Skip to content
Guidance · EDPB ·022023-on-the-draft-decision-of-the-competent EN LLM context A cited markdown file you can paste into your AI assistant (ChatGPT, Claude, a RAG or project knowledge base) to ground it in this document. Contains: this document’s text, its sections with their topics, and the full text of every law provision it applies. Everything links back to its source on overview.legal — legal information, not advice.

Opinion 02/2023 on the draft decision of the competent supervisory authority of Latvia regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to Article 41 GDPR

Summary

1 Adopted Opinion 02/2023 on the draft decision of the competent supervisory authority of Latvia regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to Article 41 GDPR Adopted on 3 February 2023 2 Adopted 3 Adopted The European Data Protection Board Having regard to Article 63, Article 64 (1)(c), (3)-(8) and Article 41 (3) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of…

How it connects

Full text 73 sections

Paragraphs carrying a topic or an applied provision show those connections inline Original at the source →
¶1

Adopted Opinion 02/2023 on the draft decision of the competent supervisory authority of Latvia regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to Article 41 GDPR Adopted on 3 February 2023

¶2

Adopted

¶3

Adopted The European Data Protection Board Having regard to Article 63, Article 64 (1)(c), (3)-(8) and Article 41 (3) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”), Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018, 1 Having regard to Article 10 and Article 22 of its Rules of Procedure of 25 May 2018, Whereas: (1) The main role of the European Data Protection Board (hereinafter “the Board”) is to ensure the consistent application of the GDPR when a supervisory authority (hereinafter “SA”) intends to approve the requirements for accreditation of a code of conduct (hereinafter “code”) monitoring body pursuant to Article 41. The aim of this opinion is therefore to contribute to a harmonised approach with regard to the suggested requirements that a data protection supervisory authority shall draft and that apply during the accreditation of a code monitoring body by the competent supervisory authority. Even though the GDPR does not directly impose a single set of requirements for accreditation, it does promote consistency. The Board seeks to achieve this objective in its opinion by: firstly, requesting the competent SAs to draft their requirements for accreditation of monitoring bodies based on article 41(2) GDPR and on the Board’s “Guidelines 1/2019 on Codes of Conduct and Monitoring bodies under Regulation 2016/679” (hereinafter the “Guidelines”), using the eight requirements as outlined in the guidelines’ accreditation section (section 12); secondly, providing the competent SAs with written guidance explaining the accreditation requirements; and, finally, requesting the competent SAs to adopt the requirements in line with this opinion, so as to achieve a harmonised approach. (2) With reference to Article 41 GDPR, the competent supervisory authorities shall adopt requirements for accreditation of monitoring bodies of approved codes. They shall, however, apply the consistency mechanism in order to allow the setting of suitable requirements ensuring that monitoring bodies carry out the monitoring of compliance with codes in a competent, consistent and independent manner, thereby facilitating the proper implementation of codes across the Union and, as a result, contributing to the proper application of the GDPR. (3) In order for a code covering non-public authorities and bodies to be approved, a monitoring body (or bodies) must be identified as part of the code and accredited by the competent SA as being capable of effectively monitoring the code. The GDPR does not define the term “accreditation”. However, Article 41 (2) of the GDPR outlines general requirements for the accreditation of the monitoring body. There are a number of requirements, which should be met in order to satisfy the competent supervisory authority to accredit a monitoring body. Code owners are required to explain and 1 References to the “Union” made throughout this opinion should be understood as references to “EEA”.

