EU EDPB publishes final Guidelines on codes of conduct as tools for international data transfers
The Guidelines seek to clarify the application of Article 40(3) GDPR to codes of conduct when used as appropriate safeguards to transfer personal data to third countries and reflect requirements of the CJEU decision in Schrems II. They set out minimum requirements, including an exhaustive checklist of the elements that must be present in a code of conduct for it to be considered as providing appropriate safeguards, and clarify the adoption and approval procedure. Key points to note include the following:
- The code’s monitoring body must have an establishment in the EEA and comply with additional accreditation requirements (as compared to other codes of conduct under GDPR).
- Exporters relying on codes of conduct for international transfers must ensure that importers make binding and enforceable commitments to apply appropriate safeguards when processing data received under the code.
- Any contract or other binding instrument should also provide for mechanisms for enforcement of the commitments in case of violations.
Read the Guidelines on Codes of Conduct as tools for transfers. The press release discussing adoption of the Guidelines is available here.