Skip to content
Guidance · EDPB ·232021-on-the-draft-decision-of-the-competent EN LLM context A cited markdown file you can paste into your AI assistant (ChatGPT, Claude, a RAG or project knowledge base) to ground it in this document. Contains: this document’s text, its sections with their topics, and the full text of every law provision it applies. Everything links back to its source on overview.legal — legal information, not advice.

Opinion 23/2021 on the draft decision of the competent supervisory authority of Czech Republic regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR

Summary

1 Adopted Opinion 23 / 20 21 on the draft decision of the competent supervisory authority of Czech Republic regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR Adopted on 20 July 2021 2 Adopted 3 Adopted The European Data Protection Board Having regard to Article 63, Article 64 (1)(c), (3) - (8) and Article 41 (3) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the…

How it connects

Full text 71 sections

Paragraphs carrying a topic or an applied provision show those connections inline Original at the source →
¶1

Adopted Opinion 23 / 20 21 on the draft decision of the competent supervisory authority of Czech Republic regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR Adopted on 20 July 2021

¶2

Adopted

¶3

Adopted The European Data Protection Board Having regard to Article 63, Article 64 (1)(c), (3) - (8) and Article 41 (3) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”), Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018, 1 Having regard to Article 10 and Article 22 of its Rules of Procedure of 25 May 2018, Whereas: (1) The main role of the European Dat a Protection Board (hereinafter “the Board”) is to ensure the consistent application of the GDPR when a supervisory authority (hereinafter “SA”) intends to approve the requirements for accreditation of a code of conduct (hereinafter “code”) monitoring body pursuant to article 41. The aim of this opinion is therefore to contribute to a harmonised approach with regard to the suggested requirements that a data protection supervisory authority shall draft and that apply during the accreditation of a code monito ring body by the competent supervisory authority. Even though the GDPR does not directly impose a single set of requirements for accreditation, it does promote consistency. The Board seeks to achieve this objective in its opinion by: firstly, requesting t he competent SAs to draft their requirements for accreditation of monitoring bodies based on article 41(2) GDPR and on the Board’s “Guidelines 1/2019 on Codes of Conduct and Monitoring bodies under Regulation 2016/679” (hereinafter the “Guidelines”) , using the eight requirements as outlined in the guidelines’ accreditation section (section 12); secondly, providing the competent SAs with written guidance explaining the accreditation requirements; and, finally, requesting the competent SAs to adopt the requir ements in line with this opinion, so as to achieve an harmonised approach. (2) With reference to article 41 GDPR, the competent supervisory authorities shall adopt requirements for accreditation of monitoring bodies of approved codes. They shall, however, apply the consistency mechanism in order to allow the setting of suitable requirements ensuring that monitoring bodies carry out the monitoring of compliance with codes in a competent, consistent and independent manner, thereby facilitating the proper imp lementation of codes across the Union and, as a result, contributing to the proper application of the GDPR. (3) In order for a code covering non - public authorities and bodies to be approved, a monitoring body (or bodies) must be identified as part of the c ode and accredited by the competent SA as being capable of effectively monitoring the code. The GDPR does not define the term “ accreditation ” . However, article 41 (2) of the GDPR outlines general requirements for the accreditation of the monitoring body. T here are a number of requirements , which should be met in order to satisfy the competent supervisory authority to accredit a monitoring body. Code owners are required to explain and 1 References to the “Union” made throughout this opinion should be understood as references to “EEA”.

