Skip to content
Guidance · EDPB ·12023-on-the-draft-decision-of-the-competent EN LLM context A cited markdown file you can paste into your AI assistant (ChatGPT, Claude, a RAG or project knowledge base) to ground it in this document. Contains: this document’s text, its sections with their topics, and the full text of every law provision it applies. Everything links back to its source on overview.legal — legal information, not advice.

Opinion 1/2023 on the draft decision of the competent supervisory authority of Croatia regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to Article 41 GDPR

Summary

Adopted 1 Opinion 1/2023 on the draft decision of the competent supervisory authority of Croatia regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to Article 41 GDPR Adopted on 3 February 2023 Adopted 2 Table of c ontents 1 Summary of the Facts................................................................................................................... 4 2 Assessment…

How it connects

Full text 76 sections

Paragraphs carrying a topic or an applied provision show those connections inline Original at the source →
¶1

Opinion 1/2023 on the draft decision of the competent supervisory authority of Croatia regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to Article 41 GDPR Adopted on 3 February 2023 Adopted

¶2

Table of c ontents 1 Summary of the Facts................................................................................................................... 4 2 Assessment .................................................................................................................................. 4

¶2.1

General reasoning of the EDPB regarding the submitted draft decision ............................... 4

¶2.2

Analysis of the HR SA’s accreditation requirements for Code of Conduct’s monitoring bodies 5

¶2.2.1

GENERAL REMARKS ....................................................................................................... 5

¶2.2.2

APPLICATION REQUIREMENTS ...................................................................................... 6

¶2.2.3

INPEPENDENCE ............................................................................................................. 7

¶2.2.4

CONFLICT OF INTEREST ................................................................................................. 9

¶2.2.5

EXPERTISE...................................................................................................................... 9

¶2.2.6

ESTABLISHED PROCEDURES AND STRUCTURES ............................................................. 9

¶2.2.7

TRANSPARENT COMPLAINT HANDLING ...................................................................... 10

¶2.2.8

COMMUNICATION WITH THE HR SA ........................................................................... 10

¶2.2.9

CODE REVIEW MECHANISM ........................................................................................ 11

¶2.2.10

LEGAL STATUS ............................................................................................................. 11

¶3

Conclusions / Recommendations ............................................................................................... 11

