The European Data Protection Board met on 4th June for their eleventh plenary session. A number of Codes and Guidelines were adopted as below, though the final texts of these have not yet been made public while ‘necessary legal, linguistic and formatting checks’ are undertaken.
Guidelines on Codes of Conduct
A final version of the Guidelines on Codes of Conduct was adopted. Following public consultation, points of clarification were included in the text. The aim of the guidelines is to provide practical guidance on, and assistance in interpreting, the application of Articles 40 and 41 of the GDPR. The guidelines are intended to help clarify the procedures and the rules involved in the submission, approval and publication of codes of conduct at both national and European level. A further aim of the guidelines is to act as a clear framework for all competent supervisory authorities, the Board and the European Commission to evaluate codes of conduct in a consistent manner and to streamline the procedures involved in the assessment process.
Annex to the Guidelines on Accreditation
A final version of the annex to the Guidelines on Accreditation was adopted following public consultation. The text has been reviewed to enhance clarity. The aim of the guidelines is to provide guidance on how to interpret and implement the provisions of Article 43 of the GDPR. In particular, they aim to help member states, supervisory authorities and national accreditation bodies establish a consistent and harmonised baseline for the accreditation of certification bodies that issue certification in accordance with the GDPR. The annex provides guidance on the additional requirements for the accreditation of certification bodies to be established by the supervisory authorities. These additional requirements, before being adopted by supervisory authorities, are to be submitted to the European Data Protection Board for approval under Article 64(1)(c).
Annex to the Guidelines on Certification
A final version of annex 2 to the Guidelines on Certification was adopted. Following a public consultation, some aspects were added to certain sections, for example, whether the criteria address the obligation of the controller/processor to appoint a data protection officer and the obligation to keep records of the processing activities. The primary aim of the guidelines is to identify overarching criteria which may be relevant to all types of certification mechanisms issued in accordance with Articles 42 and 43 of the GDPR. The annex identifies topics that data protection supervisory authorities and the EDPB will consider and apply for the approval of certification criteria for a certification mechanism. The list is not exhaustive, but presents the minimum topics to be considered.
UPDATE – 18.06.2019: The texts of the documents are now available here.