¶4

Adopted demonstrate how their proposed monitoring body meets the requirements set out in article 41 (2) GDPR to obtain accreditation. (4) While the requirements for accreditation of monitoring bodies are subject to the consistency mechanism, the development of the accreditation requirements foreseen in the Guidelines should take into co nsideration the code’s sector or specificities. Competent supervisory authorities have discretion with regard to the scope and specificities of each code, and should take into account their relevant legislation. The aim of the Board’s opinion is therefore to avoid significant inconsistencies that may affect the performance of monitoring bodies and consequently the reputation of GDPR codes of conduct and their monitoring bodies. (5) In this respect, the Guidelines adopted by the Board will serve as a guiding thread in the context of the consistency mechanism. Notably, in the Guidelines, the Board has clarified that even though the accreditation of a monitoring body applies only for a specific code, a monitoring body may be accredited for more than one code, p rovided it satisfies the requirements for accreditation for each code . (6) The opinion of the Board shall be adopted pursuant to article 64 (3) GDPR in conjunction with article 10 (2) of the EDPB Rules of Procedure within eight weeks from the first workin g day after the Chair and the competent supervisory authority have decide d that the file is complete. Upon decision of the Chair, this period may be extended by a further six weeks taking into account the complexity of the subject matter. HAS ADOPTED THE FOLLOWING OPINION: SUMMARY OF THE FACTS 1 The Czech Supervisory Authority ( hereinafter “ CZ SA ” ) has submitted its draft decision containing the accreditation requirements for a code of conduct monitoring body to the Board , requesting its opinion pursuant to article 64 (1)(c) , for a consistent approach at Union level. The decision on the completeness of the file was taken on 25 May 2021 . ASSESSMENT General reasoning of the Board regarding the submitted draft accreditation requirements 2 All accred itation requirements submitted to the Board for an opinion must fully address article 41 (2) GDPR criteria and should be in line with the eight areas outlined by the Board in the accreditation section of the Guidelines (section 12, pages 21 - 25). The Board opinion aims at ensuring consistency and a correct application of article 41 (2) GDPR as regards the presented draft. 3 This means that, when drafting the requirements for the accreditation of a body for monitoring codes according to articles 41 (3) and 57 (1) (p) GDPR, all the SAs should cover these basic core requirements foreseen in the Guidelines, and the Board may recommend that the SAs amend their drafts accordingly to ensure consistency.

¶5

Adopted 4 All codes covering non - public authorities and bodies are requir ed to have accredited monitoring bodies. The GDPR expressly request SAs , t he Board and the Commission to “ encourage the drawing up of codes of conduct intended to contribute to the proper application of the GDPR, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium sized enterprises. ” (article 40 (1) GDPR). Therefore , the Board recognises that the requirements need to work for different types of codes, applying to sectors of diverse size , addressing various interests at stake and covering processing activities with different levels of risk. 5 In some areas , the Board will support the development of harmonised requirements by encouraging the SA to consider the examples provided for clarifica tion purposes.

¶6

When this opinion remains silent on a specific requirement, it means that the Board is not asking the CZ SA to take further action.

¶7

This opinion does not reflect upon items submitted by the CZ SA, which are outside the scope of article 41 (2) GDPR, such as references to national legislation. The Board nevertheless notes that national legislation should be in line with the GDPR , where required. Analysis of the CZ SA’s accreditation requirements for Code of Conduct’s monitoring bodies

¶8

Taking into account that: a. Article 41 (2) GDPR provides a list of accreditation areas that a monitoring body need to address in order to be accredited ; b. Article 41 (4) GDPR requires that all codes (excluding those covering public authorities per Article 41 (6)) ha ve an accredited monitoring body; and c. Article 57 (1) (p) & (q) GDPR provides that a competent supervisory authority must draft and publish the accreditation requirements for monitoring bodies and conduct the accreditation of a body for monitoring codes of conduct . the Board is of the opinion that: GENERAL REMARKS

¶9

The Board notes that the draft accreditation requirements do not follow the structure set out in Section 12 of the Guidelines. For example, the sections on “Independence” including “Accountability ” , Review mechanism” and “legal status” are missing in the draft accreditation requirements . In this regards, for the sake of clarity the Board c onsiders that the overall structure of the document should be improved. Therefore, with the aim to facilitate the assessment and ensure consistency , the Board recommends the CZ SA to follow the structure of the Guidelines in the draft requirements and to add the missing sections .

¶10

The Board observes that section 8 (Application for accreditation) of the draft accreditation requirements indicates a list of evidence to support the application for accreditation, which however does not include all the requirements of the Guidelines. The refore, the Board re commends that CZ SA include in the draft accreditation requirements examples of evidences related to all requirements. 6 Adopted

¶11

In addition, with the aim to facilitate the clarity of the draft accreditation requirements, the Board encourages t he CZ SA to include in the respective sections of the requirements the examples of the information or documents confirming that the relevant requirements are met.

