Cross Border Transfer Mechanisms: Codes of Conduct


Codes of Conduct are another mechanism that can be used in transferring Personal data out of the EU to an area that is deemed not have adequate level of protection. In this article, I will explain how they created, complied with and are enforced.

(1) Who Responsible for drawing up codes of conduct
(a)    Governments and regulators can encourage the drawing up of codes of conduct.
(b)    Codes of conduct may be created by trade associations or representative bodies.
(c)    Codes should be prepared in consultation with relevant stakeholders, including individuals (Recital 99).
(d)    Codes must be approved by the relevant supervisory authority; and where the processing is cross-border, the European Data Protection Board (the EDPB).
(e)     Existing codes can be amended or extended to comply with the requirements under the GDPR.

(2)    Codes of conduct may cover topics such as:
(a)    fair and transparent processing;
       (i)    Processing-means any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means. For Example: include collecting, recording, organizing, structuring, storing and erasing of data.
(b)    legitimate interests pursued by controllers in specific contexts;
(c)    the collection of personal data;
(d)    the pseudonymization of personal data;
(e)    the information provided to individuals and the exercise of individuals’ rights;
(f)    the information provided to and the protection of children (including mechanisms for obtaining parental consent);
(g)    technical and organizational measures, including data protection by design and by default and security measures;
(h)    breach notification;
(i)    Cross border data transfers outside the EU; or
(j)    Dispute resolution procedures.

(3)    Duties of Code Members
(a)    Signing up to a code may make controller/processor subject to mandatory monitoring by a body accredited by the supervisory authority.
(b)     Signing up to a code of conduct or certification scheme is not obligatory.
(c)     Failure to comply with the requirements of the code of practice, you may be suspended or excluded and the supervisory authority will be informed.

(4)    Benefits of Codes
(a)    Improve transparency and accountability - enabling individuals to distinguish the organizations that meet the requirements of the law and they can trust with their personal data.
(b)    provide mitigation against enforcement action; and
(c)    improve standards by establishing best practice

(5) Code Enforcement
Under GDPR, Codes require mandatory monitoring of compliance with its provisions by a monitoring body that is accredited by the competent DPA. The monitoring body has the authority to suspend or exclude processor or controller from the code for non-compliance with the code. In addition, they are required to notify the DPA of the processor's or controller's infringement.

Similarly, in the U.S. the Federal Trade Commission (FTC) can bring a enforcement action against a company that self-certifies under the Networking Advertising Alliance (NAI) code but fails to comply, pursuant to its authority under Section 5 of the FTC Act.

Another benefit of codes of conduct, is that they can demonstrate compliance with security risks associated with data processing.

Comments

Post a Comment

all comments to this blog are moderated

Popular posts from this blog

Sample Privacy Risk Assesment Example and Explanation

Image
Privacy impact assessments (PIAs) are a tool that can be used to identify and reduce privacy risks. A PIAs can reduce the risks of harm to individuals by preventing the misuse of their personal information. PIAs are an integral part of taking a privacy by design ( PbD ) approach. They are used to design more efficient and effective processes for handling personal data. The use of PIAs is not something new, in fact the process has been used by a number of companies, entities and governments for over forty years now.  The PIA was created by the United States Office of Technology Assessment. The U.S. office of Management and Budget (OMB) publishes guidance on the implementation the privacy provisions by Federal Agencies under E-Government Act of 2002, including when to conduct a PIA. Under GDPR,  PIAs have become a centerpiece and necessary in certain situations. A PIA must be completed if a company is doing one of the following: Data controller or the data processor o
Read more

Preserving User Privacy in Digital Advertising: Navigating Consent and Privacy by Design

  By Victorianne Musonza #privacy-by-design #digitaladvertising #dataprivacy #CCPA #GDPR In the ever-evolving world of digital advertising, user consent, and data privacy should be an afterthought but rather something that is built into the design. As companies strive to engage consumers effectively, it is important to address these issues and implement robust mitigation strategies, all while embracing the concept of privacy by design. User consent is a major focus for data privacy in digital advertising. Consumers must have clear, transparent information about how their data is collected, used, and shared. By obtaining explicit consent, companies can establish trust and ensure that users are aware of the purpose and extent of data processing. This consent should be easily accessible, providing users with options to manage their preferences and exercise control over their personal information. However, obtaining mere consent is not enough; organizations must prioritize data privacy mit
Read more

Cross Border Transfer Mechanism: Model Clauses

A cross border transfer is one where the personal data is transferred from the EU to a country that is outside of the EU (EEA*). If the country where the data is transferred to does not have an adequate level of protection, a transfer mechanism must be used. Under GDPR, Model clauses are one of the many mechanism that can use used for cross border transfers . Model Clauses (Also known as Standard Clauses) are contractual clauses that are generally drafted and adopted a Data Protection Authority (DPA).  The Commission (One of the many EU governmental bodies) may also adopt Model Clauses, but have yet to do so. MCs set out the duties and obligations for both Controllers and Processors.  There are several noticeable differences between MCs and Binding Corporate Rules (BCRs): MCs require processors to provide an adequate level of protection of the personal data. MCs maybe used by unrelated entities. MCs do not require approval by the DPA.  MCs can not be altered and tailored.
Read more