¶4

Final Remarks ............................................................................................................................. 13 Adopted 3 The European Data Protection Board Having regard to Article 63, Article 64 (1)(c), (3)-(8) and Article 41 (3) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”), Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018 1 , Having regard to Article 10 and Article 22 of its Rules of Procedure of 25 May 2018, Whereas: (1) The main role of the European Data Protection Board (hereinafter “the Board”) is to ensure the consistent application of the GDPR when a supervisory authority (hereinafter “SA”) intends to approve the requirements for accreditation of a code of conduct (hereinafter “code”) monitoring body pursuant to Article 41 GDPR. The aim of this opinion is therefore to contribute to a harmonised approach with regard to the suggested requirements that a data protection supervisory authority shall draft and that apply during the accreditation of a code monitoring body by the competent supervisory authority. Even though the GDPR does not directly impose a single set of requirements for accreditation, it does promote consistency. The Board seeks to achieve this objective in its opinion by: firstly, requesting the competent SAs to draft their requirements for accreditation of monitoring bodies based on Article 41 (2) GDPR and on the Board’s “Guidelines 1/2019 on Codes of Conduct and Monitoring bodies under Regulation 2016/679” (hereinafter the “Guidelines”), using the eight requirements as outlined in the guidelines’ accreditation section (section 12); secondly, providing the competent SAs with written guidance explaining the accreditation requirements; and, finally, requesting the competent SAs to adopt the requirements in line with this opinion, so as to achieve an harmonised approach. (2) With reference to Article 41 GDPR, the competent supervisory authorities shall adopt requirements for accreditation of monitoring bodies of approved codes. They shall, however, apply the consistency mechanism in order to allow the setting of suitable requirements ensuring that monitoring bodies carry out the monitoring of compliance with codes in a competent, consistent and independent manner, thereby facilitating the proper implementation of codes across the Union and, as a result, contributing to the proper application of the GDPR. (3) In order for a code covering non-public authorities and bodies to be approved, a monitoring body (or bodies) must be identified as part of the code and accredited by the competent SA as being capable of effectively monitoring the code. The GDPR does not define the term “accreditation”. However, Article 41 (2) of the GDPR outlines general requirements for the accreditation of the monitoring body. There are a number of requirements, which should be met in order to satisfy the competent supervisory authority to accredit a monitoring body. Code owners are required to explain and demonstrate how their proposed monitoring body meets the requirements set out in Article 41 (2) GDPR to obtain accreditation. 1 References to the “Union” made throughout this opinion should be understood as references to “EEA”. Adopted 4 (4) While the requirements for accreditation of monitoring bodies are subject to the consistency mechanism, the development of the accreditation requirements foreseen in the Guidelines should take into consideration the code’s sector or specificities. Competent supervisory authorities have discretion with regard to the scope and specificities of each code and should take into account their relevant legislation. The aim of the Board’s opinion is therefore to avoid significant inconsistencies that may affect the performance of monitoring bodies and consequently the reputation of GDPR codes of conduct and their monitoring bodies. (5) In this respect, the Guidelines adopted by the Board will serve as a guiding thread in the context of the consistency mechanism. Notably, in the Guidelines, the Board has clarified that even though the accreditation of a monitoring body applies only for a specific code, a monitoring body may be accredited for more than one code, provided it satisfies the requirements for accreditation for each code. (6) The opinion of the Board shall be adopted pursuant to Article 64 (3) GDPR in conjunction with Article 10 (2) of the EDPB Rules of Procedure within eight weeks from the first working day after the Chair and the competent supervisory authority have decided that the file is complete. Upon decision of the Chair, this period may be extended by a further six weeks taking into account the complexity of the subject matter. HAS ADOPTED THE FLLOPINION: 1 SUMMARY OF THE FACTS 1 The Croatian Supervisory Authority (hereinafter “HR SA”) has submitted its draft decision containing the accreditation requirements for a code of conduct monitoring body to the Board requesting its opinion pursuant to Art. 64 (1)(c) GDPR, for a consistent approach at Union level. The decision on the completeness of the file was taken on 27 October 2022. 2 In compliance with article 10 (2) of the Board Rules of Procedure, due to the complexity of the matter at hand, the Chair decided to extend the initial adoption period of eight weeks by a further six weeks. 2 ASSESSMENT 2.1 General reasoning of the EDPB regarding the submitted draft decision 3 All accreditation requirements submitted to the Board for an opinion must fully address Art. 41 (2) GDPR criteria and should be in line with the eight areas outlined by the Board in the accreditation section of the Guidelines (section 12, pages 21-25). The Board’s opinion aims at ensuring consistency and a correct application of Art. 41 (2) GDPR as regards the presented draft. 4 This means that, when drafting the requirements for the accreditation of a body for monitoring codes according to Art. 41 (3) and 57 (1) (p) GDPR, all the SAs should cover these basic core requirements foreseen in the Guidelines, and the Board may recommend that the SAs amend their drafts accordingly to ensure consistency. Adopted 5

¶5

All codes covering non-public authorities and bodies are required to have accredited monitoring bodies. Art. 40 (1) GDPR expressly request SAs, the Board and the Commission to “encourage the drawing up of codes of conduct intended to contribute to the proper application of the GDPR, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium sized enterprises”. Therefore, the Board recognises that the requirements need to work for different types of codes, applying to sectors of diverse size, addressing various interests at stake and covering processing activities with different levels of risk.

¶6

In some areas, the Board will support the development of harmonised requirements by encouraging the SA to consider the examples provided for clarification purposes.

¶7

When this opinion remains silent on a specific requirement, it means that the Board is not asking the HR SA to take further action.