¶4

Adopted demonstrate how their proposed monitoring body meets the requirements set out in Article 41 (2) GDPR to obtain accreditation. (4) While the requirements for accreditation of monitoring bodies are subject to the consistency mechanism, the development of the accreditation requirements foreseen in the Guidelines should take into consideration the code’s sector or specificities. Competent supervisory authorities have discretion with regard to the scope and specificities of each code, and should take into account their relevant legislation. The aim of the Board’s opinion is therefore to avoid significant inconsistencies that may affect the performance of monitoring bodies and consequently the reputation of GDPR codes of conduct and their monitoring bodies. (5) In this respect, the Guidelines adopted by the Board will serve as a guiding thread in the context of the consistency mechanism. Notably, in the Guidelines, the Board has clarified that even though the accreditation of a monitoring body applies only for a specific code, a monitoring body may be accredited for more than one code, provided it satisfies the requirements for accreditation for each code . (6) The opinion of the Board shall be adopted pursuant to Article 64 (3) GDPR in conjunction with article 10 (2) of the EDPB Rules of Procedure within eight weeks from the first working day after the Chair and the competent supervisory authority have decide d that the file is complete. Upon decision of the Chair, this period may be extended by a further six weeks taking into account the complexity of the subject matter. HAS ADOPTED THE FOLLOWING OPINION: SUMMARY OF THE FACTS 1 The Latvian supervisory authority (hereinafter “LV SA”) has submitted its draft decision containing the accreditation requirements for a code of conduct monitoring body to the Board, requesting its opinion pursuant to Art. 64 (1)(c), for a consistent approach at Union level. The decision on the completeness of the file was taken on 28 October 2022. 2 In compliance with article 10 (2) of the Board Rules of Procedure, due to the complexity of the matter at hand, the Chair decided to extend the initial adoption period of eight weeks by a further six weeks. ASSESSMENT General reasoning of the Board regarding the submitted draft accreditation requirements 3 All accreditation requirements submitted to the Board for an opinion must fully address Art. 41 (2) GDPR criteria and should be in line with the eight areas outlined by the Board in the accreditation section of the Guidelines (section 12, pages 21-25). The Board opinion aims at ensuring consistency and a correct application of Art. 41 (2) GDPR as regards the presented draft. 4 This means that, when drafting the requirements for the accreditation of a body for monitoring codes according to Art. 41 (3) and 57 (1) (p) GDPR, all the SAs should cover these basic core requirements

¶5

Adopted foreseen in the Guidelines, and the Board may recommend that the SAs amend their drafts accordingly to ensure consistency. 5 All codes covering non-public authorities and bodies are required to have accredited monitoring bodies. Art. 40 GDPR expressly request SAs, the Board and the Commission to “encourage the drawing up of codes of conduct intended to contribute to the proper application of the GDPR, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium sized enterprises.” Therefore, the Board recognises that the requirements need to work for different types of codes, applying to sectors of diverse size, addressing various interests at stake and covering processing activities with different levels of risk.

¶6

In some areas, the Board will support the development of harmonised requirements by encouraging the SA to consider the examples provided for clarification purposes.

¶7

When this opinion remains silent on a specific requirement, it means that the Board is not asking the LV SA to take further action.

¶8

This opinion does not reflect upon items submitted by the LV SA, which are outside the scope of Art. 41 (2) GDPR, such as references to national legislation. The Board nevertheless notes that national legislation should be in line with the GDPR, where required. Analysis of the LV SA’s accreditation requirements for Code of Conduct’s monitoring bodies

¶9

Taking into account that: a. Art. 41 (2) GDPR provides a list of accreditation areas that a monitoring body need to address in order to be accredited; b. Art. 41 (4) GDPR requires that all codes (excluding those covering public authorities per Art. 41 (6)) have an accredited monitoring body; and c. Art. 57 (1) (p) & (q) GDPR provides that a competent supervisory authority must draft and publish the accreditation requirements for monitoring bodies and conduct the accreditation of a body for monitoring codes of conduct. the Board is of the opinion that: GENERAL REMARKS

¶10

The Board notes that the reference to the processing carried out by public authorities and bodies provided under section 15 of the Guidelines is missing and, therefore, the Board recommend the LV SA to include such a reference.

¶11

For the sake of consistency and clarity, the Board encourages the LV SA to replace throughout the draft accreditation requirements the term “LVSA” with the term “Competent Supervisory Authority” in line with the terminology used in the Guidelines. At the same time the Board encourages the LV SA to introduce in the draft requirements a definition of the term “Competent Supervisory Authority”, to be understood as the Data State Inspectorate of the Republic of Latvia. 6 Adopted

¶12

For the sake of consistency, the Board encourages the LV SA to adjust terminology used in the requirements to the terminology used in the Guidelines, this applies to the terms ‘code owners’, i. e. to include “and in line with national law”.

