How to Demonstrate Compliance With GDPR Article 41

Monitoring of Approved Codes of Conduct

Book a demo

group,of,happy,coworkers,discussing,in,conference,room

GDPR Article 41 follows on from article 40 (codes of conduct) by stipulating that compliance with a code of conduct needs to be monitored by an appropriate authority, with a suitable area of expertise relating to the business practices and objectives of the organisation.

Organisations should recognise the authority and requisite procedures of monitoring bodies, and seek to comply with them at all times.

GDPR Article 41 Legal Text

EU GDPR Version

Monitoring of Approved Codes of Conduct

  1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, the monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for that purpose by the competent supervisory authority.
  2. A body as referred to in paragraph 1 may be accredited to monitor compliance with a code of conduct where that body has:
    • (a) demonstrated its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory authority;
    • (b) established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;
    • (c) established procedures and structures to handle complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make those procedures and structures transparent to data subjects and the public; and
    • (d) demonstrated to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.

  3. The competent supervisory authority shall submit the draft criteria for accreditation of a body as referred to in paragraph 1 of this Article to the Board pursuant to the consistency mechanism referred to in Article 63.
  4. Without prejudice to the tasks and powers of the competent supervisory authority and the provisions of CHAPTER VIII, a body as referred to in paragraph 1 of this Article shall, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent supervisory authority of such actions and the reasons for taking them.
  5. The competent supervisory authority shall revoke the accreditation of a body as referred to in paragraph 1 if the conditions for accreditation are not, or are no longer, met or where actions taken by the body infringe this Regulation.
  6. This Article shall not apply to processing carried out by public authorities and bodies.

UK GDPR Version

Monitoring of Approved Codes of Conduct

  1. Without prejudice to the tasks and powers of the Commissioner under Articles 57 and 58, the monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code, and is accredited for that purpose by the Commissioner.
  2. A body as referred to in paragraph 1 may be accredited to monitor compliance with a code of conduct where that body has:
    • (a) demonstrated its independence and expertise in relation to the subject-matter of the code to the satisfaction of the Commissioner;
    • (b) established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;
    • (c) established procedures and structures to handle complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make those procedures and structures transparent to data subjects and the public; and
    • (d) demonstrated to the satisfaction of the Commissioner that its tasks and duties do not result in a conflict of interests.

  3. Without prejudice to the tasks and powers of the Commissioner and the provisions of a body as referred to in paragraph 1 of this Article shall, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the Commissioner of such actions and the reasons for taking them.
  4. The Commissioner shall revoke the accreditation of a body as referred to in paragraph 1 if the conditions for accreditation are not, or are no longer, met or where actions taken by the body infringe this Regulation.
  5. This Article shall not apply to processing carried out by public authorities and bodies.

We’re cost-effective and quick

Discover how that will boost your ROI
Get your quote

Technical Commentary

GDPR Article 41 discusses the suitability and function of the monitoring body within 5 key areas:

  1. The underlying role that the monitoring body plays.
  2. An appropriate amount of expertise that is required to carry out a monitoring role.
  3. How independent a body is from the organisations that it is set to monitor.
  4. An established set of procedures for monitoring organisations.
  5. How endorsement/accreditation is able to be revoked.

ISO 27701 Clause 5.2.1 (Understanding the Organization and Its Context) and EU GDPR Article 41

In this section we talk about GDPR Articles 41 (1), 41 (2)(a), 41 (2)(b), 41 (2)(c), 41 (2)(d), 41 (3), 41(4), 41 (5), 41 (6)

Organisations need to undergo a mapping exercise that lists both internal and external factors relating to the implementation of a PIMS.

The organisation needs to be able to understand how it’s going to achieve its privacy protection outcomes, and any issues that stand in the way of safeguarding PII should be identified and addressed.

Before attempting to address privacy protection and implement a PII, organisations need to first gain an understanding of their obligations as a singular or joint PII controller and/or processor.

This includes:

  • Reviewing any prevailing privacy laws, regulations or ‘judicial decisions’.
  • Taking into account the organisation’s unique set of requirements relating to the kind of products and service they sell, and company-specific governance documents, policies and procedures.
  • Any administrative factors, including the day-to-day running of the company.
  • Third party agreements or service contracts that have the potential to impact upon PII and privacy protection.

Index of Linked EU GDPR Articles and ISO 27701 Clauses

GDPR ArticleISO 27701 ClauseISO 27701 Supporting Clauses
EU GDPR Articles 41 (1) to 41 (6)ISO 27701 5.2.1None

How ISMS.online Help

Achieve compliance with EU and UK GDPR. Our pre-built environment fits seamlessly into your management system and enables you to describe and demonstrate your approach to protecting your European and UK customer data.

With ISMS.online, you can easily demonstrate a level of privacy protection that goes beyond ‘reasonable’, all in one secure, always-on location.

Find out more by booking a short demo.

ISMS.online makes setting up and managing your ISMS as easy as it can get.

Peter Risdon
CISO, Viital

Book your demo

Streamline your workflow with our new Jira integration! Learn more here.