¶8

This opinion does not reflect upon items submitted by the HR SA, which are outside the scope of Art. 41 (2) GDPR, such as references to national legislation. The Board nevertheless notes that national legislation should be in line with the GDPR, where required. 2.2 Analysis of the HR SA’s accreditation requirements for Code of Conduct’s monitoring bodies

¶9

Taking into account that: a. Art. 41 (2) GDPR provides a list of accreditation areas that a monitoring body need to address in order to be accredited; b. Art. 41 (4) GDPR requires that all codes (excluding those covering public authorities as per Art. 41 (6)) have an accredited monitoring body; and c. Art. 57 (1) (p) & (q) GDPR provides that a competent supervisory authority must draft and publish the accreditation requirements for monitoring bodies and conduct the accreditation of a body for monitoring codes of conduct. the Board is of the opinion that: 2.2.1 GENERAL REMARKS

¶10

The Board notes that on 22 February 2022, the “Guidelines 04/2021 on Codes of Conduct as tools for transfers” were adopted. These guidelines do not add any additional requirements for the accreditation of monitoring bodies that monitor codes of conduct intended for international transfers. Rather, the guidelines provide further specifications of the general requirements established by Guidelines 1/2019 (Section 12) taking into account the specific context of international transfers. 2 For the sake of clarity, the Board recommends the HR SA to add a reference to the above-mentioned guidelines, which are relevant in the context of monitoring codes of conduct intended for international transfers, for example by amending the last paragraph of the “Introduction” part as follows: “The requirements listed in this document are based on the requirements of Article 41 paragraph (2) of the GDPR and the requirements set out in section 12 of the EDPB Guidelines and taking into account Guidelines 04/2021 on Codes of Conduct as tools for transfers.” 2 See Section 4.2 of the EDPB Guidelines 04/2021 on Codes of Conduct as tools for transfer. Adopted 6

¶11

As a general remark, the Board recommends that the HR SA amends the definition section in the introductory part of the document to align the definitions contained in the document with those of section 2 of the Guidelines. The Board is of the opinion that the HR SA may use definitions which content is not that of the Guidelines only for terms which are not directly defined in the Guidelines.

¶12

The Board also believes that the HR SA shall use the same wording as the GDPR where relevant and appropriate.

¶13

In general terms, the Board also encourages that HR SA to use prescriptive language all across the document. For example, at section 1, as far as translations are concerned, the HR SA shall say that it “will” request a translation instead of “may” request a translation.

¶14

By way of a general encouragement, the HR SA should correct any typos or formatting errors in the text of the document.

¶15

The Board has also observed that at section 2.1 of the document titled “General Requirements”, it is stated that “If the Monitoring body is a natural person, it must, in particular, prove that it has the necessary human and financial resources […] ” and “[…] in the event of an unforeseen event leading to a sudden, temporary or permanent loss of the Monitoring body role, that the monitoring activities may be continued uninterrupted.” The Board encourages the HR SA to specify and further develop those requirements in order for such a monitoring body to be accredited. These requirements could include being able to demonstrate the availability of adequate resources for the specific duties and responsibilities, as well as the full operation of the monitoring mechanism over time. Another example could include the resignation by the person concerned, or his or her temporary inability. 2.2.2 APPLICATION REQUIREMENTS

¶16

With reference to the second minimum information requirement of the application, being that “The Monitoring body’s residence or registered office, which in either case shall be placed in the European Economic Area (EEA)”, the Board recommends that the HR SA specifies, for example by means of a footnote, that monitoring bodies acting in the framework of codes for transfers could be located either inside or also outside of the EEA provided that the concerned monitoring body has an establishment in the EEA.

¶17

Along the same lines, the Board recommends that HR SA amends the first paragraph of section 2.1 (“General requirements”), which stipulates the following: “The Monitoring body must be a legal entity with a registered office or, if a natural person, have their headquarters or domicile, to exercise the professional activity as a Monitoring body in the European Economic Area (EEA)”. As per the above, monitoring bodies acting in the framework of codes for transfers could be located either inside or also outside of the EEA, provided that the concerned monitoring body has an establishment in the EEA.

¶18

The Board encourages the HR SA to remove the following sentence in the last paragraph of section 2.1, given that it is redundant with the sentence immediately after: “The Monitoring body must document the principles of its monitoring activities in writing”.

¶19

For the sake of certainty, the Board also encourages the HR SA to specify that the obligation to provide evidence of the requirements falls upon the monitoring body, and that such evidence must be provided at the application stage. Adopted 7 2.2.3 INPEPENDENCE

¶20

The Board is of the opinion that the independence for a monitoring body should be understood as a series of formal rules and procedures for the appointment, terms of reference and operation of the monitoring body. These rules and procedures will allow the monitoring body to perform the monitoring of compliance with a code of conduct in complete autonomy, without being directly or indirectly influenced, or subjected to any form of pressure that might affect its decisions. This means that a monitoring body should not be in a position to receive any instructions regarding the exercise of its task from code members, the profession, industry or sector to which the code applies, or from the code owner itself.