¶13

In general, the Board encourages the LV SA to ensure consistency of the wording throughout the text. For instance, in section 4.1 the term “appropriate” expertise is used, while in section 4.3 the word “adequate” experience and knowledge is introduced.

¶14

The Board encourages the LV SA, for the sake of consistency, to use the word/wording “influence” instead of “pressure” (section 2.1.1.e), “mitigate” instead of “make appropriate provisions for” (section 2.1.2.g), “previous and planned” or “previous, current and upcoming” instead of “past or projected” (section 2.2.7.a), “influence” instead of “interference” (section 2.3.1.e, section 3.1.b), “carry out” instead of “discharge”(section 4.1, section 4.3), “shall introduce” instead of “has introduced” (section 5.2), “understandable” instead of “understood” (section 6.1.a).

¶15

The Board notes that on 22 February 2022, “the Guidelines 04/2021 on Codes of Conduct as tools for transfers” were adopted. These guidelines do not add any additional requirements for the accreditation of monitoring bodies that monitor codes of conduct intended for international transfers. Rather, the guidelines provide further specifications of the general requirements established by the Guidelines (Section 12), taking into account the specific context of international transfers. 2 For the sake of clarity, the Board recommends the LV SA to add a reference to the above-mentioned guidelines, which are relevant in the context of monitoring codes of conduct intended for international transfers.

¶16

With reference to section 1.3, the Board understands that when referring to transnational application, a translation into Latvian of the documents submitted in another language shall be attached. Therefore, the Board encourages the LV SA to clarify if the understanding of the Board is correct.

¶17

The Board notes that letters a and b 4 under section 1.6 of the LV SA’s draft accreditation requirements would be better placed in section 3 as evidence in regard to requirements relating to the absence of conflict of interest. Thus, in order to avoid confusion, the EDPB encourages the LV SA to move the paragraphs accordingly. INDEPENDENCE

¶18

With regard to section 2.1 (“Legal status and organisational independence“), for the sake of clarity the Board encourages the LV SA to redraft this section by stating that the monitoring body can act as an internal or external monitoring body vis-à-vis the code owner, “with the choice of a particular approach at the discretion of the code owner”.

¶19

With regard to section 2.1.b, the Board recommends the LV SA to add the wording “appropriately independent in relation to its impartiality of function”, as provided by paragraph 63 of the Guidelines.

¶20

With regard to section 2.1.1.c, the Board recommends the LV SA to add the following word “full” when it refers to autonomy, as provided by paragraph 67 of Guidelines.

¶21

With regard to section 2.1.1.f, in order to provide the same understanding as the one in paragraph 67 of Guidelines, the Board encourages the LV SA to add a reference referring to the independence “in performing its tasks and exercising its power”. 2 See Section4.2 of the EDPB Guidelines 04/2021 on Codes of Conduct as tools for transfers. 7 Adopted

¶22

With regard to section 2.1.2.a, the Board understands that the appointment refers to “members/staff”. However, in order to avoid confusion, the Board encourages the LV SA to make it clearer.

¶23

With regard to section 2.1.2.d, the Board encourages the LV SA to clarify that the declaration shows there are no common interests with the entities to be monitored.

¶24

With regard to section 2.1.2.g, the Board underlines that, according to paragraph 66 of the Guidelines, the independence of a monitoring body should be demonstrated by appropriate safeguards in place to sufficiently mitigate a risk of independence or a conflict of interest . Moreover, a monitoring body will need to identity risks to its impartiality on an ongoing basis. The LV SA’s draft accreditation requirements do not include such references to “conflict of interest” and “impartiality” and, therefore, the Board recommends to amend section 2.1.2.g accordingly.

¶25

Moreover, with regard to the financial support (section 2.2.3), the Board observes that the draft accreditation requirements refer to the means that “shall not adversely affect its independence”. The Board encourages the LV SA to redraft the relevant part of the requirements by adding a reference to “in relation to the task of monitoring compliance with the Code”.

