# Opinion 37/2021 on the draft decision of the competent supervisory authority of Malta regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR

- Type: Guidance
- Source: EDPB
- Identifier: opinion-372021-on-the-draft-decision-of-the-competent-en
- Date: 2021-11-30
- Original: https://www.edpb.europa.eu/documents/opinion-of-the-board-art-64/opinion-372021-on-the-draft-decision-of-the-competent_en
- Canonical: https://overview.legal/posts/125977
- Topics: Compliance Independence, Scientific Panel Independence, Codes of Practice Compliance and Monitoring, Corrective Actions and Duty of Information Framework, Codes of Conduct, Risk Management System, Identification, Monitoring, Notified Body Independence, Supervisory Authorities

## Summary

Adopted Opinion 37 / 202 1 on the draft decision of the competent supervisory authority of Malta regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR Adopted on 30 November 2021 Adopted Adopted The European Data Protection Board Having regard to Article 63, Article 64 (1)(c), (3) - (8) and Article 41 (3) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of…

## Sections (51)

### ¶0

30 November 2021 Adopted Adopted The European Data Protection Board Having regard to Article 63, Article 64 (1)(c), (3) - (8) and Article 41 (3) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”), Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018,

### ¶1

Having regard to Article 10 and Article 22 of its Rules of Procedure of 25 May 2018, Whereas: (1) The main role of the European Data Protection Board (hereinafter “the Board”) is to ensure the consistent application of the GDPR when a supervisory aut hority (hereinafter “SA”) intends to approve the requirements for accreditation of a code of conduct (hereinafter “code”) monitoring body pursuant to article 41. The aim of this opinion is therefore to contribute to a harmonised approach with regard to the suggested requirements that a data protection supervisory authority shall draft and that apply during the accreditation of a code monitoring body by the competent supervisory authority. Even though the GDPR does not directly impose a single set of require ments for accreditatio n, it does promote consistency. The Board seeks to achieve this objective in its opinion by: firstly, requesting the competent SAs to draft their requirements for accreditation of monitoring bodies based on article 41(2) GDPR and on t he Board’s “Guidelines 1/2019 on Codes of Conduct and Monitoring bodies under Regulation 2016/679” (hereinafter the “Guidelines”) , using the eight requirements as outlined in the guidelines’ accreditation section (section 12); secondly, providing the compe tent SAs with written guidance explaining the accreditation requirements; and, finally, requesting the competent SAs to adopt the requirements in line with this opinion, so as to achieve an harmonised approach. (2) With reference to article 41 GDPR, the competent supervisory authorities shall adopt requirements for accreditation of monito ring bodies of approved codes. They shall, however, apply the consistency mechanism in order to allow the setting of suitable requirements ensuring that monitoring bodies carry out the monitoring of compliance with codes in a competent, consistent and independent manner, thereby facilitating the proper implementation of codes across the Union and, as a result, contributing to the proper application of the GDPR. (3) In orde r for a code covering non - public authorities and bodies to be approved, a monitoring body (or bodies) must be identified as part of the code and accredited by the competent SA as being capable of effectively monitoring the code. The GDPR does not define th e term “ accreditation ” . However, article 41 (2) of the GDPR outlines general requirements for the accreditation of the monitoring body. There are a number of requirements , which should be met in order to satisfy the competent supervisory authority to accre dit a monitoring body. Code owners are required to explain and 1 References to the “Union” made throughout this opinion should be understood as references to “EEA”. Adopted demonstrate how their proposed monitoring body meets the requirements set out in article 41 (2) GDPR to obtain accreditation. (4) While the requirements for accreditation of monitoring bodies a re subject to the consistency mechanism, the development of the accreditation requirements foreseen in the Guidelines should take into consideration the code ’s sector or specificities. Competent supervisory authorities have discretion with regard to the sc ope and specificities of each code, and should take into account their relevant legislation. The aim of the Board ’s opinion is therefore to avoid significant inconsistencies that may affect the performance of monitoring bodies and consequently the reputati on of GDPR codes of conduct and their monitoring bodies. (5) In this respect, the Guidelines adopted by the Board will serve as a guiding thread in the context of the consistency mechanism. Notably, in the Guidelines, the Board has clarified that even thou gh the accreditation of a monitoring body applies only for a specific code, a monitoring body may be accredited for more than one code, provided it satisfies the requirements for accreditation for each code . (6) The opinion of the Board shall be adopted p ursuant to article 64 (3) GDPR in conjunction with article 10 (2) of the EDPB Rules of Procedure within eight weeks from the first working day after the Chair and the competent supervisory authority have decide d that the file is complete. Upon decision of the Chair, this period may be extended by a further six weeks taking into account the complexity of the subject matter. HAS ADOPTED THE FOLLOWING OPINION: SUMMARY OF THE FACTS 1 The Office of the Information and Data Protection Commissioner of Malta ( hereinafter “ MT SA ” ) has submitted its draft decision containing the accreditation requirements for a code of conduct monitoring body to the Board , requesting its opinion pursuant to article 64 (1)(c) , for a consistent approach at Union level. The decision on the completeness of the file was taken on 5 October 2021 . ASSESSMENT General reasoning of the Board regarding the submitted draft accreditation requirements

