# Opinion 3/2020 on the France data protection supervisory authority draft accreditation requirements for a code of conduct monitoring body pursuant to article 41 GDPR

- Type: Guidance
- Source: EDPB
- Identifier: opinion-32020-on-the-france-data-protection-supervisory-en
- Date: 2020-01-28
- Original: https://www.edpb.europa.eu/documents/opinion-of-the-board-art-64/opinion-32020-on-the-france-data-protection-supervisory_en
- Canonical: https://overview.legal/posts/126194
- Topics: Notified Body Reporting and Notification Obligations, Scientific Panel Independence, Transparency Reporting Obligations Overview, Codes of Practice Compliance and Monitoring, Accountability, Security, Representatives, Codes of Conduct, Risk Management System, Compliance Independence

## Summary

Adopted Opinion 3 / 2020 on the F rance data protection supervisory authority draft accreditation requirements for a code of conduct monitoring body pursuant to article 41 GDPR Adopted on 28 January 2020 2 Adopted 3 Adopted The European Data Protection Board Having regard to Article 63, Article 64 (1)(c), (3) - (8) and Article 41 (3) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of…

## Sections (55)

### ¶0

28 January 2020 2 Adopted 3 Adopted The European Data Protection Board Having regard to Article 63, Article 64 (1)(c), (3) - (8) and Article 41 (3) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”), Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018,

### ¶1

Having regard to Article 10 and Article 22 of its Rules of Procedure of 25 May 2018, as last modified and adopted on 10 September 2019 Whereas: (1) The main role of the European Data Protection Board (hereinafter “ the Board ” ) is to ensure the consistent application of the GDPR when a supervisory authority ( hereinafter “ SA ” ) intends to approve the requirements for accreditation of a code of conduct (he reinafter “code”) monitoring body pursuant to article 41 GDPR . The aim of this opinion is therefore to contribute to a harmonised approach with regard to the suggested requirements that a data protection supervisory authority shall draft and that apply dur ing the accreditation of a code monitoring body by the competent supervisory authority. Even though the GDPR does not directly impose a single set of requirements for accreditation, it does promote consistency. The Board seeks to achieve this objective in its opinion by: firstly, requesting competent SAs to draft their requirements for accreditation of monitoring bodies based on article 41(2) GDPR and on the Board’s “Guidelines 1/2019 on Codes of Conduct and Monitoring bodies under Regulation 2016/679” (he reinafter the “Guidelines”) , using the eight requirements as outlined in the guidelines’ accreditation section (section 12); secondly, to provide written guidance explaining the accreditation requirements; and , finally , requesting them to adopt these requ irements in line with this opinion , so as to achieve an harmonised approach. (2) With reference to article 41 GDPR, the competent supervisory authorities shall adopt requirements for accreditation of monitoring bodies of approved codes. They shall, howeve r, apply the consistency mechanism in order to allow the setting of suitable requirements ensuring that monitoring bodies carry out the monitoring of compliance with codes in a competent, consistent and independent manner, thereby facilitating the proper i mplementation of codes across the Union and, as a result, contributing to the proper application of the GDPR. (3) In order for a code covering non - public authorities and bodies to be approved, a monitoring body (or bodies) must be identified as part of the code and accredited by the competent SA as being capable of effectively monitoring the code. The GDPR does no t define the term ‘accreditation’. However, article 41 (2) of the GDPR outlines general requirements for the accreditation of the monitoring body. There are a number of requirements , which should be met in order to satisfy the competent supervisory authori ty to accredit a monitoring body. Code owners are required to explain and demonstrate how 1 References to the “Union” made throughout this opinion should be understood as references to “EEA”. 4 Adopted their proposed monitoring body meets the requirements set out in article 41 (2) to obtain accreditation. (4) While the requirements for accreditation of monitoring b odies are subject to the consistency mechanism, the development of the accreditation requirements foreseen in the Guidelines should take into consideration the code’s sector or specificities. Competent supervisory authorities have discretion with regard to the scope and specificities of each code, and should take into account their relevant legislation. The aim of the Board’s opinion is therefore to avoid significant inconsistencies that may affect the performance of monitoring bodies and consequently the r eputation of GDPR codes of conduct and their monitoring bodies. (5) In this respect, the Guidelines adopted by the Board will serve as a guiding thread in the context of the consistency mechanism. Notably, in the Guidelines, the Board has clarified that ev en though the accreditation of a monitoring body applies only for a specific code, a monitoring body may be accredited for more than one code, provided it satisfies the requirements for accreditation for each code . (6) The opinion of the Board shall be ad opted pursuant to article 64 (3) GDPR in conjunction with article 10 (2) of the EDPB Rules of Procedure within eight weeks from the first working day after the Chair and the competent supervisory authority have decide d that the file is complete. Upon decis ion of the Chair, this period may be extended by a further six weeks taking into account the complexity of the subject matter. HAS ADOPTED THE FOLLOWING OPINION: SUMMARY OF THE FACTS 1 The France Supervisory Authority ( hereinafter “ FR SA ” ) has submitted it s draft decision containing the accreditation requirements for a code of conduct monitoring body to the Board , requesting its opinion pursuant to article 64 (1)(c) , for a consistent approach at Union lev el. The decision on the complet eness of the file was taken on 25 th October 2019.

