Skip to content

EU EDPB publishes final Guidelines on codes of conduct as tools for international data transfers

On 4 March 2022, the European Data Protection Board (EDPB) published a final version of its Guidelines on Codes of Conduct as tools for transfers of personal data to third countries (Guidelines), adopted during the EDPB plenary session of 22 February 2022. The final Guidelines follow a public consultation that was carried out in July-October 2021.

The Guidelines seek to clarify the application of Article 40(3) GDPR to codes of conduct when used as appropriate safeguards to transfer personal data to third countries and reflect requirements of the CJEU decision in Schrems II. They set out minimum requirements, including an exhaustive checklist of the elements that must be present in a code of conduct for it to be considered as providing appropriate safeguards, and clarify the adoption and approval procedure. Key point to note include the following:

  • The code’s monitoring body must have an establishment in the EEA and comply with additional accreditation requirements (as compared to other codes of conduct under GDPR). 
  • Exporters relying on codes of conduct for international transfers must ensure that importers make binding and enforceable commitments to apply appropriate safeguards when processing data received under the code. 
  • Any contract or other binding instrument should also provide for mechanisms for enforcement of the commitments in case of violations. 

Read the Guidelines on Codes of Conduct as tools for transfers. The press release discussing adoption of the Guidelines is available here.

Related expertise