### ¶2

All accreditation requirements submitted to the Board for an opinion must fully address artic le 41 (2) GDPR criteria and should be in line with the eight areas outlined by the Board in the accreditation section of the Guidelines (section 12, pages 21 - 25). The Board opinion aims at ensuring consistency and a correct application of article 41 (2) GDPR as regards the presented draft.

### ¶3

This means that, when drafting the requirements for the accreditation of a body for monitoring codes according to articles 41 (3) and 57 (1) (p) GDPR, all the SAs should cover these basic core requirements Adopted foreseen in the Guidelines, and the Board may recommend that the SAs amend their drafts accordingly to ensure consistency.

### ¶4

All codes covering non - public authorities and bodies are required to have accredited monitoring bodies. The GDPR expressly request SAs , t he Board and the Commission to “ encourage the drawing up of codes of conduct intended to contribute to the proper application of the GDPR, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium sized enterprises. ” (A rticle 40 (1 ) GDPR). Therefore , the Board recognises that the requirements need to work for different types of codes, applying to sectors of diverse size, addressing various interests at stake and covering processing activities with different levels of risk.

### ¶5

In some a reas , the Board will support the development of harmonised requirements by encouraging the SA to consider the examples provided for clarification purposes.

### ¶6

When this opinion remains silent on a specific requirement, it means that the Board is not asking t he MT SA to take further action.

### ¶7

This opinion does not reflect upon items submitted by the MT SA, which are outside the scope of article 41 (2) GDPR, such as references to national legislation. The Board nevertheless notes that national legislation should be in line with the GDPR , where required. Analysis of the MT SA’s accreditation requirements for Code of Conduct’s monitoring bodies

### ¶8

Taking into account that: a. Article 41 (2) GDPR provides a list of accreditation areas that a monitoring body need to address in order to be accredited ; b. Article 41 (4) GDPR requires that all codes (excluding those covering public authorities per Article 41 (6)) have an accredited monitoring body; and c. Article 57 (1) (p) & (q) GDPR provides that a competent supervisory auth ority must draft and publish the accreditation requirements for monitoring bodies and conduct the accreditation of a body for monitoring codes of conduct . the Board is of the opinion that: GENERAL REMARKS

### ¶9

One of the tasks of the Board is to ensure consi stency between requirements submitted by national supervisory authorities. F or the sake of clarity the Board considers that the overall structure of the d raft requirement submitted by MT SA should be improved. Therefore, with the aim to facilitate the asse ssment and ensure consistency, the Board encourages MT SA to follow the structure of the Guidelines in the draft requirements and to a djust titles of the subsection and their order to it.

### ¶10

For the sake of consistency , the Board encourages MT SA to adjust terminology used in the requirements to the terminology used in the Guidelines, this applies in particular to the following terms : ‘ c ode o wners’, “monitoring body”, ‘ a ccreditation’ . Also, clarification of what is meant by “legal position” (section 3.2), “ g ood repute ” , “suitability in decision - making” , “beneficial owners” (section 4.1.vii ) , analytical accounting systems ( section 4.3.ii), any logical separation raising barriers between Adopted the monitoring body and the code owners / members ( s ection 4.3.iii) other relevant bodies ( s ection 5) , principle of natural justice ( s ection 7 ) and substantial change ( s ection 9) would be of help . Moreover, as through out the text MT SA is using the term “undue” influence, the Board suggests to delete the word “undue” as a monitoring body must be free not only from “undue” but from any external influence.

### ¶11

The Board encourages MT SA to correct several typos in the opinion, such as non - for - profit in section 3.1 In the same section, the Board encourages MT SA, for the sake of consistency , to state that a monitoring body must be “established” (not “incorporated”) in the E uropean Union .