### ¶2

In compliance with article 10 (2) of the Board Rules of Procedure, due to the complexity of the matter at hand, the Chair decided to extend the initial adoption period of eight weeks by a further six weeks . ASSESSMENT General reasoning of the Board regarding the submitted draft accreditation requirements

### ¶3

All accreditation requirements submitted to the Board for an opinion must fully address article 41(2) GDPR criteria and should be in line with the eight areas outlined by the Board in the accreditation section of the Guidelines (section 12, pages 21 - 25). The Board opinion aims at ensuring consistency and a correct application of article 41 (2) GDPR as regards the presented draft.

### ¶4

This means that, when drafting the requirements for the accreditation of a body for monitoring codes according to articles 41 (3) and 57 (1)(p) GDPR, all the SAs should cover these basic core requirements

### ¶5

Adopted foreseen in the Guidelines, and the Board may reco mmend that the SAs amend their drafts accordingly to ensure consistency. 5 All codes covering non - public authorities and bodies are required to have accredited monitoring bodies. The GDPR expressly request SAs , the Board and the Commission to ‘encourage the drawing up of codes of conduct intended to contribute to the proper application of the GDPR, taking into account the specific features of the various processing sectors and the specific needs of micro, sma ll and medium sized enterprises’ (article 40 (1) GDPR). Therefore , the Board recognises that the requirements need to work for different types of codes, applying to sectors of diverse size, addressing various interests at stake and covering processing activities with different levels of risk.

### ¶6

In some are as , the Board will support the development of harmonised requirements by encouraging the SA to consider the examples provided for clarification purposes.

### ¶7

When this opinion remains silent on a specific requirement, it means that the Board is not asking the FR SA to take further action.

### ¶8

The Board notes that the document submitted by FR SA contains not only the accreditation requirements, but also explanatory notes, which include general and specific explanations about the FR SA’s approach to accreditation r equirements.

### ¶9

This opinion does not reflect upon items submitted by the FR SA, which are outside the scope of article 41 (2) GDPR, such as references to national legislation. The Board nevertheless notes that national legislation should be in line with the GDPR , where required. Analysis of the FR accreditation requirements for Code of Conduct’s monitoring bodies

### ¶10

Taking into account that: a. Article 41 (2) GDPR provides a list of accreditation areas that a monitoring body need to address in order to be accredited ; b. Article 41 (4) GDPR requires that all codes (excluding those covering public authorities per Article 41 (6)) have an accredited monitoring body; and c. Article 57 (1) (p) & (q) GDPR provides that a competent supervisory authority must draft and pu blish the accreditation requirements fo r monitoring bodies and conduct the accreditation of a body for monitoring codes of conduct , t he Board is of the opinion that: GENERAL REMARKS

### ¶11

The Board notes that the draft accreditation requirements do not completely follow the structure set out in Section 12 of the Guidelines. In order to facilitate the assessment and standardise the requirements, the Board recommen ds the FR SA to follow the structure of the Guidelines in the draft decision .