¶12

The Board observes that the last paragraph of the introductory part of the CZ SA’s draft ac creditation requirements (page 2) refers to a code of conduct as a tool for international transfers. As pa rt of the work program for 2020 - 2021 , the Board is currently working on Guidelines on Codes of Conduct as a tool for transfers. Since the Guidelines h a ve not been adopted yet, the Board considers that this r eference in the draft accreditation requirements might create confusion . Therefore, the Board recommends the CZ SA to delete this section .

¶13

The Board notes that subsection 1.5 of the draft accreditation requirements refer s to offences committed by the monitoring body or the statutory representative of the monitoring body “in connec tion with the line of business” . T aking into account the nature of the activities of the monitoring bodies, t he Board encourages the CZ SA to clarify and further elaborate on this requirement in order to ensure that the above wording refers to activities not related to monitoring functions.

¶14

For the sake of consistency and clarity, the B oard encourages the CZ SA to replace throughout the draft accreditation requirements the term “the Office for Personal Data Protection” with the term “Competent Supervisory Authority” in line with the terminology used in the Guidelines. At the same time th e Board encourages the CZ SA to introduce in the definition section of the draft requirements a definition of the term « Competent Supervisory Authority», to be understood as the Office for Personal Data Protection.

¶15

As regards section 2 of the accreditation requirements, the Board encourage s the CZ SA to clarify that the accreditation may be reviewed periodically, to provide transparent information on what happens after the expiry of the validity of the accreditation and explain how periodic reviews will wor k in practice even before 5 years period of validity.

¶16

The Board notes that in section 2. “Monitoring agreements concluded between a monitoring body and a monitored entity” of the CZ SA draft accreditation requ irements, it is stated that the relationship be tween the monitoring body and the code members is subject to regulation by private law agreement. The Board highlights that the binding nature of the rules of the code of conduct, including those providing for the monitoring mechanism, would result from th e (mere) adhesion of the code members to the code, as well as from their membership of the representative association. Whereas contractual arrangements are not, per se, excluded, the Board is of the opinion that the essential elements of the monitoring bod y’s function should be included in the code itself , because they are not negotiable . Additional clauses may be added in the form of an agreement or contract between the monitoring body and the code member, as long as they do not entail a variation in the essential elements of the monitoring body’s function, as set out in the code. Therefore, the Board recommends the CZ SA to specify that the core elements of the monitoring body’s function will be included in the code of conduct .

¶17

Along the same lines, unde r the same section, the Board also recommends deleting the relevant requirements for agreements between the monitoring body and monitored entities in section 2. of the draft accreditation requirements.

¶18

As regards subsection 1.3 of the draft accreditation r equirements the Board recommends the CZ SA to modify this requirement in order to specify that the monitoring body shall be able to demonstrate that all processing operations , which it performs for its monitoring tasks , are compliant with the GDPR. 7 Adopted

¶19

In addi tion, the Board encourages the CZ SA to revise the requirements in order to avoid misunderstandings stemming from the translation of the document into English (for example, in section 1.1 the term “a natural person engaged in business ” should be replace d by “ natural persons acting as undertaking ”; section 1.5 should refer to “integrity requirements”, instead of “impeccability requirements” ; the reference to the “importance a nd complexity of the processings ” under section 6.3 should be replaced by “nat ure a nd complexity of the processings ”; section 7.3 should read “ complaints and petitions handling procedures » , instead of “ complaints and concerns handling procedures ” (in the same way sections 15.1.2 and 15.1.4) , as the Board understands it is a transl ation mistake).