¶26

In addition, the Board considers that the requirements on financial resources would benefit from the inclusion of some examples with regard to the financial independence of the monitoring body, in order to highlight how the monitoring body can demonstrate that the means by which it obtains financial support should not adversely affect its independence (section 2.2). For instance, the monitoring body would not be considered financially independent if the rules governing its financial support allow a code member, who is under investigation by the monitoring body, to stop its financial contributions to it, in order to avoid a potential sanction from the monitoring body. The Board encourages the LV SA to add such clarification and provide examples of how the monitoring body can provide such evidence.

¶27

With respect to internal monitoring bodies (section 2.2.7), the Board recommends the LV SA to add a requirement to prove that the internal monitoring body has a specific separated budget that the monitoring body is able to manage independently.

¶28

Finally, monitoring bodies must have sufficient financial and other resources together with the necessary procedures to ensure the functioning of the code of conduct over time to ensure long-term financing, e. g. when one or more funding sources are no longer available. That is why, with respect to section 2.2.7 of the draft requirements, the Board encourages the LV SA to add a clear indication that financial stability and resources need to be accompanied with the necessary procedures to ensure the functioning of the code of conduct over time.

¶29

With regard to section 2.3.1.a, the Board understands that the reference to “payroll system for its personnel” is an example and encourages the LV SA to clarify the wording, by adding the word “including” before the words “has payroll systems”.

¶30

With respect to section 2.3.1.a and the requirements that an internal body has to demonstrate, the Board notes that the requirements from paragraph 65 of Guidelines referring to the use of effective organizational and information barriers and separate reporting management structures for the association and monitoring body were not included. Therefore, the Board recommends the LV SA to add the missing requirements.

¶31

With respect to section 2.3.1.c, addressing the need for the monitoring body to prove, among others, that it has “adequate” human resources for the effective performance of its functions under Art. 41 8 Adopted (1) GDPR, the Board encourages the LV SA to consider making a reference to “adequate numbers of sufficiently qualified personnel”.

¶32

In addition, the Board notes that the monitoring bodies shall be composed of an adequate and proportionate number of personnel. These organisational aspects could be demonstrated not only through the procedure to appoint the monitoring body personnel, the remuneration of the said personnel, the duration of the personnel’s mandate, but also through contract or other formal agreement with the monitoring body. Therefore, the Board recommends that the LV SA provide the above-mentioned references regarding the independence of the monitoring body in performing its tasks and exercising its powers, in accordance with the Guidelines.

¶33

With regard to section 2.3.1.d, The Board encourages the LV SA to include either in the draft accreditation requirements or in the complementary guidance to the requirements, some examples of the evidence or documentation required in order to demonstrate the accountability of the monitoring body.

¶34

In section 2.3.4.d, the Board recommends that the LV SA adds a clear indication that the monitoring body shall ensure effective monitoring of the services provided by subcontractors. CONFLICT OF INTEREST

¶35

As a general remark in this section, the Board is of the opinion that, for practical reasons, more detailed examples of cases where a conflict of interest could arise might be helpful. An example of a conflict of interest situation would be the case where personnel conducting audits or making decisions on behalf of a monitoring body had previously worked for the code owner, or for any of the organisations adhering to the code. Therefore, the Board encourages the LV SA to elaborate on the examples included in the explanatory note.

¶36

With regard to section 3.1.c, the Board underlines that, according to paragraph 68 of the Guidelines, the monitoring body must remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from any person, organisation or association. The LV SA’s draft accreditation requirements do not include references to the terms “whether direct or indirect” or to the term “association” and, therefore, the Board recommends the LV SA to add such references.

¶37

As regards section 3.1.e, the Board highlights that, according to paragraph 68 of the Guidelines, the body should have its own staff which are chosen by them or some or some other body independent of the code and it should be subject to the exclusive direction of those bodies only. The LV SA’s draft accreditation requirements do not include reference to “other body independent of the code” and, therefore, the Board recommends the LV SA to align the text with the Guidelines by adding “and that other body independent of the code” after the wording “exclusive direction of the monitoring body”.

