EU EDPB publishes final Guidelines on codes of conduct as tools for international data transfers
Author
Browse this blog post
Related news and insights
Blog Post: 25 May 2023
EU General Court annuls EDPS decision and examines when personal data can be considered anonymised
Publications: 25 May 2023
Happy birthday, GDPR – five lessons from five years of EU data protection law
Blog Post: 24 May 2023
Compensation claims under the GDPR unpicking the latest EU and English case law and looking ahead
Blog Post: 17 May 2023
European Parliament committees adopt their vision on the AI Act proposal
The Guidelines seek to clarify the application of Article 40(3) GDPR to codes of conduct when used as appropriate safeguards to transfer personal data to third countries and reflect requirements of the CJEU decision in Schrems II. They set out minimum requirements, including an exhaustive checklist of the elements that must be present in a code of conduct for it to be considered as providing appropriate safeguards, and clarify the adoption and approval procedure. Key point to note include the following:
- The code’s monitoring body must have an establishment in the EEA and comply with additional accreditation requirements (as compared to other codes of conduct under GDPR).
- Exporters relying on codes of conduct for international transfers must ensure that importers make binding and enforceable commitments to apply appropriate safeguards when processing data received under the code.
- Any contract or other binding instrument should also provide for mechanisms for enforcement of the commitments in case of violations.
Read the Guidelines on Codes of Conduct as tools for transfers. The press release discussing adoption of the Guidelines is available here.