¶21

In this regard, the Board notes that paragraph 63 of the Guidelines stipulates that the monitoring body shall be appropriately independent in relation to its impartiality of functions from the code members, the code owner and from the profession, industry or sector to which the code applies. The Board appreciates that the HR SA transposed this requirement into the document. However, the Board recommends that, in order for the text to be consistent with the Guidelines, the HR SA adds the above cited reference to the impartiality of functions.

¶22

Having read the second paragraph of section 2.2 of the HR SA’s accreditation requirements, the Board is of the opinion that such part of the document does not include all the elements which the monitoring body may use as evidence to demonstrate its independence as listed in paragraph 63 of the Guidelines. The Board therefore encourages the HR SA to refer to the monitoring body’s funding, the appointment of members/staff, decision making process and more generally to the organisational structure in this respect.

¶23

In the fourth paragraph of the “Independence” section, the HR SA mentions specifically internal monitoring bodies in relation to their independence. The Board encourages the HR SA to include more details in this respect by adding a reference to the illustrative elements related to the independence of internal monitoring bodies, listed in paragraph 65 of the Guidelines.

¶24

Having examined section 2.2.1 of the document, titled “Legal and decision-making procedures”, the Board acknowledges that the HR SA stipulates that “the duration or expiration of the mandate of the monitoring body must be regulated in such a way to prevent overdependence on a renewal or fear of losing the appointment, to an extent that adversely effects the independence in carrying out the monitoring activities by the Monitoring body.” The Board is of the opinion that such a requirement should be expanded by establishing the maximum duration of the term of the monitoring body. In this respect, the Board encourages the HR SA that the maximum duration of the term of the monitoring body should be indicated.

¶25

The Board is of the opinion that in the last paragraph of section 2.2.1 (the one before the list), the word “pressure” should be replaced with “influence” to be more in line with the spirit of the Guidelines. Hence, the Board encourages the HR SA to amend requirements accordingly.

¶26

In sub-section 2.2.2, dedicated to the financial resources of the monitoring body, the Board recommends that the HR SA includes a reference to the specific instance where the monitoring body would not be considered to be financially independent if the rules governing its financial support allow a code member, who is under investigation by the monitoring body, to stop its financial contributions to it, in order to avoid a potential sanction from the monitoring body.

¶27

In respect of financial resources, the Board recommends that the HR SA also adds a specific requirement whereby, in particular in the case of an internal monitoring body, the monitoring body Adopted 8 must prove full autonomy for the management of the budget or other resources. The Board further encourages that the HR SA adds a requirement to prove that the internal monitoring body has a specific separate budget allocated to it by the code owner and which it is able to manage independently.

¶28

The Board also encourages that, in the same sub-section, the HR SA specifies that the monitoring body must have sufficient financial and other resources together with the necessary procedures to ensure the functioning of the code of conduct over time to ensure long-term financing, i.e. in case one or more funding sources are no longer available.

¶29

In the matter of organisational resources and structure (sub-section 2.2.3), the HR SA appropriately stated in the document that the monitoring body “must be composed of an adequate and proportionate number of personnel […]”. However, the Board considers that a higher degree of specificity is required in this context and therefore encourages the HR SA to replace the adjective “adequate” with “sufficient numbers of properly qualified personnel”.

¶30

In addition to the above, in relation to the same requirement related to organisational resources and structure, the Board encourages the HR SA to specify how these aspects could be demonstrated by the monitoring body, for example through the procedure to appoint the monitoring body personnel, the remuneration of the said personnel as well as the duration of the personnel’s mandate and the contract or other formal agreement with the monitoring body.

¶31

Insofar as internal monitoring bodies are concerned, the HR SA correctly stated in the document that in case such a body is set up within a code owner, the monitoring body must remain structurally separated from the other areas of the code owner’s structure up to and including the level below the senior management. The Board believes that this requirement should be expanded further in line with the Guidelines, and particularly with paragraph 65 thereof. In this respect, the Board encourages the HR SA to specify that the requirements of separate staff and management, accountability and function from other areas of the organisation of an internal monitoring body may be achieved in a number of ways, for example, by putting in place effective organisational and information barriers and separate reporting management structures for the code owner.