### ¶12

The Board is of the opinion that examples help in understanding the draft requirements. Therefore, t he Board encourages MT SA to include in the draft accreditation requirements some additional examples . In particular, the Board invites MT SA to add :  example of what is meant by “good repute” (section 3.2);  examples of additional duties that may be performed by the monitoring body (section 3.5);  exa mples of monitoring body’s service s to code members which could adversely affect its independence ( s ection 4.1) ;  examples regarding how to ensure the independence of the monitoring body in performing its tasks and exercising its powers ( s ection 4.3) ;  examp les of situations where there is a conflict of interests and where there is no such conflict ( s ection 5) ;  e xamples of how the monitoring body may demonstrate expertise ( s ection 6) ;  examples of sanctions that may be set out in the code of conduct ( s ection 8);  examples of substantial change s that may affect the capacity of the monitoring body to monitor the code ( s ection 9 ).

### ¶13

For the sake of consistency, with respect to the application of the code, the Board encourages MT SA to move section 3.4 to the “ Introd uction ” part of the requirements , since it seems to connect to all requirements and not just the legal status requirement. Moreover, the Board encourages MT SA to further expand the section on application procedure . In particular, this section could state for example, that accreditation as a monitoring body is only possible in relation to the subject matter of one or more specific codes of conduct pursuant to Article 41 (1) of the GDPR, contain minimum requirements for the application for an accreditation a nd state in which form applications for accreditation must be submitted. LEGAL STATUS

### ¶14

As regards the provision stating that i n the event that the monitoring body is established in an EEA country other than Malta, the legal framework of such EEA country shall incorporate legal provisions that are substantially equal to Maltese legislation regulating legal and natural persons, in particular with regards to their liability at law , the Board encourages MT SA to clarify the meaning of this provision, in parti cular the term “substantially equal” . Adopted

### ¶15

In the same section in the sentence, “[t] he requirements indicated herein shall apply to both external and internal proposed monitoring bodies, unless specified otherwise ” the Board encourages MT SA to clarify what it means by “unless specified otherwise”.

### ¶16

In section 3.2, the Board is of the opinion that it should be explicitly mentioned that the monitoring body should have a legal capability of being fined . In the same section , the Board encourages the MT SA to strengthen the wording when referring to evidence by stat ing that it “shall” not “may ” include evidence s as listed by MT SA.

### ¶17

In section 3.3, the Board encourages the MT SA to state that the monitoring body “have access” instead of “shall have access” to n ecessary resources.

### ¶18

With respect to section 3.5 “Other functions”, the Board encourages MT SA to move it to the “ I ndependence” section instead, as this provision relates more to the independent functioning of the monitoring body rather than its legal status.

### ¶19

In section 3.6 of the draft requirements , MT SA correctly states that t he monitoring body may farm out certain monitoring activities to other entities acting as sub - contractors. In the opinion of the Board , to a limited extent and under certain con ditions it is possible for the monitoring body to outsource certain activities. However, it should be clear that the decision - making process cannot be outsourced. Therefore, the Board encourages MT SA to clarify in the requirements whether "certain monitor ing activities" refer to the decision - making.

### ¶20

As regards section 3.6 the Board considers that the monitoring body, in addition to be the ultimate responsible for the decision - making, is also responsible for compliance when it uses subcontractors. The Board encourages MT SA to add a relevant reference . Moreover, the Board encourages MT SA to include a n explicit requirement for subcontractors to comply with their data protection obligations.

### ¶21

Additionally , the Board underlines the need to specify requirements relating to the termination of the contract, in particular so as to ensure that the subcontractors fulfil their data protection obligations related to such a termination , and encourages the MT SA to add such remark.

### ¶22

As regards the same section, the Board is of the opinion that the code of conduct itself need s to demonstrate that the operation of the code’s monitoring mec hanism is sustainable over time and covering worst - case scenarios, such as the monitoring body being unable to perform the monitori ng function. In this regard, a monitoring body should demonstrate that it can deliver the code of conduct’s monitoring mechanism over a suitable period of time. Therefore, the Board recommends the MT SA to explicitly require that monitoring bodies demonstr ate continuity of the monitoring function over time . Moreover, a clear indication that financial stability and resources need to be accompanied with the necessary procedures to ensure the functioning of the code of conduct over time should be added .

### ¶23

F or th e sake of consistency, the Board encourages MT SA to replace term “responsibilities at law” with “ultimate responsibility”, as the monitoring body has responsibility not only according to law, but the ultimate responsibility for decision - making and complia nce when it uses subcontractors. INDEPENDENCE

### ¶24

With respect to independence, the Board believe s that it should be ensured at any time, not only during the decision - making process, therefore in section 4 of MT SA’s draft requirements, the Board recommends the MT SA to add the following wording “ These rules and procedures shall therefore Adopted ensure the complete autonomy of the monitoring body from any direct or indirect influence or pressure at any time ” .

