Transfer to a third country
Codes of conduct according to GDPR
It may be permitted to transfer personal data to a third country, i.e. a country outside the EU/EEA area, if the recipient of the personal data has adhered to an approved code of conduct. The same applies to approved certifications. Please note that the code of conduct or certification must entail obligations that are enforceable. In addition, the obligations must be legally binding in order to lead to an authorised transfer. This applies equally where the recipient of the personal data has subscribed to approved codes of conduct or to certification mechanisms.
Guidelines of the European Data Protection Board
The European Data Protection Board (EDPB) has developed guidelines for when companies transfer personal data to a third country and the recipient has adhered to an approved code of conduct or certification mechanism:
- Code of Conduct: Guidelines 04/2021 on Codes of Conduct as tools for transfers
- Certification mechanism: Guidelines 07/2022 on certification as a tool for transfers
The guidelines contain, among other things, information on the process for getting codes of conduct approved, details of what adherence entails, and related guidance.
Below we explain what a code of conduct means under the GDPR.
Codes of conduct under GDPR as an additional safeguard
Different industries may have specific instructions on how to apply and comply with the GDPR (the General Data Protection Regulation). A code of conduct can thus be equated with a type of rulebook, which is applied voluntarily in a particular sector or industry. In this way, companies that join it receive practical instructions on how to comply with the GDPR. Both controllers and processors can adhere to a code of conduct.
It is not a data protection authority or the European Data Protection Board (EDPB) that creates codes of conduct. Instead, it is common for associations representing a particular industry to draw up the code of conduct. The use of a code of conduct benefits both smaller and larger companies. In some cases, the code of conduct is international and in other cases national.
Prerequisites for a code of conduct
The organisation creating the code of conduct must have an appropriate legal status. In addition, the draft of the code of conduct must consist of binding and concrete rules on the application of the GDPR in practice. These are the basic prerequisites for a code of conduct under the GDPR.
Code of conduct must be approved by a data protection authority
Before a developed code of conduct can begin to be applied, it must first be approved by a data protection authority. For the code of conduct to be approved, the data protection authority must decide that it contributes to the effective and correct processing of personal data and to the application of the other rules of the GDPR. Below you can read more about the process for applying for approval of a code of conduct.
Application for code of conduct
The first step relates to the assessment of the eligibility of the organisation applying for the code of conduct. It must be an actor, association or other body representing categories of controllers and/or processors. A basic prerequisite is that the applicant for the code of conduct must have an appropriate legal status in relation to the actors to whom the code of conduct is intended to apply.
In the second step, the data protection authority assesses the draft code of conduct. In particular, they look at whether the draft meets the conditions set out in the EDPB’s instructions. If the conditions are met, the applicant is informed of this and the next step in the process can be started. If the conditions are not met, the applicant will also be informed of this and the reasons for the decision.
In the third step, the code of conduct is evaluated by the data protection authority. They examine whether it meets the requirements for approval according to the instructions from the EDPB. The applicant for the code of conduct is then informed of the data protection authority’s decision at this stage.
Revision of the draft code of conduct
If the data protection authority does not approve the draft, the applicant is given the opportunity to revise it based on the comments of the data protection authority. The applicant can then submit an updated draft for re-examination and approval.
Registration and publication of an approved code of conduct
If the data protection authority approves a code of conduct after the application process has been completed, it is entered in the data protection authority’s register and published on the authority’s website. In addition, the approved code of conduct is submitted to the EDPB for publication by them as well.
Amendments to an approved code of conduct
In the case of major changes to an already approved code of conduct, an application for approval of the changes must be submitted to the data protection authority. An example of a substantial change is the addition of new provisions to the code of conduct. Any such substantial changes must first be approved by the data protection authority in order to take effect.
However, it is possible to make minor changes, without the need for such prior approval. A prerequisite is that the minor changes do not have an impact on the application of the code of conduct.
More information about transfers to a third country
Certification and certification mechanisms
A certification is a tool that can be used to contribute to strong data protection. Certification and certification mechanisms are a type of additional safeguard under the GDPR. There are specific criteria an actor must meet in order to be certified. Once an actor is certified, it receives a European data protection seal. A certificate means that the processing of personal data meets the criteria of a certification scheme. To be certified and obtain a certificate, an application for certification must be submitted to an accredited and independent certification body.