¶20

The Board is of the opinion that subsection 9.1 and 11.1 of the CZ SA’s draft accreditation requirements consist of elements which seem not to be necessary for the performance of monitoring bodies and is unclear . Therefore, with a view to avoiding inconsistencies and ambiguities the Board encourages the CZ SA to revise the se requirements accordingly. INDEPENDENCE

¶21

According to the Board, independence for a monitoring body should be understood as a series of formal rules and procedures for the appointment, terms of reference and operation of the monitoring body. In Board’s view these rules and procedures will allow the monitoring body to perform the monitoring of compliance with a code of conduct in complete autonomy, without being directly or indirectly influenced, nor subject to any form of pressure that might affect its decisions. This means that a monitoring body should not be in a position to receive any instructions regarding the exercise of its task from code members, t he profession, industry or sector to which the code applies, or from the code owner itself. Therefore, the monitoring body must demonstrate impartiality and independence in relation to four main areas: legal and decision - making procedures, financial resour ces, organisational resources and structure and accountability. However , the Board observes that the CZ SA’s accreditation requirements do not cover entirely the four areas outli ned and are not structure d in line with the Guidelines. In particular , there are no specific references to the legal and decision - making procedures, organis ational resources and accountability of the monitoring body. The Board recommends the CZ SA to further develop the requirements concerning independence of the monitoring body, in line with the four areas. Furthermore, the Board encourages the CZ SA to include practical examples that provide a clearer view on how the independence can be demonstrated in the four areas.

¶22

Furthermore, f or the sake of consistency and clarity, the Board encourages the CZ SA to replace throughout the draft accreditation requirements the terms “impartiality” with the term “independence” in line with the terminology used in the Guidelines and keep the term im partiality only in the context of organizational independence of MB.

¶23

Taking into account definition of the monitoring body specified in the definitions section, t he Board understands that the CZ SA ’s draft accreditation requirements apply to both internal and external monitoring bodies. Where the monitoring body is part of the code owner organisation, particular focus must be made on their ability to act independently. The Board is of the opinion that internal monitoring bodies cannot be set up within a co de member, but only within a code owner. Therefore, the Board recommends that this is clarified and reflected in the text of the draft accreditation requirements. Furthermore, t he Board encourages the CZ SA to tailor the examples taking into account that monitoring bodies can be external or internal monitoring bodies. 8 Adopted

¶24

T he Board encourages the CZ SA to add a requirement to prove that a specific separated budget is allocated to internal monitoring bodies by the code owner.

¶25

The Board observes that subsection 4.2 of the CZ SA’s draft accreditation requirements specifies s that the monitoring body shall have “adequate resources to cover costs of liability for its activities (e.g. financial reserves, insurances) ”. The Board is of the opinion that this obligation could prevent small or medium monitoring bodies from getting accredited. Therefore, the Board recommends the CZ SA to either delete this requirement or to soften the wording and refer to the monitoring body’s responsibilities in general. CONFLICT OF INTE REST

¶26

The Board notes that the requirements relating to the conflict of interest are partly specified in section 3 ( Management of impartiality ) and section 8.2.3 of the CZ SA’s draft accreditation requirements. The Board recommends to redraft the above men tioned provisions in order to cover all requirements relating to conflict of interest.

¶27

The Board observes that there is no reference to internal monitoring bodies, which should be appropriately protected from any sort of sanctions or interference by the co de owner, other relevant bodies, or members of the code, as a consequence of the fulfilment of its tasks (paragraph 68, page 23 of the Guidelines). The Board encourages the CZ SA to provide examples that include internal monitoring bodies.

¶28

As regard s sub section 3.3 of the draft accreditation requirements, the Board encourages the CZ SA to clearly state that in order to avoid conflict of interest, the monitoring body must, in particular, be free of external (direct or indirect) influence and, therefore, it shall not seek nor take any instructions from any person or organisation.

¶29

As stated in the Guidelines, the independence of the monitoring body should be demonstrated in relation also to the profession, industry or sector to which the code applies (paragra ph 63 of the Guidelines ). Therefore, the Board recommends that the CZ SA specif y this requirement in the draft accreditation requirements.

¶30

Moreover, the Board recommends the CZ SA to clarify that the monitoring body should have its own staff chosen by them or other body independent of the code member.

¶31

The Board encourages the CZ SA to add examples in the requirements in this respect. For example, employees of the monitoring body should be required to report possible conflicts of interest

¶32

As regards section 3.2, the Board encourage s the CZ SA to re - draft this requirement in line with the Guidelines.