¶38

With reference to section 3.2, the Board underlines that, according to paragraph 68 of the Guidelines, the monitoring body shall put in place safeguards not only in regard to conflict of interest but also to any incompatible occupation. The LV SA’s draft accreditation requirements do not include reference to “and any incompatible occupation” and, therefore, the Board recommends the LV SA to add such reference after the wording “potential conflict of interest”. 9 Adopted EXPERTISE

¶39

With reference to section 4.1, paragraph 69 of the Guidelines states that the monitoring body has the requisite level of expertise. Therefore, the Board recommends the LV SA to align the text with the Guidelines and require to have a “requisite level” expertise instead of “appropriate” expertise.

¶40

In respect of section 4.2, the Board encourages the LV SA to add also the reference to the previous experience of acting in a monitoring capacity.

¶41

With regard to sections 4.2.a, 4.2.b and 4.2.c referring to “in-depth knowledge and experience”, the Board recommends the LV SA to follow the wording from paragraph 69 of the Guidelines by replacing “in-depth understanding and expert knowledge”. The Board also recommends to add “data protection issues” to the section 4.2.a as this requirement, specified in paragraph 69 of the Guidelines, is important part of the expert-knowledge as it ensures that personnel of the monitoring body is able to assess and reflect not only the data protection law but also specific legal and practical issues that might be relevant in regard to each specific case.

¶42

As regards section 4.2.c, the Board underlines that paragraph 69 of the Guidelines refers to auditing, monitoring or quality assurance activities and, therefore, the Board recommends the LV SA to follow the wording from the Guidelines, i.e. by replacing the word “control” with the ones specified in paragraph 69 of the Guidelines.

¶43

With reference to section 4.4, the Board acknowledges the requirement for the monitoring body to demonstrate that it has expertise in relation to the specific data processing activities addressed by the code. However, as expressed by the Board in previous opinions, other factors such as the size of the sector concerned, the different interests involved and the risks of these processing activities should be taken into account. The Board therefore recommends that this is clarified in the draft accreditation requirements.

¶44

Moreover, the Board notes that the LV SA’s expertise requirements do not differentiate between staff at the management level and, therefore, in charge of the decision-making process, and staff at the operating level, conducting the monitoring activities. In this regard, the Board encourages the LV SA to clarify in section 4.4 which requirements should be met by the staff performing the monitoring function and the personnel making the decisions.

¶45

Furthermore, as regards sections 4.6 and 4.7, the Board considers that the requirements for the personnel are very specific and may curtail the freedom of the code owner to define the specific expertise requirements in the code of conduct. The Board encourages the LV SA to make the requirements less restrictive by including a more general reference that takes into account the different types of codes, such as "a relevant level of experience in accordance with the code itself".

¶46

In addition, the Board observes that the LV SA makes a distinction between legal and technical personnel. The Board encourages the LV SA to clarify that the technical requirements of the personnel will depend on whether it is necessary for the code at stake. ESTABLISHED PROCEDURES AND STRUCTURES

¶47

The Board observes that the requirements based on paragraph 72 of the Guidelines, referring to the publication of audit reports as well as to the findings of periodic reporting from controllers and 10 Adopted processors within the scope of the code, and paragraph 73 of the Guidelines are missing and, therefore, the Board recommends the LV SA to add the missing requirements.

¶48

With reference to section 5.1, the Board highlights that paragraph 70 of the Guidelines refers to “appropriate governance structures” and procedures. The LV SA’s draft accreditation requirements do not include reference to “appropriate governance structures” and, therefore, the Board recommends the LV SA to add such reference.

¶49

With regard to section 5.2.a, the Board underlines that paragraph 71 of the Guidelines refers to “controllers and processors” when it comes to the provisions of the code to be met and, therefore, the Board recommends the LV SA to replace “code members” with “controller and processors”.

¶50

In respect of section 5.2.b, the Board observes that the LV SA’ draft accreditation requirements do not include reference to “random or unannounced audits, annual inspections, regular reporting and the use of questionnaires” as per paragraph 72 of the Guidelines and, therefore, the Board recommends the LV SA to add such a reference. The Board, taking into consideration paragraph 72 of the Guidelines, also recommends to include “specific incidents and the number of members of the code” to the factors that should be considered in regard to procedures specified in section 5.2.b, and those factors is recommended to be drafted in a non-exhaustive list. TRANSPARENT COMPLAINT HANDLING

¶51

Regarding section 6, the Board highlights that section 12.5 of the Guidelines refers to “Transparent complaints handling”. Therefore, the Board recommends the LV SA to align the title of this section in line with the Guidelines.