### ¶12

The Board observes that the draft requirements refer repeatedly to the auditing activities of the monitoring body and other related terms, such as “auditors” and “audit mission” (e.g. sections 1.1, 6 Adopted 3.2, 4, 5, 8 and 9). The Board is of the opinion that the moni toring activities are not limited to audit, since they can be performed in different ways. On the same line, the staff of the monitoring body will not necessarily be auditors, due to the different kind of tasks that the monitoring body performs. Therefore, the Board recommends the FR SA to change the references to “audit” and related terms, in order to reflect the broader spectrum of activities that can be performed by the monitoring body.

### ¶13

The Board notes that, in page 3 of the draft decision, the FR SA es tablishes that the accreditation term will be initially set at three years, after which there will be a review of the accreditation that might result in the loss of the accreditation. The Board observes that the sentence might be understood as if the revie w of the accreditation requirements only takes place every three years. The Board notes that article 41 GDPR does not refer to the validity of the accreditation of a monitoring body and that there is a margin of manoeuvre for the national SAs. Moreover, th e Board notes that the accreditation requirements should be re - assessed periodically, in order to ensure compliance with the GDPR . Indeed, even if the requirements establish a t ime limit for the accreditation of the MB, this is to be considered without pre judice of the exercise , at any time, of the SA’s supervisory powers with regard to the obligations of the MB . Therefore, for the sake of clarity, the Board encourages the FR S A to clarify that the requirements may be reviewed periodically and to provide t ransparent information on what happens after the expiry of the validity of the accreditation and what the procedure will be.

### ¶14

The Board notes that, in requirement 1.4, the example given as a “supporting element” refers to a “model of service agreement used between monitor ing body and the member of the code o f conduct ” and to a “template of non - disclosure agreement”. The Board highlights that the bind ing nature of the rules of the code of conduct , including those providing for the monitoring mechanism, would result from the adhesion of the code members to the code as well as f ro m their membership of the representative association. Whereas contractual arrangements are not, per se, excluded, the Board is of the opinion that the essential element s of the monitoring body’s function should be included in the code itself. Additional clauses may be added in the form of an agreement or contract between the monitoring body and the code member , as long as they do not entail a variation in the essential e lements of the monitoring body’s function , as set out in the code. Therefore, the Board recommends the FR SA to specify that the core elements of the monitoring body’s function will be included in the code of conduct.

### ¶15

Moreover, the Board observes that, ac cording to requirement 1.4, the documents relating to the performance of the MB’s duties are destroyed “if they are no longer of use after the audit”. This could be misleading, since there might be a need to keep such documents for different reasons after they are no longer of use , such as to meet legal obligations. Therefore, the Board encourages the FR SA to amend the requirement in order to take into account other possible legal obligations or other legitimate reasons requiring to keep the documents afte r they are no longer of use.

### ¶16

The Board notes that requirement 1.5 establishes that the monitoring body “shall ensure when carrying out its missions, that complies with the security measures the code member provides ” . The Boards considers that the reference to “security measures” needs further detail, especially with regard to its relation to data protection. Moreover, the Board highlights that the security measures cannot prevent or restrict the monitoring body from ca rrying out its duties fully . Therefore, the Board encourages the FR SA to clarify the concept of “security measures” in relation to data protection, and to specify that the security measures in place cannot prevent the monitoring body from carrying out its duties. 7 Adopted INDEPENDENCE

### ¶17

With regard to the independence of the monitoring body, requirement 1.3 provides that (underline added) “the monitoring body shall demonstrate that all appropriate human, financial and material resources in proportion with the code of conduct’s scope are used”. In accordance with the Guidelines, the resources of the monitoring body should be proportionate “to the expected number and size of code members, as well as the complexity or degree of risk of the relevant data processing” (pa ragraph 73, page 24 of the Guidelines). Thus, the Board encourages the FR SA to align the text of the requirement 1.3 to the Guidelines by adding the above - mentioned reference.