¶33

As regards subsection 8.2.3 indent 3 as follows: “the commitment of the statutory representative that the monitoring body shall avoid conflict of interest when carrying out a monitoring, it means that the monitoring body shall not carry out monitoring for the code members organizationally or financially connected to it (through ownership, management, staff, resources, financing or contracts other than the monito ring agreements, etc.)”, the Board agrees that the risk of impartiality of the monitoring body may arise from a wide range of activities carried out by the monitoring body vis - à - vis code owners (especially in the situation where the monitoring body is an internal one) or other relevant bodies 9 Adopted of the sector concerned. However, the Board recognizes that providing non - supervisory services, purely administrative or organisational assistance or support activities may not involve a conflict of interes t. Therefore the Board encourages the CZ SA to further elaborate on this requirement in line wit h the G uidelines and provide examples of situations where there is a conflict of interests and where there is not. EXPERTISE

¶34

The Board agrees with the CZ SA that expertise needs to involve the subject - matter (sector) of the code, in which case the relevant requirements that must be fulfilled can be specific, based on the sector to which the code applies. In this context, the Board recommends to clarify section 6.3 that different interests involved and the risks of the processing activities addressed by the code should also be taken into account.

¶35

As regards sub section 6.3.1 , the Bo ard recommends to add also the reference to the experience with respect to the data protection law.

¶36

The Board recommends to add the term “expert” at the beginning of the sub section 6.3.3 of the draft accreditation requirements.

¶37

The Board observes that according to subsection 6.3.5 of the CZ SA’s draft accreditation requirements “Pers onnel maintain up - to date knowledge in technical and audit skills, especially in the course of changes in the legal framework, the relevant risks, the state of the art and the implementation costs of technical and organizational measures”. The Board recomm ends that the CZ SA modify and further clarify th is requirement accordingly, including by delet ing the last part of the sentence: “the implementation costs of technical and organizational measures”. ESTABLISHED PROCEDURES AND STRUCTURES

¶38

The Board obse rves that the CZ SA under section 10 (Monitoring) of the draft accreditation requirements refers to the criteria to be taken into account for the assessment of the established procedures to monitor compliance of the c ode members with the code . However, the Board notes that the complexity and the risks refer to the code concerned and the data processing activities to which the code applies, are not part of such criteria. Therefore, the Board encourages the CZ SA to amend this section so to include the comple xity and the risks refer ring to the code at stake and the data processing activities to which the code applies .

¶39

As regards subsection 10.1.2 of the draft accreditation requirements, the Board underlines that accordin g to paragraph 72 of the Guidelines, pro cedures and structures to actively and effectively monitor compliance by members of the code will be required. These could include random or unannounced audits, annual inspections, regular reporting and the use of questionnaires. The monitoring procedures can be designed in different ways as long as they take into account factors such as the risks raised by the data processing in scope of the code, complaints received or specific incidents and the number of members of the code etc. Consideration could be gi ven to the publication of audit reports as well as to the findings of periodic reporting from controllers and processors within the scope of the code. Therefore, the Board recommends to add some examples in the requirements, such as random or unannounced a udits, annual inspections, regular reporting and the use of questionnaires. 10 Adopted In addition, it should be mentioned that the monitoring procedures can be designated in different ways as long as they take into account factors such as the risks raised by the dat a processing in scope of the code, complaints received or specific incidents and the number of members of the code. TRANSPARENT COMPLAINT HANDLING

¶40

Regarding section 15 of the CZ SA’s draft accreditation requirements, the Board acknowledges that the monitoring body should have “ implemented appropriated procedure of handling complaints about infringements of the code and procedure of handling appeals a gainst the monitoring results ” . In this reg ard, the Board notes that the CZ SA’s draft accreditation requirements (subsection 15.1.4) include a timeframe for answering complaints. In this regard, the procedure shall envisage that the monitoring body has to inform the complainant with progress reports or the outcome of the complaint, within a reasonable time frame. This period could be extended when necessary, taking into account the size of the organisation under investigation, as well as the size of the in vestigation. Therefore, the Board recommends that the requirement is redrafted accordingly.