¶32

The Board takes note that the HR SA in the document identified two main ways by means of which the monitoring body can demonstrate its organisational independence. These include, on the one hand, the identification of risks to its organisational independence and how it will remove or minimize such risks and use an appropriate mechanism for safeguarding impartiality, and on the other hand for internal monitoring bodies, setting-up of the organization and information concerning its relationship to its larger entity (i.e., the code owner). In the Board’s view, there are other manners upon which the monitoring body can rely in order to demonstrate its independence, such as for example: • the procedure to appoint its personnel; • the remuneration of its personnel; • the duration of its mandate; and, or • contracts or other forms of agreement with the monitoring body. Thus, the Board encourages the HR SA to include in the document the additional requirements set out above. Adopted 9 2.2.4 CONFLICT OF INTEREST

¶33

In the section of the document dedicated to “Conflict of interest”, the HR SA appropriately wrote that “in accordance with Article 41 paragraph 2 point (d) of the GDPR, it must be demonstrated that the exercise of the Monitoring body’s tasks and duties do not result in a conflict of interest.” The Board believes that it is the responsibility of the monitoring body to demonstrate this; hence, it encourages the HR SA to re-draft this sentence and amend it accordingly.

¶34

Furthermore, as far as conflict of interest is concerned, the Board notes paragraph 68 of the Guidelines prescribes that “the monitoring body must remain free from external influence, whether direct or indirect, and shall neither seeks not take instructions from any person, organisation or association”. Whilst the Board appreciates that the HR SA stated in the document that the monitoring body must be free of external influence, whether direct or indirect, the Board recommends that the HR SA specifies that the monitoring Body shall neither seeks not take instructions from any person, organisation or association, to fully align the document with the wording of the Guidelines. 2.2.5 EXPERTISE

¶35

As a general remark, having read sub-section 2.4 of the document on “Expertise”, the Board is of the opinion that this part should contain more details and reflect all the requirements of paragraph 69 of the Guidelines.

¶36

In particular, the code owners should be able to demonstrate that the monitoring body has the requisite level of expertise to carry out its role in an effective manner. As such, the application will need to include details as to the knowledge and experience of the body in respect of data protection law as well as of the particular sector or processing activity covered by the scope the code. For example, being able to point to previous experience of acting in a monitoring capacity for a particular sector may assist in meeting this requirement. Furthermore, an in-depth understanding of data protection issues and expert knowledge of the specific processing activities which are the subject matter of the code would be welcomed. The staff of the proposed monitoring body should also have appropriate operational experience and training for carrying out the monitoring of compliance such as in the field of auditing, monitoring, or quality assurance activities. Therefore, the Board recommends that the HR SA amends this sub-section to align it with the wording of paragraph 69 of the Guidelines.

¶37

The Board notes that the document does not make reference to the legal expertise of the monitoring body, which is also relevant to carry out its monitoring function in an appropriate manner. The Board thus encourages the HR SA to include a requirement specifically on legal expertise. On the other hand, as of technical expertise, the Board encourages that the HR SA specifies that this is also a requirement, depending on the subject-matter of the code to be monitored. 2.2.6 ESTABLISHED PROCEDURES AND STRUCTURES

¶38

The HR SA included requirements about “Established procedures and structures” in section 2.5 of the document. In the opening of this section, the HR SA refers to “feasible monitoring mechanism”. In view of respecting as much as possible the content of section 12.4 of the Guidelines, the Board encourages that the HR SA replaces this with “appropriate governance and procedures”. Further to this, the Board encourages that the HR SA adds a list of the actions, as presented in paragraph 70 of the Guidelines, which allow the monitoring body to adequately: Adopted 10 • assess for eligibility of controllers and processors to apply the code; • monitor compliance with its provisions; and • carry out reviews of the code’s operation.

¶39

Further to the above, as of the procedures to actively and effectively monitor code members’ compliance with a code’s provisions, the Board encourages that the HR SA includes some examples, such as random or unaccounted audits, annual inspections, regular reporting or the use of questionnaires.