### ¶18

As for the financial independence of the monitoring body (requirement 2.2), th e Board considers that the requirement would benefit from the addition of more details, in order to make clear that the means by which the monitoring body obtains financial support should not adversely affects its independence , and that it should have the financial stability and resources necessary for the effective performance of its tasks . For instance, the monitoring body would not be considered financially independent if the rules governing its financial support allow a code member, who is under investi gation by the monitoring body, to stop its financial contributions to it, in order to avoid a potential sanction from the monitoring body. The Board encourages the FR SA to define in the draft accreditation requirements what constitutes financial independe nce, and to provide some examples.

### ¶19

Moreover, the Board notes that the requirement does not differentiate between internal and external monitoring bodies. Where the monitoring body is part of the code owner organisation, particular focus must be made on th eir ability to act independently. The Board encourages the FR SA to make such a distinction and to add examples that demonstrate how independence can be achieved in both cases.

### ¶20

Finally, the Board notices that the FR SA refers to functional independence, without further specifying how it can be demonstrated. Thus, the Board encourages the FR SA to define the content of functional independence and to explain how the monitoring body can demonstrate its independence when performing its duties.

### ¶21

The Board observes that the draft accreditation requirements do not contain any reference to the organisational independence of the monitoring body. The Board notes that m onitoring bodies shoul d have the human and technical resources necessary for the effective performance of their tasks. Monitoring bodies should be composed of an adequate number of personnel so that they are able to fully carry out the monitoring functions, reflecting the secto r concerned and the risks of the processing activities addressed by the code of conduct. Personnel of the monitoring body shall be responsible and shall retain authority for their decisions regarding the monitoring activities. These organisational aspects could be demonstrated through the procedure to appoint the monitoring body personnel, the remuneration of the said personnel, as well as the duration of the personnel’s mandate, contract or other formal agreement with the monitoring body . Moreover, the dra ft requirements should clearly state that the monitoring body shall be independent in performing its tasks and exercising its powers (paragraph 67, page 22 of the Guidelines). Therefore, the Board recommends the FR SA to provide suitable requirements for t he organisational aspects of the independence of the monitoring body and add the above - mentioned references regarding the independence of the monitoring body in performing its tasks and exercising its powers , in accordance with the Guidelines

### ¶22

Furthermore , t he Board notes that t he monitoring body should be able to demonstrate “accountability” for its decisions and actions in order to be considered to be independen t. This could 8 Adopted be accomplished through such things as setting out the roles and deci sion - making framework and its reporting procedures , and by setting up policies to increase awareness among the staff about the governance structures and the procedures in place. Therefore, the Board recommends the FR SA to include requirements that suitabl y address the accountability of the monitoring body. CONFLICT OF INTEREST

### ¶23

The Board notes that the requirements regarding conflict of interest (section 3 of the draft accreditation requirements), do not include all the elements of the Guidelines. Specifically, the monitoring body shall remain free from any external influence and , therefore, it shall not seek nor take instructions from any person organisation or association. Moreover, the monitoring body should have its own staff (paragraph 68, page 23 of the Guidelines). The EDPB recommends the FR SA to include the above - mentione d elements, thus aligning the text with the Guidelines.

### ¶24

The Board observes that there is no reference to internal m onitoring bodies, which should be appropriately protected from any sort of sanctions or interference b y the code owner, other relevant bodie s, o r members of the code , as a consequence of the fulfilment of its tasks (paragraph 68, page 23 of the Guidelines). The Board encourages the FR SA to provide examples that include internal monitoring bodies.