¶41

The Board notices that under section 12.1 of the CZ SA ’s draft accreditation requirements “ The monitoring body shall prepare a list of applicable remedies together with the rules for their application ”. This is not in line with Article 40 (4) GDPR, which requires that the corrective measures must be determined in the code of co nduct . Theref ore, the Board recommends the CZ SA to add a reference to the list of sanction s set out in the code of conduct in cases of infringements of the code by a controller or processor adhering to it.

¶42

Moreover, the Board recommends the CZ SA to reflect in the draft requirements paragraph 77 of the Guidelines according to which “where required, the monitoring body should be able to inform the code member, the code owner, the competent SA and all concerned SAs about the measures taken and its justification without undue delay. Moreover, in the case where a Lead Supervisory Authority (LSA) for a transnational code member is identifiable, the monitoring body should also appropriately inform the LSA as to it sa n ctions ” . COMMUNICATION WITH THE CZ SA

¶43

For the sake of consistency, the Board encourage s the CZ SA to add in the title of the section 14 of the draft requirements the term “communication” in line with the Guidelines.

¶44

The Board observes that the CZ SA in its requirements, in subsection 14. 1, refers to “ changes that might have an im p act on its ability to carry out monitoring ” . T he Board is of the opinion that only “substantial changes” should be reported to the competent SA . Therefore, the Board recommends that the CZ SA modify this requirement so to address the reporting of any substantial change s ( e.g . any change s that impact the monitoring body’s ability to perform its function) to the CZ SA in the accreditation requirements.

¶45

Section 14. of the CZ SA’s draft accreditation requirements develop s several situations in which the monitoring body is oblige d to notify the CZ SA. The Board considers that the information on the functioning of the monitoring body ’s activities ( e.g. , actions taken by the monitoring body ) should also be available to the CZ SA upon its request, and encourages the CZ SA to includ e such reference under this section . 11 Adopted

¶46

With regard to subsection 14.6 of the draft accreditation requirements, the Board notes that it refers to the obligation of the monitoring body to take action following CZ SA’s findings o n non - compliance with the Code. The Board encourage s the CZ SA to clarify and develop this requirement accordingly, in particular with regard to the conditions, circumstances and taking into account the competences of the SA and the monitoring body.

¶47

In the opinion of the Board , sub section 14.5 of the draft accreditation requirements better fit s into the section relating to the Review mechanism s . The Board encourage s the CZ SA to develop and move this requirement to the relevant section of the draft accreditation requirements.

¶48

The Bo ard observes that in the CZ SA’ s draft accreditation requirements there are no specific reference s to the requirement foreseen by paragraph 79 of the Guidelines. The Board recommends the CZ SA to ensure compliance with this requirement. REVIEW MECHANISM S

¶49

The Board obs erves that there is no reference to the role of the monitoring body within the review mechanisms of the code. According to section 80 of the Guidelines “ a code will need to set out appropriate review mechanisms to ensure that the code remains relevant and continues to contribute to the proper application of the GDPR. Review mechanisms should also be put in place to adapt to any changes in the application and interpretation of the law or where there are new technological developments whi ch may have an impact upon the data processing carried out by its members or the provisions of the code ” . Therefore, the Board recommend s the CZ SA to appropriately enrich this requirement. LEGAL STATUS

¶50

The Board observes that the obligation of Article 41(4) of the GDRP together with the section 12.8 of the Guidelines is not reflected in the draft requirements. Therefore, the Board recommends that the CZ SA follow the Guidelines in terms of structure and develop missing section on legal status in order to specify that the monitoring body and its related governance structures need to be created in a manner that the code owners can demonstrate that the monitoring body has the appropriate standing to carry out its role under Article 41(4) of the GDPR.

¶51

The Board notes that under subsection 1.6 of the draft accreditation requirements “ the monitoring body shall be established within the European Economic Area or Switzerland”. The Board is of the opinion that the monitoring body requires an establishment in the EEA. This is to ensure that they can uphold data subject rights, deal with complaints and that GDPR is enforceable and also ensures supervision by the competent supervisory authority. Therefore , the Board recommends t hat the CZ SA remove the reference to Switzerland.

¶52

T he Board underlines that the monitoring body should have financial and other resources, and the necessary procedures to ensure the monitoring body activity. Thereby, the Board encourages the CZ SA to s pecify that the monitoring body shall have adequate financial and other resources and the necessary procedures to ensure its functioning.

¶53

Moreover, the code of conduct itself will need to demonstrate that the operation of the code’s monitoring mechanism i s sustainable over time, covering worst - case scenarios, such as the monitoring body being unable to perform the monitoring function. In this regard, it would be advisable to require 12 Adopted that a monitoring body demonstrates that it can deliver the code of conduc t’s monitoring mechanism over a suitable period of time. Therefore, the Board recommends the CZ SA to explicitly require that monitoring bodies demonstrate continuity of the monitoring function over time.

¶54

The Board notes that the CZ SA’s accreditation req uirements do not refer generally to sub - contracting except for a restriction specified in subsection 3.2 The Board is of the opinion that the sub - contractors should be able to ensure the same degree of safeguards provided by the monitoring body in per forming their activities, including the same level of competence and expertise. Therefore the Board recommends that the CZ SA indicate that the obligations applicable to the monitoring body are applicable in the same way to subcontractors.

¶55

In a ddition, the Board recommends that the CZ SA clarif y whether the monitoring body may have recourse to subcontractors and under which terms and conditions.

¶56

The Board observes that under subsection 3.2 under paragraph 3 (Management of impartiality) " the monitoring body is not allowed to outsource any activities of the monitoring body, except of using individual external auditors and technical experts for evaluation activities " . In the opinion of the Board to a limited extent and unde r certain conditions it is possible for the monitoring body to outsource certain activities. Therefore, the Board encourage s the CZ SA to clari fy in the requirements whether "any activities of the monitoring body " refer to the decision - making. Moreover , th e Board recommends that the CZ SA indicate that the monitoring body remains responsible to the SA for monitoring in all cases.

¶57

In the opinion of the Board the monitoring body should be the ultimate responsible for all the decisions taken related to its mon itoring function. Therefore, the Board encourages the CZ SA to specify that, notwithstanding the sub - contractors ’ responsibility and obligations, the monitoring body is always the ultimate responsible for the decision - making and for compliance.

¶58

Along the same lines , the Board is of the opinion that, even when subcontractors are used, the monitoring body shall ensure effective monitoring of the services provided by the contracting entity. The Board recommends the CZ SA to explicitly add this obligation in t he draft accreditation requirements.

¶59

The Board underlines that a natural person acting as a monitoring body must demonstrate adequate resources that allow it to act as a monitoring body. The Board encourages the CZ SA to specify how in case of natural per sons the necessary expertise (legal and technical) is ensured and to add a clear reference to the necessity of ensuring and documenting how the monitoring role is guaranteed over a long term and how it can deliver the code's monitoring mechanism over a sui table period of tim e. CONCLUSIONS / RECOMM ENDATIONS

¶60

The draft accreditation requirements of the Czech Supervisory Authority may lead to an inconsistent application of the accreditation of monitoring bodies and the following changes need to be made:

¶61

Regarding general remarks the Board recommends that the CZ SA: 1. follow the structure of the Guidelines in the d raft accreditation requirements and add the missing sections; 2. include in the draft accreditation requirements examples of eviden ces related to all requirements; 13 Adopted 3. delete the last paragraph under the introductory part of the draft accreditation requirements (page 2); 4. specif y that the core elements of the monitoring body’s function will be include d in the code of conduct; 5. delete the r elevant requirements for agreem ents between the monitoring bod ies and monitored entities in section 2. of the d raft accreditation requirements; 6. modify subsection 1.3 in order to specify that the monitoring body shall be able to demonstrate that all proces sing operations it performs for its monitoring tasks are compliant with the GDPR.

¶62

Regarding independence the Board recommends that the CZ SA: 1. further develop the requirements concerning impartiality and independence of the monitoring body, in line with the four areas ; 2. clarify that the internal monitoring body cannot be set up within a code member, but only within a code owner; 3 . either delet e requir ement specified in section 4.2. or soften the wording and refer to the monitoring body’s responsibilit ies in genera l.

¶63

Regarding conflict of interest the Board recommends that the CZ SA: 1. redraft section 3 and subsection 8.2.3 in order to cover all requirements r elating to conflict of interest; 2. specif y that the independence of the monitoring body should be demonstrated in relation also to the profession, industry or sector to which the code applies ; 3. clarif y that the monitoring body should have its own staff chosen by them or other body independent of the co de .

¶64

Regarding expertise the Board recommends that the CZ SA: 1. clarif y section 6.3 that different interests involved and the risks of the processing activi ties addressed by the code sh ould also be taken into account; 2. add in subsection 6.3.1 reference to the experience with res pect to the data protection law; 3. add the term “ expert” at the beginning of the section 6.3.3 of the draft accreditation requirements ; 4. modify and further clarify subsection 6.3.5 , including deleting the last part of the sentence: “the implementation costs of technical and organizational measures”.

¶65

Regarding established procedures and structures the Board recommends that the CZ SA: 14 Adopted 1. add some examples in the requirements, such as random or unannounced audits, annual inspections, regular reporting and the use of questionnaires. In addition, it should be mentioned that the monitoring procedures can be designated in different ways as long as they take into account factors such as the risks raised by the data processing in scope of the code, complaints received or specific incidents and the number of members of the code.

¶66

Regarding transparent complaint handling the Board recommends that t he CZ SA: 1. modify section 15 in order to e nvisage in the procedure that the monitoring body has to inform the complainant with progress reports or the outcome of the complaint, within a reasonable time frame. This period could be extended when necessary , taking into account the size of the organisation under investigation, as well a s the size of the investigation; 2. add a reference to the list of sanctions set out in the code of conduct in cases of infringements of the code by a control ler or processor adhering to it; 3. reflect in the draft accreditation requirements paragraph 77 of the Guidelines according to which “where required, the monitoring body should be able to inform the code member, the code owner, the competent SA and all concerned SAs about the measures taken and its justification without undue delay. Moreover, in the case where a Lead Supervisory Authority (LSA) for a transnational code member is identifiable, the monitoring body should also appropriately inform the LSA as to it sections.

¶67

Regarding communication with the CZ SA the Board recommends that the CZ SA: 1. modify subsection 14.1 to address the reporting of any substantial change ( e . g. any change that impact the monitoring body’s ability to perform its function) to the CZ SA in the accreditation requirements; 2. ensure compliance with the requirement specified by paragraph 79 of the Guidelines .

¶68

Regarding review mechanisms the Board recommends that the CZ SA: 1. fill in the missing parts of this requirement .

¶69

Regard ing legal status the Board recommends that the CZ SA: 1. follow the Guidelines in terms of structure and develop missing section on legal status in order to specify that the monitoring body and its related governance structures need to be created in a manner that the code owners can demonstrate that the monitoring body has the appropriate standing to carry out its role under Article41(4) of the GDPR ; 2. remove the reference t o Switzerland in subsection 1.6; 3. explicitly require that monitoring bodies demonstrate continuity of th e monitoring function over time; 15 Adopted 4. indicate that the obligations applicable to the monitoring body are applicable in the same way to subcontractors ; 5. clarif y whether the monitoring body may have recourse to subcontractors and o n which terms and conditions; 6. indicate that the monitoring body remains responsible to the SA for monitoring in all cases; 7. explicitly add that when subcontractors are used, the monitoring body shall ensure effective monitoring of the services provided by the contracting entity. FINAL REMARKS

¶70

This opinion is addressed to the Czech supervisory authority and will be made publi c pursuant to Article 64 ( 5 (b) GDPR.

¶71

According to Article 64 (7) and (8) GDPR, the CZ SA shall communicate to the Chair by electronic means within two weeks after receiving the opinion, whether it will amend or maintain its draft decision. Within the sam e period, it shall provide the amended draft decision or where it does not intend to follow the opinion of the Board, it shall provide the relevant grounds for which it does not intend to follow this opinion, in whole or in part. 72. The CZ SA shall communicate the final decision to the Board for inclusion in the register of decisions, which have been subject to the consistency mechanism, in accordance with article 70 (1) (y) GDPR. For the European Data Protection Board The Chair (Andrea Jeline k)

Similar Content