Adhering to GDPR Codes of Conduct: A Possible Option for SMEs to GDPR Certification
18 Pages Posted: 21 Jun 2019 Last revised: 1 Oct 2019
Date Written: June 5, 2019
The paper shows that the adherence to a CoC offers to SMEs an interesting option to a certification obtained under Article 42 GDPR. Adhering controllers or processors benefit similar rights to the one attached to certification without having to make the demonstration of conformity with the content of the CoC. Moreover, CoCs offer a set of customized guidelines, approved by a DPA(s) that are accessible for free and designed to facilitate the GDPR implementation. The functional scope possibly covered by CoCs is already wider than the one offered by certification allowing controllers and processors to demonstrate compliance with a broader range of GDPR requirements. However, using CoC instead of certification presents some disadvantages. CoCs have a sectoral coverage limiting availability to the covered sectors. The adherence to a CoC does not grant any seal to signal compliance to end users. The likely competition between national business representatives to draft their own CoC entails a risk of inconsistencies from a Member State to another. This risk is fostered by the absence of mutual recognition between national CoCs and the absence of mechanisms to prevent duplicates at national and the European levels. The option chosen by the European lawmaker to entrust the accreditation of monitoring bodies to the DPA leaves some questions open on the capacity of DPAs to handle that task. Many of them have already complained about the shortage of resources and accreditation will require hiring additional specialized profiles. Nevertheless, adhering to a GDPR CoC, when available, offers advantages over certification that should be considered by SMEs when they seek to comply with the accountability requirement set by the GDPR.
Keywords: Codes of conduct, Certification, GDPR, Accountability, Self-regulation, Co-regulation
Suggested Citation: Suggested Citation