### ¶25

Requirement 3.2 of the FR SA accreditation re quirements establishes that the monitoring body shall “ provide a procedure to anticipate and deal with any situation likely to create a conflict of interest. ” The Board considers that the measures and procedures in place aiming at preventing conflicts of i nterest should ensure that the monitoring body shall refrain from any action incompatible with its tasks and duties. Therefore, the Board recommends that the FR SA includes in the accreditation requirements that the procedures and measures in place to avoi d conflict of interest ensure that the monitoring body shall refrain from any action incompatible with its tasks and duties. EXPERTISE

### ¶26

The Board observes that the FR SA’s expe rtise requirements in section 4 refer only to “auditors” and the “audit team” of the monitoring body, without further clarifying the concept . As stated above, the reference to only the auditing activities of the monitoring body does not cover the broader spectrum of the activities it can carry out. Moreover, the FR SA’s expertise requ irements do not differentiate between staff at the ma nagement level and , therefore, in charge of the decision - making process, and staff at the operating level, conducting the monitoring activities. The Board recommends that the FR SA replaces the reference to “auditors” for a more suitable one, such as “ staff carrying out the monitoring activities or making decisions on behalf of the monitoring body”.

### ¶27

Turning to the level of expertise required, t he Board considers that the accreditation requiremen ts need to be transparent and to provide for monitoring bodies seeking accreditation in relation to codes that cover micro, small and medium - sized enterprises’ processing activities (article 40 (1) GDPR).

### ¶28

As required by the Guidelines, every code must ful fil the monitoring mechanism criteria (in section 6.4 of the Guidelines), by demonstrating ‘why their proposals for monitoring are appropriate and operationally feasible’ (paragraph 41, page 17 of the Guidelines). In this context, all codes with monitoring bodies will need to explain the necessary expertise level for their monitoring bodies in order to deliver the code’s monitoring activities effectively. To that end, in order to evaluate the expertise level required by the monitoring body, it should, in ge neral, be tak en into account such factors as: the size of the sector concerned, the different interests involved and the risks of the 9 Adopted processing activities addressed by the code . This would also be important if there are several monitoring bodies, as the c ode will help ensure a uniform application of the expertise requirements for all monitoring bodies covering the same code.

### ¶29

In this regard, the Board considers that requirement 4.1.4 of the FR SA’s accreditation requirements should include all the elements of the Guidelines, and in particular, the expertise in relation to the specific processing activities that are the subject matter of the code, and an in - depth understa nding of data protection issues , in relation to the specific sector of the code . The Board recommends the FR SA to add the above - mentioned references, in line with the Guidelines. Moreover, the Board notes that the example provided as a supporting element refers only to “skills”. The Board encourages the FR SA to redraft the example an d refer to “knowledge and experience”, instead of “skills”.

### ¶30

The Board notes that requirement 4.1.5 refers to a “specific training on data protection”, without providing further details. The Board is of the opinion that such a reference does not provide eno ugh clarity about the expected knowledge in data protection that the monitoring body shall demonstrate. Thus, the Board encourages the FR SA to complete the reference to the data protection training with a reference to an adequate knowledge of data protect ion law, in line with the Guidelines.

### ¶31

Furthermore, t he Board considers that the reference, in requirement 4.2.2, to the two years of professional experience for the legal personnel may curtail the freedom of the code owner to define the specific expertise requirements in the code of conduct (see paragraph 29 above) . The Board encourages the FR SA to include a more general reference that takes into account the different types of codes , such as "a relevant level of experience in the field of data pr otection in accordance with the code itself " . Moreover, the Board encourages the FR SA to take into account the additional expertise requirements that can be defined by the code , by including that reference in the text of the requirements, and to ensure t hat the expertise of each monitoring body is assessed in line with the particular code . Whereby the SA will verify if the monitoring body possess adequate competencies for the specific duties and responsibilities to undertake the effective monitoring of the code. ESTABLISHED PROCEDURES AND STRUCTURES

### ¶32

The Board notes that on requirement 5.4 (section on “requirements relating to the audit process”), the audit procedure plans refer to the assessment for eligibility of controllers and processor s to apply the code and to monitor compliance after adhesion. It also states that the procedure takes every change to the conduct of conduct into account. However, there is no reference to the review of the code’s operation. The Board highlights that the a ccreditation requirements should specifically contain the obligation of the monitoring body to have governance structures to carry out reviews of the code’s operation (paragraph 70, page 23 of the Guidelines). The Board recommends the FR SA include the ref erence to the review of the code’s operation , in line with the Guidelines.

