Cross Border Transfer Mechanisms: Codes of Conduct
Codes of Conduct are another mechanism that can be used in transferring Personal data out of the EU to an area that is deemed not have adequate level of protection. In this article, I will explain how they created, complied with and are enforced.
(1) Who Responsible for drawing up codes of conduct
(a) Governments and regulators can encourage the drawing up of codes of conduct.
(b) Codes of conduct may be created by trade associations or representative bodies.
(c) Codes should be prepared in consultation with relevant stakeholders, including individuals (Recital 99).
(d) Codes must be approved by the relevant supervisory authority; and where the processing is cross-border, the European Data Protection Board (the EDPB).
(e) Existing codes can be amended or extended to comply with the requirements under the GDPR.
(2) Codes of conduct may cover topics such as:
(a) fair and transparent processing;
(i) Processing-means any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means. For Example: include collecting, recording, organizing, structuring, storing and erasing of data.
(b) legitimate interests pursued by controllers in specific contexts;
(c) the collection of personal data;
(d) the pseudonymization of personal data;
(e) the information provided to individuals and the exercise of individuals’ rights;
(f) the information provided to and the protection of children (including mechanisms for obtaining parental consent);
(g) technical and organizational measures, including data protection by design and by default and security measures;
(h) breach notification;
(i) Cross border data transfers outside the EU; or
(j) Dispute resolution procedures.
(3) Duties of Code Members
(a) Signing up to a code may make controller/processor subject to mandatory monitoring by a body accredited by the supervisory authority.
(b) Signing up to a code of conduct or certification scheme is not obligatory.
(c) Failure to comply with the requirements of the code of practice, you may be suspended or excluded and the supervisory authority will be informed.
(4) Benefits of Codes
(a) Improve transparency and accountability - enabling individuals to distinguish the organizations that meet the requirements of the law and they can trust with their personal data.
(b) provide mitigation against enforcement action; and
(c) improve standards by establishing best practice
(5) Code Enforcement
Under GDPR, Codes require mandatory monitoring of compliance with its provisions by a monitoring body that is accredited by the competent DPA. The monitoring body has the authority to suspend or exclude processor or controller from the code for non-compliance with the code. In addition, they are required to notify the DPA of the processor's or controller's infringement.
Similarly, in the U.S. the Federal Trade Commission (FTC) can bring a enforcement action against a company that self-certifies under the Networking Advertising Alliance (NAI) code but fails to comply, pursuant to its authority under Section 5 of the FTC Act.
Another benefit of codes of conduct, is that they can demonstrate compliance with security risks associated with data processing.
Comments
Post a Comment
all comments to this blog are moderated