explicitly with the need for organisations to draft a code of conduct – or multiples codes of conduct – that is/are unique to their business, and applicable towards the various roles contained within it.

Supporting codes may involve scenarios such as the use of personal data for marketing purposes, or healthcare purposes.

GDPR Article 40 Legal Text

EU GDPR Version

Codes of Conduct

  1. The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.
  2. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:
    • (a) fair and transparent processing;
    • (b) the legitimate interests pursued by controllers in specific contexts;
    • (c) the collection of personal data;
    • (d) the pseudonymisation of personal data;
    • (e) the information provided to the public and to data subjects;
    • (f) the exercise of the rights of data subjects;
    • (g) the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;
    • (h) the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32;
    • (i) the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects;
    • (j) the transfer of personal data to third countries or international organisations; or
    • (k) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.

  3. In addition to adherence by controllers or processors subject to this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article and having general validity pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (e) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards including with regard to the rights of data subjects.
  4. A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of supervisory authorities competent pursuant to Article 55 or 56.
  5. Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the supervisory authority which is competent pursuant to Article 55. The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards.
  6. Where the draft code, or amendment or extension is approved in accordance with paragraph 5, and where the code of conduct concerned does not relate to processing activities in several Member States, the supervisory authority shall register and publish the code.
  7. Where a draft code of conduct relates to processing activities in several Member States, the supervisory authority which is competent pursuant to Article 55 shall, before approving the draft code, amendment or extension, submit it in the procedure referred to in Article 63 to the Board which shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3 of this Article, provides appropriate safeguards.
  8. Where the opinion referred to in paragraph 7 confirms that the draft code, amendment or extension complies with this Regulation, or, in the situation referred to in paragraph 3, provides appropriate safeguards, the Board shall submit its opinion to the Commission.
  9. The Commission may, by way of implementing acts, decide that the approved code of conduct, amendment or extension submitted to it pursuant to paragraph 8 of this Article have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).
  10. The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 9.
  11. The Board shall collate all approved codes of conduct, amendments and extensions in a register and shall make them publicly available by way of appropriate means.

UK GDPR Version

Codes of Conduct

  1. The Commisioner shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.
  2. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:
    • (a) fair and transparent processing;
    • (b) the legitimate interests pursued by controllers in specific contexts;
    • (c) the collection of personal data;
    • (d) the pseudonymisation of personal data;
    • (e) the information provided to the public and to data subjects;
    • (f) the exercise of the rights of data subjects;
    • (g) the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;
    • (h) the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32;
    • (i) the notification of personal data breaches to the Commissioner and the communication of such personal data breaches to data subjects;
    • (j) the transfer of personal data to third countries or international organisations; or
    • (k) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.

  3. In addition to adherence by controllers or processors subject to this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article and having general validity pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (e) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards including with regard to the rights of data subjects.
  4. A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of the Commissioner.
  5. Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the Commissioner. The Commissioner shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards.
  6. Where the draft code, or amendment or extension is approved in accordance with paragraph 5, the Commissioner shall register and publish the code.
Trusted by companies everywhere
  • Simple and easy to use
  • Designed for ISO 27001 success
  • Saves you time and money
Book your demo
img

Technical Commentary

GDPR Article 40 asks organisations to consider 8 main areas, when implementing codes of conduct:

  1. What is meant by a code of conduct, what they are for, who can draft them.
  2. The specific needs of the organisation that need to be addressed by a code of conduct.
  3. Associations or other industry bodies that deal with codes of conduct applicable towards the organisation.
  4. Who their target audience is.
  5. How codes of conduct are approved by any relevant authorities.
  6. Specific conditions that need to be met, before a code of conduct can be approved (e.g. an opening statement).
  7. How a code of conduct may be published, once it’s been approved.
  8. Whether or not a code of conduct is to be listed on a register of similar codes.

ISO 27701 Clause 5.2.1 (Understanding the Organization and Its Context) and EU GDPR Article 40

In this section we talk about GDPR Articles 40 (1), 40 (10), 40 (11), 40 (2)(a), 40 (2)(b), 40 (2)(c), 40 (2)(d), 40 (2)(e), 40 (2)(f), 40 (2)(g), 40 (2)(h), 40 (2)(i), 40 (2)(j), 40 (2)(k), 40 (3), 40 (4), 40 (5), 40 (6), 40 (7), 40 (8), 40 (9)

The organisation needs to be able to understand how it’s going to achieve its privacy protection outcomes, and any issues that stand in the way of safeguarding PII should be identified and addressed.

Before attempting to address privacy protection and implement a PII, organisations need to first gain an understanding of their obligations as a singular or joint PII controller and/or processor.

This includes:

  • Reviewing any prevailing privacy laws, regulations or ‘judicial decisions’.
  • Taking into account the organisation’s unique set of requirements relating to the kind of products and service they sell, and company-specific governance documents, policies and procedures.
  • Any administrative factors, including the day-to-day running of the company.
  • Third party agreements or service contracts that have the potential to impact upon PII and privacy protection.

Index of Linked EU GDPR Articles and ISO 27701 Clauses

GDPR ArticleISO 27701 ClauseISO 27701 Supporting Clauses
EU GDPR Articles 40 (1) to 40 (9)ISO 27701 5.2.1None

How ISMS.online Help

By combining our ‘Adopt, Adapt, Add’ implementation strategy with the ISMS.online platform, the effort needed to achieve GDPR compliance is significantly reduced. There are also a number of powerful features that will save you time.

We make data mapping easy. With our pre-configured dynamic Records of Processing Activity tool, you can easily keep track of it all.

Find out more by booking a short demo.

I certainly would recommend ISMS.online, it makes setting up and managing your ISMS as easy as it can get.

Peter Risdon
CISO, Viital

Book your demo

Streamline your workflow with our new Jira integration! Learn more here.