¶52

With reference to section 6.1 of the LV SA’s draft accreditation requirements, the Board considers that, according to paragraph 74 of the Guidelines, the monitoring body will need to establish effective procedures and structures which can deal with complaints handling in an impartial and transparent manner. Therefore, the Boards recommends the LV SA that the requirement is redrafted accordingly.

¶53

With regard to section 6.1.b, paragraph 76 of the Guidelines refers to “immediate” suitable measures and, therefore, the Board recommends the LV SA to adapt the wording accordingly.

¶54

In addition, regarding the remedial actions and sanctions, the Board recommends the LV SA to amend the text in order to make references to “a formal notice requiring the implementation of specific actions within a specified deadline” and “temporary suspension”.

¶55

Finally, as regards section 6.1.b, the Board understands that the corrective measures refer to the situation when the controller or processor from the code “acts outside the terms of the code”. However, for clarity reasons, the Board encourages the LV SA to make it clearer. COMMUNICATION WITH THE LV SA

¶56

The Board notes that under section 7 of the requirements there is no reference to the fact that the updating of the code of conduct is the responsibility of the code owner. The Board is of the opinion that, in order to avoid confusion, a reference to the code owner should be made. Therefore, the Board encourages the LV SA to add that the monitoring body shall apply and implement updates, amendments, and/or extensions to the Code, as decided by the code owner. 11 Adopted

¶57

With respect to section 7.2, the Board notes that the LV SA’s draft accreditation requirements do not refer to the “effective communication” of any actions carried out by a monitoring body to the LV SA and, therefore, the Board recommends the LV SA to include such a reference.

¶58

As regards section 7.2.f, the Board encourages the LV SA to specify in its draft accreditation requirements that substantial changes include but are not limited to any changes that impacts the ability of the monitoring body to perform its tasks in an independent, impartial and efficient manner.

¶59

In addition, the Board encourages the LV SA to specify in section 7.2.g that the annual report prepared by the monitoring body should include reviews and/or changes made to the code. REVIEW MECHANISMS

¶60

The Board observes that the requirement from paragraph 80 of the Guidelines, which states that the monitoring body shall set out appropriate review mechanisms to ensure that the code remains relevant and continues to contribute to the proper application of the GDPR, was not included. Therefore, the Board recommends the LV SA to add the missing requirement. LEGAL STATUS

¶61

The Board notes that the requirement from paragraph 81 of the Guidelines, which states that the monitoring body has the appropriate standing to carry out its role under Art. 41(4) and is capable of being fined as per Art. 83 (4) GDPR, was not included. Therefore, the Board recommends the LV SA to add the missing requirement. CONCLUSIONS / RECOMMENDATIONS

¶62

The draft accreditation requirements of the LV Supervisory Authority may lead to an inconsistent application of the accreditation of monitoring bodies and the following changes need to be made:

¶63

Regarding general remarks the Board recommends that the LV SA: 1. includes a reference that the monitoring of approved codes of conduct will not apply to processing carried out by public authorities or bodies; 2. adds a reference to the Guidelines 04/2021, which are relevant in the context of monitoring codes of conduct intended for international transfers.

¶64

Regarding independence the Board recommends that the LV SA: 1. adds the following wording “appropriately independent in relation to its impartiality of function” in section 2.1.b; 2. adds the word “full” in section 2.1.1.c when it refers to autonomy; 3. redrafts section 2.1.2.g to include references to “conflict of interest” and “impartiality”; 4. adds in section 2.2.7 a requirement to prove that the internal monitoring body has a specific separated budget that monitoring body is able to manage independently; 5. adds in section 2.3.1.a a requirement referring to the use of effective organizational and information barriers and separate reporting management structures for the association and monitoring body; 12 Adopted 6. includes in section 2.3.1 the references mentioned in paragraph 31 of this Opinion concerning the independence of the monitoring body in performing its tasks and exercising its powers; 7. makes explicit that the monitoring body shall ensure effective monitoring of the services provided by subcontractors.