¶40

The Board encourages the HR SA to clarify that the word “expulsion” as used in this paragraph is to be interpreted as “exclusion”, which is term used in the GDPR. Furthermore, for the sake of clarity, the Board recommends that in the sentence “The Monitoring body must establish the basis and scope of its activities prior to the start of monitoring tasks to ensure transparency for the Code members and to allow for verification by the Croatian DPA”, the word “basis” is deleted.

¶41

In order to align the document with paragraph 72 of the Guidelines, the Board recommends that the HR SA adds that monitoring procedures can be designed in different ways as long as they take into account factors such as the risks raised by the data processing in scope of the code, complaints received or specific incidents and the number of members of the code etc., and that consideration could be given to the publication of audit reports as well as to the findings of periodic reporting from controllers and processors within the scope of the code.

¶42

Concerning the requirement in document that “The Monitoring body must establish ad hoc procedures (triggered for example on the basis of an inquiry or complaint from a data subject) to actively and effectively monitor the Code members’ compliance with the Code’s provisions”, the Board recommends that the word “ad hoc” is deleted, given that procedures should be permanent. 2.2.7 TRANSPARENT COMPLAINT HANDLING

¶43

As for transparent complaint-handling, the Board recommends that the HR SA includes the contents of paragraphs 75 to 77 of the Guidelines in the document. In doing so, the HR SA should adapt the requirements to the wording of the Guidelines. For example, the HR SA should specify that the monitoring body must demonstrate that it has documented procedures and structures to enable it to receive, assess and handle complaints in an impartial and transparent manner.

¶44

The Board additionally recommends that the HR SA adds a requirement to the document to the effect that the monitoring body needs to have a publicly available complaints-handling process which is sufficiently resourced to manage complaints and to ensure that decisions of the body are made publicly available, as per the relevant part of the Guidelines.

¶45

Finally, the Board recommends that the HR SA further expands the second paragraph of this section of the document, which reads that “For example, evidence of complaints handling procedure could be a described process to receive, evaluate, track, record and resolve complaints”. In the Board’s opinion, the HR SA should include the examples given by the Board in the Guidelines in the box between paragraphs 74 and 75 for added clarity. 2.2.8 COMMUNICATION WITH THE HR SA

¶46

As for the matter of communication with the HR SA, the Board recommends that the contents of the corresponding section of the Guidelines are incorporated in the document. In this regard, the Board Adopted 11 recommends that the first paragraph of section 2.7 of the document is redrafted in alignment with paragraph 78 of the Guidelines by specifying that the actions concerned could include decisions concerning the actions taken in cases of infringement of the code by a code member, providing periodic reports on the code, or providing review or audit findings of the code.

¶47

The Board additionally recommends that the HR SA makes reference to the effective communication with other competent supervisory authorities and not only with the HR SA, as the case may be and as the need may arise. 2.2.9 CODE REVIEW MECHANISM

¶48

As a general remark, the Board recommends that section 2.8 is aligned with the corresponding section 12.7 of the Guidelines. Particularly, the Board recommends that the HR SA adds that review mechanisms should also be put in place to adapt to any changes in the application and interpretation of the law or where there are new technological developments which may have an impact upon the data processing carried out by its members or the provisions of the code, as per paragraph 80 of the Guidelines. 2.2.10 LEGAL STATUS

¶49

With regard to the legal status of the monitoring body, the Board recommends that the HR SA changes the wording to say that instead of “capable of being legally responsible for its monitoring activities”, the monitoring body must be “capable of being fined” to align the wording with paragraph 81 of the Guidelines.

¶50

Concerning the sentence “The Monitoring body must demonstrate that it is able to deliver the Code of conduct’s monitoring mechanism over a suitable period of time”, the Board encourages the HR SA to replace the word “deliver” with “apply”, which the Board considers more appropriate.

¶51

The Board encourages the HR SA to specify in the document that the monitoring body can be subject to sanctions by the competent supervisory authority for failing to comply with its obligations, or for failing to act appropriately when the rules of the code of conduct are breached. 3 CONCLUSIONS / RECOMMENDATIONS

¶52

The draft accreditation requirements of the HR SA may lead to an inconsistent application of the accreditation of monitoring bodies and the following changes need to be made.