### ¶25

As regards legal and decision - making procedures and ensur ing that the decision - making personnel of the monitoring body has no convergent interests with the entities subject to monitoring , the Board is of the opinion that the monitoring body must (and not “may”) bring information concerning the activities (gainfu l or not) in which its personnel is engaged ( s ection 4.1.vi) to the code owner , thus encourages MT SA to incorporate relevant clarification in its requirements .

### ¶26

As regards section 4.1.viii, the Board underlines that the duration or expiration of the mandate of the monitoring body must be regulated in such a way to prevent overdependence on a renewal or fear of losing the appointment, to an extent that adversely affects the independence in car rying out the monitoring activities by the monitoring body. The Board encourages the MT SA to explicitly mention this matter in its requirements and to provide examples regarding duration and expiration .

### ¶27

With respect to section 4.1 and requirements an int ernal body has to demonstrate, the Board notes that not all requirements from point 65 of Guidelines were mentioned by MT SA. The Board encourages the MT SA to add missing requirements.

### ¶28

In the section 4.2 “Financial independence” a reference not only to f inancial resources but also to other resources should be mentioned, thus t he Board recommends that the MT SA require that the monitoring body should have access to adequate financial and other resources to fulfil its monitoring responsibilities, especially for the accreditation of a natural person.

### ¶29

Regarding section 4.2 on the financial independence of the monitoring body, the Board notes that the elements to be taken into account in this assessment , have not been addressed. Such elements include the size and complexity of the code members (as monitored entities), the nature and scope of their activiti es (as the subject of the code) and the risk(s) associated with the processing operation(s). Therefore , the Board encourages MT SA to add these elements to the releva nt section of the requirements.

### ¶30

The monitoring body shall have an adequate and proportionate number of staff members . These aspects could be demonstrated through the procedure to appoint the monitoring body personnel, the remuneration of the said personnel, as well as the duration of the personnel’s mandate, contract or other formal agreement with the monitoring body. Th erefore, the Board recommends t o MT SA to provide suitable requirements for organisational aspects of the independence of the monitoring body and add the above - mentioned references regarding the independence of the monitoring body in performing its tasks a nd exercising its powers, in accordance with the Guidelines.

### ¶31

Finally, with respect to internal monitoring bodies, the Board encourages the MT SA to add a requirement to prove that a specific , separated budget is allocated to such bodies by the code owner. CONFLICT OF INTEREST

### ¶32

With respect to s ection 5 of the requirements , and the provision stating that “t he monitoring body must remain free from external or internal influence ” the Board encourages the MT SA to clarify what is meant by “internal influence” or use the term “direct or indirect” influence. In this context, it should be underlined that the Guidelines in paragraph 68 only refer to “ free from external influence, whether Adopted direct or indirect, and shall neither seek nor take instructions from any person, organisation or association. ”

### ¶33

As rega rds Section 5 and the sentence “A monitoring body which is internal must be appropriately protected from any sort of sanctions or interference ( whether direct or indirect) by the code owner, other relevant bodies, or code members as a consequence of the fulfilment of its tasks ”, the Board encourages the MT SA to delete the reference to “internal” , as this requirement shall apply also to external monitoring bodie s. EXPERTISE

### ¶34

The Board observes that in the s ection 6 of the draft requirements the MT SA makes distinction between legal and technical personnel. The Board encourages the MT SA to clarify that the technical requirements of the personnel will depend on whether this is necessary for the code at stake or not.

### ¶35

Moreover, the Board recommends to clarify in this section that in order to demonstrate expertise of the staff on specific personal data processing, different interests involved and the risks of the p rocessing activities addressed by the code should also be taken into account. ESTABLISHED PROCEDURES AND STRUCTURES

### ¶36

In s ection 7 of the draft requirements , MT SA stated that “ The monitoring body shall remain responsible to ensure that any information entered into its possession whilst carrying out its monitoring functions remains confidential unless it is required to disclose such information or it is exempt by law ”. The Board encourages the MT SA to clarify what it meant by situations requiring disclo sure of information, different from exemption by law.