¶65

Regarding conflict of interest the Board recommends that the LV SA: 1. includes in section 3.1.c references to “whether direct or indirect” and “association”, in line with the Guidelines; 2. aligns the text of the section 3.1.e with the Guidelines by adding “and that other independent body of the code” after the wording “exclusive direction of the monitoring body”; 3. aligns the text of section 3.2 with the Guidelines by adding “and any incompatible occupation” after the wording “potential conflict of interest”.

¶66

Regarding expertise the Board recommends that the LV SA: 1. aligns the text of section 4.1 with the Guidelines by using “requisite level” expertise instead of “appropriate” expertise; 2. replaces “in-depth knowledge and experience” with “in-depth understanding and expert knowledge” in sections 4.2.a, 4.2.b and 4.2.c and adds the wording “data protection issues” in section 4.2.a; 3. follows the wording of paragraph 69 from the Guidelines, by replacing the word “control” with “auditing, monitoring or quality assurance activities”; 4. clarifies that other factors such as the size of the sector concerned, the different interests involved and the risks of these processing activities should be taken into account in order to assess the level of expertise required by the monitoring body.

¶67

Regarding established procedures and structures the Board recommends that the LV SA: 1. includes in section 5.2 a requirement referring to the publication of audit reports as well as to the findings of periodic reporting from controllers and processors within the scope of the code; 2. includes requirements based on paragraph 73 of the Guidelines; 3. aligns the text in section 5.1 with the Guidelines by adding “appropriate governance structures” after the wording “has introduced”; 4. aligns the text of section 5.2.a with the Guidelines by replacing “code members” with “controller and processors”; 5. adds in section 5.2.b some examples in the requirements, such as random or unannounced audits, annual inspections, regular reporting and the use of questionnaires. In addition, it should be included the “specific incidents and the number of members of the code” to the factors that should be considered in regard to the procedures specified in section 5.2.b and those factors to be drafted in non-exhaustive list.

¶68

Regarding transparent complaint handling the Board recommends that the LV SA: 1. aligns the title of section 6 with the Guidelines, which refers to “Transparent” complaints handling; 13 Adopted 2. redrafts the requirement in section 6.1 in line with paragraph 74 of the Guidelines, by adding that the monitoring body shall establish effective procedures and structures which can deal with complaints handling in an impartial and transparent manner; 3. aligns the text of section 6.1.b with paragraph 76 of the Guidelines, by adding the word “immediate” before suitable measures. In addition, regarding the remedial actions and sanctions, it should be included a reference to “a formal notice requiring the implementation of specific actions within a specified deadline” and “temporary” suspension.

¶69

Regarding communication with the competent supervisory authority the Board recommends that the LV SA: 1. redrafts section 7.2 to include the reference to the “effective communication” of any actions carried out by a monitoring body to the LV SA; 2. redrafts section 7.2 to include reference to the “effective communication” to “other supervisory authorities”, as far as transnational codes are concerned.

¶70

Regarding review mechanisms the Board recommends that the LV SA: 1. adds in section 8.1 a requirement stating that the monitoring body shall set out appropriate review mechanisms to ensure that the code remains relevant and continues to contribute to the proper application of the GDPR.

¶71

Regarding legal status the Board recommends that the LV SA: 1. modify section 9.1 in order to include that the monitoring body has the appropriate standing to carry out its role under Article 41(4) and is capable of being fines as per Art. 83(4) GDPR. FINAL REMARKS

¶72

This opinion is addressed to the Latvian supervisory authority and will made public pursuant to Art. 64 (5) (b) GDPR.

¶73

According to Art. 64 (7) and (8) GDPR, the LV SA shall communicate to the Chair by electronic means within two weeks after receiving the opinion, whether it will amend or maintain its draft decision. Within the same period, it shall provide the amended draft decision or where it does not intend to follow the opinion of the Board, it shall provide the relevant grounds for which it does not intend to follow this opinion, in whole or in part. 74. The LV SA shall communicate the final decision to the Board for inclusion in the register of decisions, which have been subject to the consistency mechanism, in accordance with Art. 70 (1) (y) GDPR. For the European Data Protection Board The Chair (Andrea Jelinek)

Similar Content