Under Article 46 of the GDPR, Controllers and Processors must implement appropriate safeguards for transfers of personal data to third countries or to international organisations. Where the European Commission has not determined a third country as having adequate protection, there are several mechanisms available to achieve this end. The most utilised of these are Standard Contractual Clauses (SCCs); however, for systematic, routine, or regular transfers they may not always be the best tool.
As such, Article 46 outlines various alternative mechanisms to SCCs, one being a Code of Conduct. The EDPB created this option to enable associations and other bodies representing categories of controllers or processors to prepare (or amend) codes of conduct. These would be approved for use by a supervisory authority with oversight from the EDPB and granted general validity by the European Commission.
Where approved and adhered to, codes of conduct may be used by Controllers or Processors to provide appropriate safeguards for third country transfers, including those not subject to the GDPR where personal data is flowing to and from third countries.
The updated European Data Protection Board (EDPB) guidelines on using codes of conduct as a tool for transfers are a significant development, enabling third country transfers of personal data where an adequacy decision does not exist. The guidance also explores the adoption process, the parties involved, the guarantees to be provided and the requirements a code of conduct for transfers must meet.
This piece outlines the updated EDPB guidelines for using codes of conduct, explores what this means in context and details the benefits they could provide in facilitating third country transfers.
What are the real benefits of a Code of Conduct?
The principal benefit of Codes of Conduct is their flexibility. They can be prepared by organisations representing categories of controllers/processors. Moreover, they can be prepared by sectoral organisations or organisations operating in separate sectors but having common processing activities which share the same processing characteristics and needs.
Significantly, Codes of Conduct differ from Binding Corporate Rules (BCRs) in that the parties adhering to a Code of Conduct do not need to belong to the same corporate group. This makes them particularly useful to consider as a mechanism for data transfers because their scope is much broader. In real terms, much the same effort would be required in drafting and seeking approval as would apply to BCRs.
Key requirements for practical application – Content of a Code of Conduct
One of the aims of the guidelines was to provide practical guidance on the content of Codes of Conduct. A Code of Conduct must set out the rules with which the third country controller or processor needs to comply, and Controllers and Processors are required to make binding, enforceable commitments via contractual or other legally binding instruments in accordance with EU law. The key clauses that constitute the minimum guarantees include:
- A right for data subjects whose data are transferred under the code of conduct to rely on and enforce its rules.
- Liability in the case of breaches.
- The right of data subjects to bring a case against the data importer.
- Rights for data exporters to enforce the code against data importers as third-party beneficiaries.
- Notification clauses placing obligations on importers to notify the exporter.
- A description of the transfers.
- Transparency.
- Accountability.
- Governance.
- Training.
- Data protection audit.
- Changes to the code.
- Withdrawal from the code and its consequences.
These clauses are not an exhaustive list, and controllers need to assess whether additional commitments and measures are required for a code of conduct to obtain approval.
Utility for your organisation
The organisation or body preparing the code of conduct is the Code owner, and they must submit the Code of Conduct to the Supervisory Authority (SA) for approval. When the Code of Conduct is approved by a Competent Supervisory Authority and granted general validity by the European Commission, the Code of Conduct may be adhered to and used by Controllers and Processors.
An organisation should check whether others in its sector are already involved in preparing a Code of Conduct. It makes sense for organisations making regular data transfers to work with other sectoral partners to prepare a Code of Conduct that would benefit sectoral members with common processing activities. Moreover, whilst considerable work may be required to get a Code of Conduct approved and granted general validity, sharing the load across the sectors and organisations involved in its preparation should make it easier. Furthermore, the benefits of having a code of conduct to facilitate transfers should justify the work involved.
What should you do now?
- Explore what third country transfers you are involved in to review compliance with safeguarding requirements
- Explore and engage with sectoral bodies or associations representing your specific sector to understand whether there is interest in creating a code of conduct where one does not exist, or in amending one where it does.
Conclusion
Many of the mechanisms to facilitate third country transfers have been challenged in the past. However, as a legally binding and enforceable instrument, Codes of Conduct are a very good option for Controllers that carry out regular, routine, or systematic third country transfers. Once approved, the Controller(s) will have the comfort of knowing that the code of conduct has been approved by the Supervisory Authority, overseen by the EDPB and granted general validity by the European Commission.
Given the potential benefits, we expect this approach to third country data transfers to become more utilised in the coming years with increased activity across supervisory authorities in approving them.
Trilateral’s Data Protection and Cyber-Risk Team has significant experience advising organisations and other entities on advanced data management and compliance, as well as on complex international data transfers. Trilateral supports experts working within research, businesses, or regulatory bodies to advance knowledge and practice on responsible data practices. For more information, please feel free to contact our advisers, who would be more than happy to help.