Adhering to GDPR Codes of Conduct: A Possible Option for SMEs to GDPR Certification

18 Pages Posted: 21 Jun 2019 Last revised: 1 Oct 2019

See all articles by Eric Lachaud

Eric Lachaud

Tilburg University - LTMS, home of Tilt and Tilec

Date Written: June 5, 2019


The paper shows that the adherence to a CoC offers to SMEs an interesting option to a certification obtained under Article 42 GDPR. Adhering controllers or processors benefit similar rights to the one attached to certification without having to make the demonstration of conformity with the content of the CoC. Moreover, CoCs offer a set of customized guidelines, approved by a DPA(s) that are accessible for free and designed to facilitate the GDPR implementation. The functional scope possibly covered by CoCs is already wider than the one offered by certification allowing controllers and processors to demonstrate compliance with a broader range of GDPR requirements. However, using CoC instead of certification presents some disadvantages. CoCs have a sectoral coverage limiting availability to the covered sectors. The adherence to a CoC does not grant any seal to signal compliance to end users. The likely competition between national business representatives to draft their own CoC entails a risk of inconsistencies from a Member State to another. This risk is fostered by the absence of mutual recognition between national CoCs and the absence of mechanisms to prevent duplicates at national and the European levels. The option chosen by the European lawmaker to entrust the accreditation of monitoring bodies to the DPA leaves some questions open on the capacity of DPAs to handle that task. Many of them have already complained about the shortage of resources and accreditation will require hiring additional specialized profiles. Nevertheless, adhering to a GDPR CoC, when available, offers advantages over certification that should be considered by SMEs when they seek to comply with the accountability requirement set by the GDPR.

Keywords: Codes of conduct, Certification, GDPR, Accountability, Self-regulation, Co-regulation

Suggested Citation

Lachaud, Eric, Adhering to GDPR Codes of Conduct: A Possible Option for SMEs to GDPR Certification (June 5, 2019). Tilburg Law School Research Paper Forthcoming, Available at SSRN: or

Eric Lachaud (Contact Author)

Tilburg University - LTMS, home of Tilt and Tilec ( email )


Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics