# Opinion 10/2021 on the draft decision of the competent supervisory authority of Hungary regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR

- Type: Guidance
- Source: EDPB
- Identifier: opinion-102021-on-the-draft-decision-of-the-competent-en
- Date: 2021-03-23
- Original: https://www.edpb.europa.eu/documents/opinion-of-the-board-art-64/opinion-102021-on-the-draft-decision-of-the-competent_en
- Canonical: https://overview.legal/posts/126045
- Topics: Compliance Independence, Scientific Panel Independence, Codes of Practice Compliance and Monitoring, Accountability, Human Resources, Codes of Conduct, Monitoring, Processors, Confidentiality Obligations and Requirements, Notified Body Independence

## Summary

Adopted Opinion 10 / 20 21 on the draft decision of the competent supervisory authority of Hungary regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR Adopted on 23 March 2021 Adopted Adopted The European Data Protection Board Having regard to Article 63, Article 64 (1)(c), (3) - (8) and Article 41 (3) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural…

## Sections (62)

### ¶0

23 March 2021 Adopted Adopted The European Data Protection Board Having regard to Article 63, Article 64 (1)(c), (3) - (8) and Article 41 (3) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”), Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018,

### ¶1

Having regard to Article 10 and Article 22 of its Rules of Procedure of 25 May 2018, Whereas: (1) The main role of the European Data Protection Board (hereinafter “the Board”) is to ensure the consistent application of the GDPR when a supervisory authority (hereinafter “SA”) intends to approve the requirements for accreditation of a code of condu ct (hereinafter “code”) monitoring body pursuant to article 41. The aim of this opinion is therefore to contribute to a harmonised approach with regard to the suggested requirements that a data protection supervisory authority shall draft and that apply du ring the accreditation of a code monitoring body by the competent supervisory authority. Even though the GDPR does not directly impose a single set of requirements for accreditation, it does promote consistency. The Board seeks to achieve this objective i n its opinion by: firstly, requesting the competent SAs to draft their requirements for accreditation of monitoring bodies based on article 41(2) GDPR and on the Board’s “Guidelines 1/2019 on Codes of Conduct and Monitoring bodies under Regulation 2016/679 ” (hereinafter the “Guidelines”) , using the eight requirements as outlined in the guidelines’ accreditation section (section 12); secondly, providing the competent SAs with written guidance explaining the accreditation requirements; and, finally, requesting the competent SAs to adopt the requirements in line with this opinion, so as to achieve an harmonised approach. (2) With reference to article 41 GDPR, the competent supervisory authorities shall adopt requirements for accreditation of monitoring bodies of approved codes. They shall, however, apply the consistency mechanism in order to allow the setting of suitable requirements ensuring that monitoring bodies carry out the monitoring of compliance with codes in a competent, consistent and indepen dent manner, thereby facilitating the proper implementation of codes across the Union and, as a result, contributing to the proper application of the GDPR. (3) In order for a code covering non - public authorities and bodies to be approved, a monitoring body (or bodies) must be identified as part of the code and accredited by the competent SA as being capable of effectively monitoring the code. The GDPR does not define the term “ accreditation ” . However, article 41 (2) of the GDPR outlines general requirements for the accreditation of the monitoring body. There are a number of requirements , which should be met in order to satisfy the competent supervisory authority to accredit a monitoring body. Code owners are required to explain and 1 References to the “Union” made throughout this opinion should be understood as references to “EEA”. Adopted demonstrate how their prop osed monitoring body meets the requirements set out in article 41 (2) GDPR to obtain accreditation. (4) While the requirements for accreditation of monitoring bodies are subject to the consistency mechanism, the development of the accreditation requirement s foreseen in the Guidelines should take into consideration the code ’s sector or specificities. Competent supervisory authorities have discretion with regard to the scope and specificities of each code, and should take into account their relevant legislati on. The aim of the Board ’s opinion is therefore to avoid significant inconsistencies that may affect the performance of monitoring bodies and consequently the reputation of GDPR codes of conduct and their monitoring bodies. (5) In this respect, the Guideli nes adopted by the Board will serve as a guiding thread in the context of the consistency mechanism. Notably, in the Guidelines, the Board has clarified that even though the accreditation of a monitoring body applies only for a specific code, a monitoring body may be accredited for more than one code, provided it satisfies the requirements for accreditation for each code . (6) The opinion of the Board shall be adopted pursuant to article 64 (3) GDPR in conjunction with article 10 (2) of the EDPB Rules of Pr ocedure within eight weeks from the first working day after the Chair and the competent supervisory authority have decide d that the file is complete. Upon decision of the Chair, this period may be extended by a further six weeks taking into account the com plexity of the subject matter. HAS ADOPTED THE FOLLOWING OPINION: SUMMARY OF THE FACTS 1 The Hungarian Supervisory Authority ( hereinafter “ HU SA ” ) has submitted its draft decision containing the accreditation requirements for a code of conduct monitoring body to the Board , requesting its opinion pursuant to article 64 (1)(c) , for a consistent approach at Union level. The decision on the comple teness of the file was taken on 26 January 2021 . ASSESSMENT General reasoning of the Board regarding the submitte d draft accreditation requirements

### ¶2

All accreditation requirements submitted to the Board for an opinion must fully address article 41 (2) GDPR criteria and should be in line with the eight areas outlined by the Board in the accreditation section of the Guidelines (section 12, pages 21 - 25). The Board opinion aims at ensuring consistency and a correct application of article 41 (2) GDPR as regards the presented draft.

### ¶3

This means that, when drafting the requirements for the accreditation of a body for monitoring codes according to articles 41 (3) and 57 (1) (p) GDPR, all the SAs should cover these basic core requirements foreseen in the Guidelines, and the Board may recommend that the SAs amend their drafts accordingly to ensure consistency. Adopted

### ¶4

All codes covering non - public authorities and bodies are required to have accredited monitoring bodies. The GDPR expressly request SAs , t he Board and the Commission to “ encourage the drawing up of codes of conduct intended to contribute to the proper application of the GDPR, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium sized enterprises. ” (article 40 (1 ) GDPR). Therefore , the Board recognises that the requirements need to work for different types of codes, applying to sectors of diverse size, addressing various interests at stake and covering processing activities with different levels of risk.

### ¶5

In some areas , the Board will support the development of harmonised requirements by encouraging the SA to consider the examples provided for clarification purposes.

### ¶6

When this opinion remains silent on a specific requirement, it means that the Board is not asking the HU SA to take further action.

### ¶7

This opinion does not reflect upon items submitted by the HU SA , which are outside the scope of article 41 (2) GDPR, such as references to national legislation. The Board nevertheless notes that national legislation shoul d be in line with the GDPR , where required. Analysis of the HU SA’s accreditation requirements for Code of Conduct ’s monitoring bodies

### ¶8

Taking into account that: a. Article 41 (2) GDPR provides a list of accreditation areas that a monitoring body need to address in order to be accredited ; b. Article 41 (4) GDPR requires that all codes (excluding those covering public authorities per Article 41 (6)) have an accredited monitoring body; and c. Article 57 (1) (p) & (q) GDPR provides that a competent supervisory auth ority must draft and publish the accreditation requirements fo r monitoring bodies and conduct the accreditation of a body for monitoring codes of conduct . the Board is of the opinion that: GENERAL REMARKS

### ¶9

The Board encourages the HU SA to include either in the draft accreditation requirements or in the complementary guidance to the requirements, some examples of the information or documents that applicants have to submit w hen applying for accreditation.

### ¶10

All accreditation requirements submitted to the Board for an opinion must fully address article 41(2) GDPR criteria and should be in line with the eight areas outlined by the Board in the accreditation section of the Guidelines (section 12, pages 21 - 25). The Board ’s opinion aims at ensuring consistency and a correct application of article 41 (2) GDPR as regards the presented draft. This means that, when drafting the requirements for the accreditation of a body for monitoring codes according to articles 41 (3) and 57 (1)(p) GDPR, all the SAs should cover these basic core requirements foreseen in the Guidelines, and the Board may recommend that the SAs amend their drafts accordingly to ensure consistency. Adopted

### ¶11

The Board observes that the draft requirements refer to terms that do not seem equ iv al ent to those inc luded in the Guidelines (section 12, pages 21 - 25). Examples of such terms include the following: to the authorisation instead of accreditation, associations /organisations owning the code of conduct instead of code owners, criteria instead of requirements, subcontractors instead of external staff , competent supervisory authority instead of NAIH . The Board encourages the HU SA to ensure consistency of the relevant terms throughout the draft accreditation requirements.

### ¶12

The Board notes that under section 2 of the draft requirements, there is a reference to the suspension of the accreditation procedure in case of cooperation procedure (GDPR, Article 60 para. 3 and 5) and consistency procedure (GDPR, Article 63 to 66 ). It is not entirely clear from the draft req uirements if this refers to situations where the HU SA investigates a monitoring body that applied for accreditation and there may be a cross - border matter. The Board encourages the HU SA to clarify at this point the connection of the accreditation procedu re of a monitoring body with the cooperation and consistency procedures.

### ¶13

The Board observes, under section 2, of the HU SA’s draft requirements that “ an accreditation term will be initially set at three years at which time there would be a review to ensur e that the monitoring body still meets the accreditation criteria” . In addition, the Board notes that the administrative procedure for granting or renewing the accreditation cannot exceed 180 days, as mentioned under section 2 of the requirements. Therefor e, the Board understands that a monitoring body that wishes to renew the accreditation, should submit its application at least 180 days before the expiration of the accreditation term. In order to ensure clarity, the Board encourages the HU SA to provide t ransparent information on what happens after the expiry of the validity of the accreditation and what the procedure will be .

### ¶14

Moreover, with regards to the list indicating which monitoring body is responsible for which code members, as mentioned under sectio n 3 of the draft requirements, the Board encourages the HU SA, at the stage of application, to refer to the criteria to distribute their competences instead, since the list of code members may not be fully completed at this stage.

### ¶15

The Board observes that section 3 of HU SA’s draft accreditation requirements establish es that, when more than one monitoring body is seeking accreditation “ the applicant must describe the competence and responsibility of the monitoring body seeking accreditation in the app lication”. The Board welcomes such inclusion but notes that the essential elements of the monitoring body’s function should in any case be included in the code itself . To this purpose, the Board recommends that the HU SA clarify in its draft requirements t hat the core elements of the monitoring body’s function will to be included in the code of conduct. INDEPENDENCE

### ¶16

With regard to the accountability of the monitoring body, the Board notes that the monitoring body should be able to demonstrate “accountabili ty” for its decisions and actions in order to be considered independent. The Board considers that the accountability requirements in section 5 of the HU SA’s draft accreditation requirements do not fully cover all the elements that should be taken into acc ount. The HU SA should clarify what kind of evidence is expected from the monitoring body, in order to demonstrate accountability. This could be accomplished through such things as setting out roles and decision - making framework and its reporting procedure s, and by setting up policies to increase awareness among the staff about the governance structures and the procedures in place. Thus, the Board recommends the HU SA to strengthen the requirements for accountability, to allow for a better Adopted understanding of its content in relation to the independence of the monitoring body, and offer examples of the kind of evidence that the monitoring bodies can provide.

### ¶17

With regard to section 5, paragraph 3 of the draft accreditation requirements, the Board takes note of a ll the elements demonstrating the monitoring body’s independence with respect to its organisational structure. Among others, it is stated that the monitoring body must not be penalised for the performance of its tasks. The Board considers that it should be further clarified that the monitoring body assumes responsibility for its activities, and it cannot be penalised by neither the code owner not the code members. Therefore, the Board encourages the HU SA to redraft this part of the requirements so that the monitoring body is protected against any dismissal or sanction, direct or indirect, for the performance of its duties.

### ¶18

With regard to section 5.1 of the draft requirements, the Board observes that the reference to organisational independence of the monito ring body is not entirely complete. The Board notes that monitoring bodies should have the human and technical resources necessary for the effective performance of their tasks. Monitoring bodies should be composed of an adequate number of personnel so that they are able to fully carry out the monitoring functions, reflecting the sector concerned and the risks of the processing activities addressed by the code of conduct. Personnel of the monitoring body shall be responsible and shall retain authority for th eir decisions regarding the monitoring activities. These organisational aspects could be demonstrated through the procedure to appoint the monitoring body personnel, the remuneration of the said personnel, as well as the duration of the personnel’s mandate , contract or other formal agreement with the monitoring body . Therefore, the Board recommends the HU SA to provide suitable requirements for organisational aspects of the independence of the monitoring body and add the above - mentioned references regarding the independence of the monitoring body in performing its tasks and exercising its powers, in accordance with the Guidelines.

### ¶19

With regard to section 5.1 and the examples provided to demonstrate the organisational independence of the monitoring body, the Board encourages the HU SA to clarify under the last example provided regarding the documents providing evidence of the business, financial, contractual or other relations between the monitoring body and the association/organisation submitting the code tha t this applies also code owners and not only to organisations submitting the code.

### ¶20

With respect to section 5.1 of the draft requirements, the Board notes that the HU SA refers to the fact that the internal monitoring body reports directly to its highest management level. The Board recommends the HU SA to amend this requirement in order to reflect the requirement, as provided in the Guidelines, that the internal monitoring body has separate management from other areas of the organisation. 2

### ¶21

Regarding section 5.2 on the financial independence of the monitoring body, the Board notes that the boundary conditions , which determine the concrete requirements for financial independence and s ufficient sources , are not been addressed. Such conditions include the size and complexity of the code members (as monitored entities), the nature and scope of their activities (as the subject of the code) 2 EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, version 2.0, 4 June 2019, paragraph 65, at https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201901_v2.0_codesofconduct_en.pdf Adopted and the risk(s) associated with the processing ope ration(s). Therefore, the Board encourages the HU SA to add the conditions, as above - mentioned to the relevant section of the requirements.

### ¶22

Moreover, with regard to section 5.3 “independence of personnel”, the Board observes that the draft accreditation r equirements refer to “ appropriate human, technical and logistical resources to effectively perform its monitoring tasks” . The Board encourages HU SA to redraft the relevant part of the requirements by add ing a reference to “sufficient number of sufficientl y qualified personnel” and including a reference to technical resources necessary for the effective performance of the monitoring body’s tasks.

### ¶23

The Board takes note of the provision under section 5.3 “ resources shall enable the monitoring body to perform its monitoring functions in a fully autonomous, independent and impartial manner” . However, the Guidelines provide further details on this, stating that the resources should be proportionate to the expected number and size of code members, as well as the complexity or degree or risk of the relevant data processing. Thus, the Board encourages the HU SA to redraft this requirement in line with the Guidelines.

### ¶24

In addition, un der the same section of the draft accreditation requirements, the Board notes that “ the monitoring body must be responsible for its own personnel within the scope of its tasks and must be entitled to take decisions on its own responsibility and without instructions ”. The Board encourages the HU SA to clarify this paragraph by adding that such instructions should not be taken by the code owners and members within the scope of the code at stake, so to reflect the meaning of the Guidelines.

### ¶25

With regard to section 5.4 “independence of decision - making process”, the Board encourages the HU SA t o add under this paragraph that the monitoring body shall act independently in its choices and application of sanctions against a controller or processor adhering to the code, so to reflect the meaning of the Guidelines ( paragraphs 67, p. 22) . CONFLICT OF INTEREST

### ¶26

The Board observes that there is no reference to internal monitoring bodies, which should be appropriately protected from any sort of sanctions or interference by the code owner, other relevant bodies, or members of the code, as a consequence of the fulfilment of its tasks (paragraph 68, page 23 of the Guidelin es). The Board encourages the HU SA to provide examples that include internal monitoring bodies.

### ¶27

As regard to section 9.1 of the accreditation requirements, the Board encourages the HU SA t o clearly state that in order to avoid conflict of interest, the monitoring body must, in particular, be free of external (direct or indirect) influence and, therefore, it shall not seek nor take any instructions from any person or organisation .

### ¶28

Moreover, the Board recommends the HU SA to clarify under this section 9.1 that the monitoring body should have its own staff chosen by them or other body independent of the code and that the staff at stake should be subject to the exclusive direction of those bodi es only.

### ¶29

The Board observes that the requirements under 9.1 of the HU SA accreditation requirements only addresses the situations in which there is a conflict of interest related to the personnel of the monitoring body. The accreditation requirements shou ld also reflect other scenarios where there Adopted might be conflicts of interest of the monitoring body itself, for example, due do its activities, relationships, organisation or procedures. Thus, the Board recommends the HU SA to amend the draft accreditation r equirements to reflect that the conflict of interests shall be avoided also in relation to the monitoring body itself, and not only with regard to its staff.

### ¶30

Under section 9.1 of HU SA accreditation requirements, there is a reference to the process that th e monitoring body shall have in order to avoid and managing conflicts of interest. The Board considers that the measures and procedures in place aiming at preventing conflicts of interest should ensure that the monitoring body shall refrain from any action incompatible with its tasks and duties. Therefore, the Board recommends that the HU SA includes in the accreditation requirements that the procedures and measures in place to avoid conflict of interest ensure that the monitoring body shall refrain from any action incompatible with its tasks and duties.

### ¶31

The Board encourages the HU SA to add more examples to section 8 on how the monitoring body can demonstrate the mit igation of conflict of interest as well as to include relevant documents to demonstrate how the conflict of interest will be mitigated, such as internal procedure and templates to report a conflict. EXPERTISE

### ¶32

The Board observes that the in the accreditation requirements the HU SA makes distinction between legal and technical pe rsonnel. T he Board encourages the HU SA to clarify that the technical requirements of the personnel will depend on whether this is necessary for the code at stake or not. ESTABLISHED PROCEDURES AND STRUCTURES

### ¶33

The Board observes that the HU SA refers, under section 7, of the requirements to the criteria to be taken into account for the assessment of the established procedures to monitor compliance of the code members with the code and for the periodic review of the operations of the code respectively. H owever, the Board notes that the complexity and the risks refer to the code concerned and the data processing activities to which the code applies, are not part of such criteria. Therefore, the Board encourages the HU SA to amend this section so to include the complexity and the risks refer to the code at stake and the data processing activities to which the code applies .

### ¶34

The Board notes that the HU SA makes reference under section 7.2 to the way that the inspections are conducted. The Board encourages the HU SA to redraft this requirement, to make clear that the inspections will be carried out in an independent manner.

### ¶35

In addition to the above, the Board encourages the HU SA to provide equal information in the requirements regarding all the different contro l methods it deploys (i.e. self - assessment, audits, inspections, questionnaires and regular reporting).

### ¶36

The Board observes, that section 7.2, para 5 of the HU SA ’s draft accreditation requirements, refers to verification requirement without specifying whe ther it is verification of applications to become code member or verification of compliance of the code members. Therefore the Board encourages the HU SA to redraft the text in order to follow the structure of this section. Adopted TRANSPARENT COMPLAINT HANDLIN G

### ¶37

The Board takes note of the reference under 8.1 , third para “ The monitoring body shall demonstrate it has implemented an adequate framework of procedures and structures to receive, investigate and decide on complaints. Such procedures shall be transparen t, easily understood and easily accessible to the public as well as adequately resourced so as to ensure effective handling of complaints. ” The Board encourages the HU SA to further clarify this requirement so to make sure that it reflects the obligation t o make publicly available decisions or information thereof . COMMUNICATION WITH THE HU SA

### ¶38

Under section 7.5 of the requirements the HU SA refer to the information that will provide to the HU SA. The Board is of the opinion that the requirements need to address such areas as: actions taken in cases of infringement of the code and the reasons for taking them (article 41 (4) GDPR), periodic reports, reviews or audit findings. The code itself will also outline the communication requirements with the CSA, inc luding appropriate ad hoc and regular reports. In the case of serious infringements of the code by code members, which result in serious actions such as suspension or exclusion from the code, the competent SA should be informed without delay . Therefore, th e Board encourages the SA to amend this requirement accordingly.

### ¶39

The Board observes that the HU SA in its requirements refer to “ changes materially affect the monitoring activities of the monitoring bodies ”. The Board is of the opinion that the appropriat e word in this context is “substantial change” instead of “material”. The Board is of the opinion that “substantial change” covers any change that impacts the monitoring body’s ability to perform its function independently and effectively. The Board recomm ends that the HU SA address the reporting of any substantial change to the HU SA in the accreditation requirements.

### ¶40

The Board encourages the HU SA to consider the following practical examples of requirements:  A monitoring body shall set out report mechani sms.  A monitoring body shall inform the competent SA, without undue delay, of any substantial change to the monitoring body (particularly related to structure or organisation), which is likely to call into question its independence, expertise and the absen ce of any conflict of interests or to adversely affect its full operation.

### ¶41

The Board notices that sections 7.5 “Providing regular and event - relevant information about monitoring body activity to the supervisory authority” and section 8.3 “Communication wi th the supervisory authority regarding complaints” overlap. Therefore, the Board encourages that the HU SA merges these two section into one. REVIEW MECHANISMS

### ¶42

In the HU SA’s draft accreditation requirements, section 7.4 refers to confidentiality. In particular, under this section it is stated that “ the monitoring body is entitled to disclose confidential information to the NAIH in order to help carrying out its supervisory authorities” . This last sentence seems to limit the duty of the monitoring body to cooperate with the HU SA. Therefore, the Board recommends that that this sentence is modified to reflect that the monitoring body is compelled to disclose all information to the HU SA. Adopted

### ¶43

The Board notices that under section 7.3 of the requirements, the HU SA makes reference to the review of the code. The Board recommends that the HU SA amend this requirement so to include that the new technological developments which may have an impact upon data processing carried out or the provisions of the code should be also taken into account for the review of the code. The Board notes that under section 7.3 of the requirements there is no reference to the fact that the updating of the code of conduct is the responsibility of the code owner. The Board is of the opin ion that, in order to avoid confusion, a reference to the code owner should be made. Therefore, the Board encourages the HU SA to amend this section accordingly so to include such reference to the code owner. LEGAL STATUS

### ¶44

The Board observes that under se ction 4 regarding the legal status, the obligation of Article 41(4) of the GDRP together with the section 12.8 of the G uidelines is not reflected in the draft requirements. Therefore, the Board recommends that this section is modified in order to include t hat the monitoring body and its related governance structures need to be created in a manner that the code owners can demonstrate that the monitoring body has the appropriate standing to carry out its role under Article 41(4) of the GDPR.

### ¶45

The Board notes that under section 4 of the draft accreditation requirements, “the monitoring body must be a legal entity with a registered office, of if a natural person, have their headquarters or domicile, to exercise the professional activity as monito ring body in the European Economic Area”. The Board encourages the HU SA to clarify under this section, that not only the natural persons, but also legal entities must have their headquarters in the European Economic Area to exercise a professional activit y as monitoring bodies.

### ¶46

The Board observes that the HU SA’s draft accreditation requirements mention under section 4 that natural persons can be accredited as a monitoring body. The Board encourages the HU SA to provide additional requirements in order to demonstrate the availability of adequate resources for the specific duties and responsibilities, as we all as the full operation of the monitoring mechanism over time. Examples and scenarios to consider include: in the case of resignation or temporary ina bility of the person concerned.

### ¶47

The Board recommends that the HU SA require that the monitoring body should have access to adequate financial and other resource requirements to fulfil its monitoring responsibilities, especially for the accreditation of a natural person.

### ¶48

In addition, the Board considers that the existence of sufficient financial and other resources should be accompanied with the necessary procedures to ensure the functioning of the code over time. Thereby, the Board encourages that the HU SA amend the relevant section of the draft accreditation requirements adding the above mentioned reference to “procedures” in addition to the “financial and other resources”.

### ¶49

Moreover, the code of conduct itself will need to demonstrate that the operation of the code’s monitoring mechanism is sustainable over time, covering worst - case scenarios, such as the monitoring body being unable to perform the monitoring function. In this regard, it would be advisable to require that the monitoring body demonstrates that it can deliver the code of conduct’s monitoring Adopted mechanism over a suitable period of time. Therefore, the Board recommends HU SA to explicitly require that monitoring bodies demonstrate continuity of the monitoring function over time.

### ¶50

The Board observ es that under section 4 “ if the monitoring body is a natural person then it must prove that it has the necessary human resources and, in the event of unforeseen event leading to a sudden, temporary or permanent loss of the monitoring body, the monitoring a ctivities may continue uninterrupted ” . The Board encourages the HU SA to clarify that this requirement does not apply only to natural persons, but that it becomes even more essential when the monitoring body is natural person.

### ¶51

In addition, for purposes of clear and consistent structure of the draft requirements, the Board encourages the HU SA to move the third paragraph of section 4 “ If the monitoring body is a natural person than it must prove that it has the necessary human resources and, in the event of an unforeseen event leading to a sudden, temporary or permanent loss of the monitoring body, the monitoring activities may continue uninterrupted to section 5.3 “independence of personnel” of the draft accreditation requirements.

### ¶52

The Board notes that the HU SA’s requirements allow for the use of subcontractors. However the Board is of the opinion that the monitoring body should be the ultimate responsible for all decisions taken regarding its monitoring function. Therefore, the Board encourages the HU SA to specify that, notwithstanding the subcontractors’ responsibility and obligations, the monitoring body is always the ultimate responsible for the decision - making and for compliance . CONCLUSIONS / RECOMM ENDATIONS

### ¶53

The draft accreditation requirements of the HU Supervisory Authority may lead to an inconsistent application of the accreditation of monitoring bodies and the following changes need to be made:

### ¶54

Regarding general remarks the Board recommends that the HU SA: 1. amend their draft requirements to make sure that the latter are consistent with the eight areas outlined by the Board in the accreditation section of the Guidelines 1/2019 on codes of conduct and monitoring bodies under the GDPR .

### ¶55

Regarding independence the Board recommends that the HU SA: 1. strengthen the requirements for accountability under section 5 of the draft requirements , to allow for a better understanding of its content in relation to independence of the monitoring body, and offer examples of the kind of evidence that the monitoring body can provide. 2. provide, under section 5.1 of the draft requirements, suitable requirements for organisational aspects of the independence of the monitoring body and add references, as mentioned un der para . 18 of this opinion, regarding the independence of the monitoring body in performing its tasks and exercising its powers, in accordance with the Guidelines. 3. amend this requirement so to clarify that the internal monitoring body has separate man agement of other areas of the organisation. Adopted 4. clarify in its draft requirements that the core elements of the monitoring body need to be included in the code itself .

### ¶56

Regarding conflict of interest the Board recommends that the HU SA : 1. clarify under section 9.1 that the monitoring body should have its own staff chosen by them or other body independent of the code and that the staff at stake should be subject to the exclusive direction of those bodies. 2. amend its draft accreditation requireme nts to reflect that the conflict of interests shall be avoided also in relation to the monitoring body itself, and not only with regard to its staff. 3. include in the accreditation requirements that the procedures and measures in place to avoid conflict o f interest ensure that the monitoring body shall refrain from any action incompatible with its tasks and duties.

### ¶57

Regarding communication with the HU SA the Board recommends that the HU SA: 1. address the reporting of any substantial change to the HU SA in the accreditation requirements.

### ¶58

Regarding review mechanisms the Board recommends that the HU SA: 1. modify the sentence “ the monitoring body is entitled to disclose confidential information to the NA IH in order to help carrying out its supervisory authorities” so to reflect that the monitoring body is compelled to disclose all information to the HU SA. 2. amend the requirement provide under section 7.3 to include that the new technological development s which may have an impact upon data processing carried out or the provisions of the code should be also taken into account for the review of the code.

### ¶59

Regarding legal status the Board recommends that the HU SA: 1. modify section 4 in order to include tha t the monitoring body and its related governance structures need to be created in a manner that the code owners can demonstrate that the monitoring body has the appropriate standing to carry out its role under Article 41(4) of the GDPR. 2. include in the draft requirements the fact that the monitoring body should have access to adequate financial and other resource requirements to fulfil its monitoring body responsibilities, especially for the accreditation of a natural person. 3. explicitly require that monitoring bodies demonstrate continuity of the monitoring function over time. FINAL REMARKS

### ¶60

This opinion is addressed to the Hungarian Supervisory A uthority and will be made public pursuant to Article 64 ( 5 (b) GDPR.

### ¶61

According to Article 64 (7) and (8) GDPR, the HU SA shall communicate to the Chair by electronic means within two weeks after receiving the opinion, whether it will amend or maintain its draft decision. Within the same period, it shall provide the amended draft decision or where it does not intend to Adopted follow the opinion of the Board, it shall provide the relevant grounds for which it does not intend to follow this opinion, in whole or in part. 62. The HU SA shall communicate the final decision to the Board for inclusion in the register of decisions, which have been subject to the consistency mechanism, in accordance with article 70 (1) (y) GDPR. For the European Data Protection Board The Chair (Andrea Jelinek)

---
Generated by overview.legal · https://overview.legal/posts/126045 · 2026-07-17