### ¶33

Requirement 5.5 of the FR SA’s accreditation requirements establishes that the criteria to carry out the audit program include “the number of code of conduct members to be monitore d and the geographical scope”. The Board considers that a more comprehensive wording would also in clude the risk associated with the data processing and the received complaints. The Board encourages the FR SA to add the above - mentioned references.

### ¶34

The Bo ard notes that requirement 5.6 of the FR SA’s accreditation requirements state s that “ The audit procedure ensures that each mission is prepared and framed by instructions [...]”. The Board considers that the current wording may lead to confusion as to whet her the monitoring body will conduct the 10 Adopted audit in an independent manner. Moreover, the reference to the “audit mission” in the supporting elements could be misleading, since the monitoring procedure can be shaped in different ways (i.e. random or unannounced audits, annual inspections, regular reporting and the use of questionnaires ) . Therefore, the Board encourages the FR SA to redraft the requirement, to make clear that the audit will be carried out in an independent manner and in diff erent ways.

### ¶35

The Board welcomes the obligation to provide feedback to the audited code member, included in requirements 5.7 and 5.9 However, the Board considers too restrictive to include as a requirement the manner in which the feedback shall be given. Th e Board encourages the FR SA to redraft the requirement and include the manner in which the feedback shall be given as an example. Moreover, the difference between requirement 5.7 and requirement 5.9 is not clear. The Board encourages the FR SA to clarify the difference between the two requirements. TRANSPARENT COMPLAINT HANDLING

### ¶36

Regarding the complaints about code members (requirement 6.3 of the FR SA accreditation requirements), t he Board acknowledges that complaints handling process requirements should be set at a high level and reference reasonable time frames for answering complaints . In this regard, t he Board notes that the FR SA accreditation requirements state , in the supporting elements, that the reasonable timeframe to process complaints should no t exceed three months. The Board considers this time limit too restrictive and difficult to comply with in practice. Thus, t he Board recommends the FR SA to take a more flexible approach, by stating that the monitoring body will have to provide the complai nant with progress reports or the outcome within a reasonable timeframe, such as three months .

### ¶37

The Board notes that requirement 6.2 of the FR SA accreditation requirements states that the complaint handling procedure will be accessible and easily understoo d by all data subjects and the public. The Board acknowledges that this wording is based on the Guidelines . Nonetheless, the Board is of the opinion that, for the sake of clarity, the requirements should specify the meaning of “public” and whether it also includes code members. Therefore, the Board encourages the FR SA to amend requirement 6.2 accordingly.

### ¶38

The Board notes that requirement 6.4 of the FR SA accreditation requirements contains the duty of the monitoring body to keep the record of the processi ng of all complains received readily available to the SA, who may access it at any time. Whereas the Board acknowledges the intention of the FR SA to comply with the transparency principle regarding the complaints handling procedure, the Board considers th at the FR SA accreditation requirements should contain the obligation of the monitoring body to make the decisions, or general information thereof, publicly available, as provided in the Guidelines (paragraph 74, page 24). Therefore, the Board recommends the FR SA to align the text of the accreditation requirements with the Guidelines, in order to ensure that the decisions, or general information thereof, are publicly available. In addition, where the FR SA decides to ensure the transparency of the complaints handling procedure by requiring that the monitoring body publishes summary information about the decisions taken in th is context, the Board recommends that the FR SA specifies the kind of information the monitoring body is obliged to publish. For example, the monitoring body could publish, on a regular basis, statistical data with the result of the monitoring activities, such as the number of complaints received, the type of infringements and the corrective measures issue d . 11 Adopted COMMUNICATING WITH THE FR SA