### ¶37

As regards s ection 7.2 “Monitoring of compliance”, the monitoring body must demonstrate that it has a procedure for the investigation, identification and management of code member infringements to the c ode and additional controls to ensure that appropriate action is taken to remedy such infringements of the code. The Board encourages the MT SA to include relevant reference in the requirements . Moreover, as there are also other ways than audit to monitor controllers’ and processors’ compliance with the code the Board encourages MT SA to make clear that review procedures can include not only audits, but also inspections , reporting and the use of self - monitoring reports or questionnaires.

### ¶38

The Board encourage s MT SA to avoid using the term “penalties” and use “corrective measures” instead. TRANSPARENT COMPLAINTS HANDLING

### ¶39

In Section 8 “Transparent Complaints Handling”, MT SA mentioned that handling complaints “ is organized in a manner that a dedicated and segregated section of the monitoring body oversees complaints, when feasible ”. The Board encourages MT SA to explain in which case s oversight by a dedicated and segregated section would not be possible. Moreove r, the Board suggests adding a requirement that where it is not possible to have such a separated section, a justification should be brought forward. Adopted

### ¶40

With respect to the same section, the Board encourages MT SA to add provisions regarding publication of th e decisions - at least regarding publication of summaries or statistical data . Moreover, the Board encourages MT SA to add procedural requirements regarding complaint - handling process, in particular the right to be heard and duty to provide relevant inform ation. COMMUNICATION WITH THE COMPETENT SUPERVISORY AUTHORITY

### ¶41

As regards s ection 9 “Communication with the competent supervisory authority” , for the sake of consistency with other opinions, the Board encourages MT SA to replace the reference to “communication channels” with “reporting mechanism”. CODE REVIEW MECHANISM

### ¶42

As regards s ection 10 “Code review mechanism”, the Board encourages MT SA to align the w ording of this section with the wording of the G uidelines, and explicitly mention that the review mechanisms should take into account any changes in the application and interpretation of the law or where there are new technological developments which have impact upon the data processing carried out by the code members or the provisions of the co de.

### ¶43

In the same section, the Board encourages MT SA to ensure that not only the monitoring body but also any other entity referred to in the code of conduct may, if appropriate , be granted an active and participative role in the code review process . REVOCATION OF A MONITORING BODY

### ¶44

In section 11 “Revocation of a monitoring body” in the sentence “ In such a case, depending on the circumstances, prior to the revocation, the competent supervisory authority may give the monitoring body the opportunity to urgently address the issues encountered and remediate to its infringements by taking the necessary corrective actions. ” T he Board encourages MT SA to replace “may” with “should”. In order to align the wording of the draft requirements with para graph 87 of the Guidelines , i n the sentence “[i] n the case of transnational codes, the competent supervisory authority should consult and seek the views of the CSAs and communicate that it intends to revoke the accreditatio n of the monitoring body to all C SAs and to the Board ” the Board encourages MT SA to replace word “CSAs” with “concerned Supervisory Authorities” . CONCLUSIONS / RECOMM ENDATIONS

### ¶45

The draft accreditation requirements of the Maltese Supervisory Authority may lead to an inconsistent application of the accreditation of monitoring bodies and the following changes need to be made:

### ¶46

Regarding ”legal status” the Board recommends that MT SA: Adopted - explicitly require that monitoring bodies must demonstrate continuity of the m onitoring function over time;

### ¶47

Regarding ”independence” the Board recommends that MT SA: - add a reference to the fact that independence is ensured at any time, not only during the decision - making process ; - require that the monitoring body should have access not only to financial but also other resources necessary to fulfil its monitoring responsibilities ; - provide suitable requirements for organisational aspects of the inde pendence of the monitoring body ;

### ¶48

Regarding ”expertise” the Board recommends that MT SA: - clarify that in order to demonstrate expertise of the staff on specific personal data processing, different interests involved and the risks of the processing activities addressed by the cod e should be taken into account. FINAL REMARKS

### ¶49

This opinion is addr essed to the Maltese supervisory authority and will be made public pursuant to Article 64 ( 5 (b) GDPR.

### ¶50

According to Article 64 (7) and (8) GDPR, the MT SA shall communicate to the Chair by electronic means within two weeks after receiving the opinion, whe ther it will amend or maintain its draft decision. Within the same period, it shall provide the amended draft decision or where it does not intend to follow the opinion of the Board, it shall provide the relevant grounds for which it does not intend to fol low this opinion, in whole or in part. 51. The MT SA shall communicate the final decision to the Board for inclusion in the register of decisions, which have been subject to the consistency mechanism, in accordance with article 70 (1) (y) GDPR. For the Europ ean Data Protection Board The Chair (Andrea Jelinek)

---
Generated by overview.legal · https://overview.legal/posts/125977 · 2026-07-17