¶53

Regarding general remarks, the Board recommends that the HR SA: 1. adds a reference to the Guidelines 04/2021 on Codes of Conduct as tools for transfers; and 2. amends the definition section in line with the definitions of the Guidelines.

¶54

Regarding application requirements, the Board recommends that the HR SA: 1. specifies, that monitoring bodies acting in the framework of codes for transfers could be located either inside or also outside of the EEA provided that the concerned monitoring body has an establishment in the EEA 2. amends the first paragraph of section 2.1 in line with the above. Adopted 12

¶55

Regarding independence, the Board recommends that the HR SA: 1. makes reference to the impartiality of functions as described in paragraph 63 of the Guidelines; 2. includes a reference to the specific instance whereby the monitoring body would not be considered to be financially independent if the rules governing its financial support allow a code member, who is under investigation by the monitoring body, to stop its financial contributions to it, in order to avoid a potential sanction from the monitoring body; and 3. adds a specific requirement that, in particular in the case of an internal monitoring body, the monitoring body must prove full autonomy for the management of the budget or other resources.

¶56

Regarding conflict of interest, the Board recommends that the HR SA specifies that the monitoring body shall neither seek nor take instructions from any person, organisation or association.

¶57

Regarding expertise, the Board recommends that the HR SA aligns sub-section 2.4 of the draft with the wording of paragraph 69 of the Guidelines.

¶58

Regarding established procedures and structures, the Board recommends that the HR SA: 1. in the sentence “The Monitoring body must establish the basis and scope of its activities prior to the start of monitoring tasks to ensure transparency for the Code members and to allow for verification by the Croatian DPA”, deletes the word “basis”; 2. adds that monitoring procedures can be designed in different ways as long as they take into account factors such as the risks raised by the data processing in scope of the code, complaints received or specific incidents and the number of members of the code, etc., and that consideration could be given to the publication of audit reports as well as to the findings of periodic reporting from controllers and processors within the scope of the code; and 3. deletes the word “ad hoc” with reference to procedures, given that procedures must be permanent.

¶59

Regarding transparent complaint-handling, the Board recommends that the HR SA: 1. includes the contents of paragraphs 75 to 77 of the Guidelines in the document; 2. adds a requirement to the document to the effect that the monitoring body needs to have a publicly available complaints-handling process which is sufficiently resourced to manage complaints and to ensure that decisions of the body are made publicly available, as per the relevant part of the Guidelines; and 3. for added clarity, further expands the second paragraph of this section of the document with the examples given by the Board in the Guidelines in the box between paragraphs 74 and 75.

¶60

Regarding communication with the HR SA, the Board recommends that the HR SA: 1. incorporates into the document the text of the corresponding section of the Guidelines; and 2. refers to the effective communication with other competent supervisory authorities and not only with the HR SA, as the case may be and as the need may arise. Adopted 13

¶61

Regarding code review mechanisms, the Board recommends that the HR SA aligns section 2.8 with the correspondent section of the Guidelines. Particularly, the Board recommends that the HR SA adds that review mechanisms should also be put in place to adapt to any changes in the application and interpretation of the law or where there are new technological developments which may have an impact upon the data processing carried out by its members or the provisions of a code, as per paragraph 80 of the Guidelines.

¶62

Regarding legal status, the Board recommends that the HR SA changes the sentence reading “capable of being legally responsible for its monitoring activities”, to instead be worded to the effect that the monitoring body must be “capable of being fined”, in order to align the wording with paragraph 81 of the Guidelines. 4 FINAL REMARKS

¶63

This opinion is addressed to the HR SA and will be made public pursuant to Art. 64 (5) (b) GDPR.

¶64

According to Art. 64 (7) and (8) GDPR, the HR SA shall communicate to the Chair by electronic means within two weeks after receiving the opinion, whether it will amend or maintain its draft decision. Within the same period, it shall provide the amended draft decision or where it does not intend to follow the opinion of the Board, it shall provide the relevant grounds for which it does not intend to follow this opinion, in whole or in part. The HR SA shall communicate the final decision to the Board for inclusion in the register of decisions, which have been subject to the consistency mechanism, in accordance with Art. 70 (1) (y) GDPR. For the European Data Protection Board The Chair (Andrea Jelinek)

Similar Content