### ¶39

With regard to the communication with the FR SA about measures taken by the monitoring body, r equirement 7.3 of the FR SA accreditation requirements establishes that the monitoring body will inform the FR SA “ without undue d elay and in writing , as soon as a binding measure is taken against one of code of conduct member”. The Board considers that the monitoring body shall communicate period ically with the SA, and that t he frequency of the communication would depend on several criteria, including the seriousness of the infringement and the measure s taken. However, the Board is of the opinion that the communication to the SA “without undue delay” should be limited to those cases in which the measure taken is very serious , for example, the suspension or exclusion of a code member (as specified in requirements 7.4 and 7.5 of the FR SA accreditation requirements ) . Otherwise, it could be very burdensome for the monitoring body and for the competent SA. Therefore, the Board rec ommends the FR SA to delete the reference to “without undue delay” and adopt a more flexible approach, which allows for periodic communication with the SA, based on several criteria, including the seriousness of the infringement and the measure adopted and to modify accordingly the example in the “supporting elements” cell.

### ¶40

The Board notes that section 9.1 establishes that the monitoring body will ensure that the summaries of all audits carried out are at the disposal of the FR SA. The reference to the aud its does not cover all the range of activities carried out by the monitoring body and the actions taken. Whereas the Board acknowledges that the reference to the “audit” might be due to the translation of the term , the Board recommends the FR SA to amend t he wording in order to make clear that the monitoring body will have, at the disposal of the FR SA, the summaries of all actions taken. CODE REVIEW MECHANISMS

### ¶41

The Board observes that the FR SA’s accreditation requirements do not contain all the necessary elements to ensure that the code remains relevant and continues to contribute to the proper application of the GDPR. The Board notes that it is the role of the code owner to ensure the continued relevance and compliance of the code of conduct with applicable legislation. Whilst t he monitoring body is not responsible to carry out that task, it shall contribute to any review of the code. As a result, the Board reco mmends the FR SA to provide accreditation requirements that make clear that the monitoring body will contribute to any review of the code . LEGAL STATUS

### ¶42

T he code of conduct itself will need to demonstrate that the operation of the code ’s monitoring mechanis m is sustainable over time, covering worst - case scenarios, such as the monitoring body being unable to perform the monitoring function. In this regard , it would be advisable to require that a monitoring body demonstrates that it can deliver the code of co nduct’s monitoring mechanism over a suitable period of time. T he financial, human and material resources to ensure the continuity of the monitoring body should be accompanied with the necessary procedures to ensure the functioning of the monitoring mechani sm over a suitable time. Therefore, the Board recommends FR SA to explicitly require that monitoring bodies shall demonstrate continuity of the monitoring function over time. The Bo a rd also encourages the FR SA to include in the accreditation requirements that, in order to demonstrate the continuity of the monitoring function, the monitoring body should demonstrate that it has sufficient financial and other resources, and the necessar y procedures.

### ¶43

The Board notes that the FR SA’s accreditation requirements allow for the use of subcontractors (Section 8 of the FR SA’s accreditation requirements). However, the requirements do not expressly 12 Adopted state that outsourcing does not lead to a deleg ation of responsibility for the monitoring body, and that the monitoring body remains responsible to the SA for monitoring in all cases. The Board recommends that the FR SA indicates that the monitoring body remains responsible to the SA for monitoring in all cases.

### ¶44

The Board considers that the explanatory for Section 8 is too general and do es not provide additional information that would be helpful to have a better understanding of Section 8 Moreover, it assumes that subcontractors will always be processo rs, whereas that is not the case in all situations. Therefore, the Board encourages the FR SA to add more details to the explanatory note in accordance with the different sections and to modify the wording regarding the role of the subcontractors, in order to avoid misunderstandings. CONCLUSIONS / RECOMMENDATIONS

### ¶45

The draft accreditation requirements of the France Supervisory Authority may lead to an inconsistent application of the accreditation of monitoring bodies and the following changes need to be mad e :

### ¶46

As general remarks, the Board recommends that the FR SA: 1. follows the structure set out in section 12 of the Guidelines . 2. changes the references to “audit” and related terms, in order to reflect the broader spectrum of activities that can be performed by the monitoring body . 3. with regard to the contract referred to in requirement 1.4, specifies that the core elements of the monitoring body’s function will be included in the code of conduct.

