EDPB Guidelines on Codes of Conduct as Transfer Tools

On 22 February 2022, the European Data Protection Board (EDPB) adopted Guidelines 04/2021 on Codes of Conduct as tools for transfers (the “Guidelines”), after a public consultation on an earlier draft published in 2021. These Guidelines provide useful guidance on what ‘codes of conduct’ as a transfer mechanism for international data transfers under Article 46 of the GDPR should address and on the adoption process. 

Some organisations or, in particular, trade associations may consider codes of conduct in connection with pursuing the most cost-effective mechanism for facilitating transfers of personal data outside the EEA in compliance with the requirements of the GDPR. However, unfortunately for anyone who may be seeking a way to avoid Schrems II headaches, codes of conduct will be subject to same requirements regarding assessments of third countries’ laws and the potential need for supplementary measures as apply to reliance on Standard Contractual Clauses or Binding Corporate Rules.

Under Chapter V of the GDPR, personal data may not be transferred to a third country (i.e. a country outside of the EEA) or an international organisation unless:

  1. Adequacy Decision – An adequacy decision has been made by the European Commission in respect of that third country or international organisation. Adequacy decisions have been made for a limited number of countries, such as the UK, Canada for commercial organisations, Israel, Japan and Switzerland;
  2. Appropriate Safeguards – There are appropriate safeguards in place for the transfer for the purposes of Article 46 GDPR. While there are a number of ways of achieving this under Article 46, the most commonly used methods are to have Standard Contractual Clauses or Binding Corporate Rules in place; or
  3. Derogations - One of the limited derogations under Article 49 GDPR can be relied upon for the transfer.

Approved codes of conduct are one of the ways in which ‘appropriate safeguards’ recognised under Article 46 GDPR may be implemented to facilitate the transfer of personal data outside of the EEA. At a time when there is much discussion on international data transfers, particularly in respect of Standard Contractual Clauses and a possible new Trans-Atlantic Data Privacy Framework (or Privacy Shield 2.0), these Guidelines are a welcome addition for considering another transfer mechanism in the form of ‘codes of conduct’.

Codes of conduct can be used as a tool for framing transfers outside the EEA for a particular sector or group.  In this regard,  codes of conduct may be drawn up on a sectoral or other group-wide basis with associations and other bodies representing categories of controllers or processors who have common interests or processing activities (e.g., cloud service providers or the insurance sector) and the code could address transfers of personal data to third countries or international organisations. In order for a code of conduct to be ‘an appropriate safeguard’ for the purposes of Article 46 GDPR, it must be approved by a competent Supervisory Authority within the EU. If it relates to processing activities in more than one Member State, it must also be approved by the European Data Protection Board and granted general validity within the EU by the European Commission adopting an implementing act. Once a code of conduct is appropriately approved, adherence to it by a data importer in a third country can then be relied upon by controllers and processors that are subject to the GDPR (i.e. data exporters) for the purposes of complying with their transfer obligations under Chapter V.

The Guidelines are instructive as to what a code should address.  The Guidelines note that a code of conduct for transfers should address: (i) essential principles, risks and obligations arising under the GDPR for controllers/processors; and (ii) guarantees that are specific to the context of transfers (such as with respect to the issue of onward transfers, conflict of laws in the third country). The Guidelines also contain a useful checklist of elements to be included in a code intended for transfers so that it can be considered as providing ‘appropriate safeguards’. The checklist lists the following elements to be covered by the code:

  1. A description of the transfer to be covered by the code (e.g. nature of data transferred, categories of data subjects and countries concerned).
  2. A description of the data protection principles to be complied with under the code (e.g. transparency, fairness, lawfulness, purpose limitation, damage minimisation and storage of data etc.), including rules on the use of processors and sub-processors and rules on onward transfers.
  3. Accountability principle measures to be taken under the code.
  4. The establishment of an appropriate governance structure through data protection officers or other privacy staff in charge of compliance with data protection obligations resulting from the code.
  5. The existence of a suitable training program on the obligations arising from the code.
  6. Audit provisions or other internal program for monitoring compliance with the code.
  7. Transparency measures, including easy access, regarding the use of the code in particular with respect to third party beneficiary rights.
  8. The provision of data subject rights.
  9. The creation of third-party beneficiary rights for data subjects to enforce the rules of the code as third-party beneficiaries (as well as the possibility to lodge a complaint before the competent Supervisory Authority and before EEA Courts).
  10. A complaint handling process.
  11. A warranty that at the time of adhering to the code, the third country controller/processor has no reason to believe that the laws applicable in the third country to the processing prevent it from fulfilling its obligations under the code and to implement supplementary measures, if required.
  12. A mechanism for dealing with changes to the code.
  13. The consequences of a member withdrawing from the code.
  14. A commitment for the code member and monitoring body to cooperate with EEA Supervisory Authorities.
  15. A commitment for the code member to accept to be subject to the jurisdiction of EEA Supervisory Authorities in any procedure aimed at ensuring compliance with the code of conduct and EEA Courts.
  16. The criteria of selection of the monitoring body for a code intended for transfers i.e. to demonstrate that the monitoring body has the requisite level of expertise to carry out its role in an effective manner for such a code intended for data transfers.

The Guidelines state that the above is just a minimum set of guarantees which may need to be complemented with additional commitments and measures depending on the particular transfer.  It remains to be seen whether the administrative effort involved in obtaining and maintaining approval of codes of conduct will dissuade organisations and associations from pursuing them as an alternative to the more commonly used transfer mechanisms.

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.