### ¶47

Regarding ‘independence’ the Board recommends that the FR SA: 1. provides suitable requirements for the organisational aspects of the independence of the monitoring body and add the above - mentioned references regarding the independence of the monitoring body in performing its tasks and exercising its powers, in accordance with the Guidelines . 2. include s a reference to the accountability of the monitoring body.

### ¶48

Regarding ‘conflict of interest’ the Board recommends that the FR SA: 1. aligns the text with the Guidelines, by including the obligation of the monitoring body to remain free from any external influence and to not seek nor take instructions from any person organisation or association, and that the monitoring body should have its own staff. 2. includes in the accreditation requirements that the procedures and measures in place to avoid conflict of interest ensure that the monitoring body shall refrain from any a ction incompatible with its tasks and duties .

### ¶49

Regarding ‘expertise’ the Board recommends that the FR SA: 1. replaces the reference to “auditors” for a more suitable one, such as “personnel carrying out the monitoring activities or making decisions on behalf of the monitoring body ” . 13 Adopted 2. aligns the text with the Guidelines, by adding, in requirement 4.1.4, the expertise in relation to the specific processing activities that are the subject matter of the code, and an in - depth understa nding of data protection issues, in relation to the specific sector of the code.

### ¶50

Regarding ‘established procedures and structures’ the Board recommends that the FR SA: 1. include s the reference to the review of the code’s operatio n, in line with the Guidelines .

### ¶51

Regarding ‘transparent compl aint handling’ the Board recommends that the FR SA: 1. take s a more flexible approach, by stating that the monitoring body will have to provide the complainant with progress reports or the outcome within a reasonable timeframe, such as three months . 2. align s t he text of the accreditation requirements with the Guidelines, in order to ensure that the decisions, or general information thereof, are publicly available . 3. specifies the kind of information the monitoring body is obliged to publish in case the FR SA decides to ensure the transparency of the complaints handling procedure by requiring that the monitoring body publishes summary information about the decisions taken in th is context.

### ¶52

Regarding ‘communicating with the FR SA’ the Board recommends t hat the FR SA: 1. delete s the reference to “without undue delay” and adopt s a more flexible approach, which allows for periodic communication with the SA, based on several criteria, including the seriousness of the infringement and the measure adopted and mod ifies accordingly the example in the “supporting elements” cell. 2. amends the requirement in order to include a summary of all the actions taken by the monitoring body, which should be at the disposal of the FR SA.

### ¶53

Regarding ‘code review mechanisms’ the Boar d recommends that the FR SA: 1. provide s accreditation requirements that make clear that the monitoring body will contribute to any review of the code.

### ¶54

Regarding ‘legal status’ the Board recommends that the FR SA: 1. explicitly require s that monitoring bodies sh all demonstrate continuity of the monitoring function over time . 2. indicates that the monitoring body remains responsible to the SA for monitoring in all cases. FINAL REMARKS 3 This opinion is addressed to the France supervisory authority and will be made public pursuant to Article 64 ( 5)(b) GDPR. 4 According to Article 64 (7) and (8) GDPR, the supervisory authority shall communicate to the Chair by electronic means within two weeks after receiving the opinion, whether it will amend or maintain its 14 Adopted draft deci sion. Within the same period, it shall provide the amended draft decision or where it does not intend to follow the opinion of the Board, it shall provide the relevant grounds for which it does not intend to follow this opinion, in whole or in part. The su pervisory authority shall communicate the final decision to the Board for inclusion in the register of decisions which have been subject to the consistency mechanism, in accordance with article 70 (1) (y) GDPR. For the European Data Protection Board The Chair (Andrea Jelinek)

---
Generated by overview.legal · https://overview.legal/posts/126194 · 2026-07-17
