Opinion 9/2019 on the Austrian data protection supervisory authority draft accreditation requirements for a code of conduct monitoring body pursuant to article 41 GDPR
adopted Opinion 9 /201 9 on the Austrian d ata protection supervisory authority draft accreditation requirements for a code of conduct monitoring body pursuant to a rticle 41 GDPR Adopted on 9 Jul y 201 9 2 adopted Contents 1 Summary of the Facts ................................ ................................ ................................ ..................... 4 2 Assessment ................................ ................................ ................................…
How it connects
Related across sources
Full text 76 sections
41 GDPR Adopted on 9 Jul y 201 9 2 adopted Contents
Summary of the Facts ................................ ................................ ................................ ..................... 4
Assessment ................................ ................................ ................................ ................................ ..... 5
General reasoning of the Board regarding the submitted draft decision ............................... 5
Analysis of the draft decision (composed of the explanatory notes and the ordinance) ....... 6
INDEPENDENCE ................................ ................................ ................................ ................ 6
CONFLICT OF INTEREST ................................ ................................ ................................ .... 8
EXPERTISE ................................ ................................ ................................ ........................ 9
ESTABLISHED PROCEDURES AND STRUCTURES ................................ ............................. 10
TRANSPARENT COMPLAINTS HANDLING ................................ ................................ ...... 10
COMMUNICATION WITH THE COMPETENT SUPERVISORY AUTHORITY ....................... 11
REVIEW MECHANISMS ................................ ................................ ................................ ... 12
LEGA L STATUS ................................ ................................ ................................ ................ 12
Conclusions / Recommendations ................................ ................................ ................................ . 13
Final Remarks ................................ ................................ ................................ ................................ 15 3 adopted The European Data Protection Board Having rega rd to article 63, a rticle 64 (1 )( c ), (3) - (8) and a rticle 4 1 (3 ) of the Regulation 2016/679/EU of the European Parliament and of the Coun cil of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repe aling Directive 95/46/EC (here after “GDPR”), Having regard to the EEA Agreement and in particular to Ann ex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018, Having regard to a rticle 10 and 22 of its Rules of Procedure of 25 May 2018, as amended on 23 November 2018 Whereas: (1) The main role of the European Data Protection Board (here in after the Board ) is to ensure the consistent application o f the GDPR when a supervisory authority (SA) intends to approve the requirements for accreditation of a code of conduct (hereinafter “code”) monito ring body pursuant to a rticle 41 . The aim of this opinion is therefore to c ontribute to a harmonised approach with regard to the suggested requirements that a data protection supervisory authority shall draft and that apply during the accreditation of a co de monitoring body by the competent supervisory authority. Even though the GDPR does not directly impose a single set of requirements for accreditation , it does promote consistency. The Board seeks to achieve this objective in its o pinion by : firstly , requesting competent supervisory authoritie s to draft their requirements for accreditation of monitoring bodies based on the Board’s “Guidelines 1/201 9 on Codes of Conduct and Monitoring bodies under Regulation 2016/679” (hereinafter the “Guideli nes ” ) , us ing the eight requirements as outlined in the guidelines’ accreditation section (section 12); secondly , to provide written guidance explaining the accreditation requirements ; and finally by requesting them to adopt these requirements in line with this opinion so as to achieve an harmonised approach . (2) With reference to a rticle 41 GDPR, the competent supervisory authorities shall adopt requirements for accreditation of monitoring bodies of approved codes . They shall, however, apply the consistency mechanism in order to allow the setting of suitable requirements ensuring that monitoring bodies carry out the monitoring of compliance with codes in a competent, consistent and i ndependent manner, thereby facilitating the proper implementation of codes across the Union and, as a result, contribut ing to the proper application of the GDPR . (3) In order for a code covering non - public authorities and bodies to be approved, a monitorin g body (or bodies), must be identified as part of the code and accredited by the competent supervisory authority as being capable of effectively monitoring the code. The GDPR does not define the term ‘accreditation’. However, a rticle 41 (2) of the GDPR out lines general requirements for the accreditation of the monitoring body. There are a number of requirements which should be met in 4 adopted order to satisfy the competent supervisory authority to accredit a monitoring body. Code owners are required to explain and d emonstrate how their proposed monitoring body mee ts the requirements set out in a rticle 41 (2) to obtain accreditation. (4 ) While the requirements for accreditation of monitoring bodies are subject to the consistency mechanism, the development of the accr editation requirem ents foreseen in the G uidelines should take into consideration the c ode’s sector or specificities . C ompetent supervisory authorities have discretion with regard to the scope and specificities of each c o de , and should take into account their relevant legislation. The aim of the Board’s opinio n is therefore to avoid significant inconsistencies that may affect the performance of monitoring bodies and consequently the reputation of GDPR codes of conduct and the ir monitoring bodies . (5 ) In this respect, the Guidelines adopted by t he Board will serve as a guiding thread in the context of the consistency mechanism. Notably, in the Guidelines , the Board has clarified that even though the accreditation of a monitorin g body applies only for a specific code, a monitoring body may be accredited for more than one code, provided it satisfies the requirements for accreditation for each code . (6 ) The opinion of the Board shall be adopted pursuant to a rticle 6 4 (3) GDPR in conjunction with a rticle 10 (2) of the EDPB Rules of Procedure within eight weeks from the first working day after the Chair and the competent supervisory authority have decide d that the file is complete . Upon decision of the Chair , this period may be extended by a further six weeks taking into account the complexity of the subject matter. HAS ADOPTED THE OPINION: 1 SUMMARY OF THE FACTS 1 The Austrian S upervisory A uthority ( AT SA) has submitted its draft de cision containing the accreditation requirements for a code of conduct monitoring body to the Board via the IMI system requesting an opin ion from the Board pursuant to a rticle 64 (1)( c) for a consistent approach at Union level . The decision on the completeness of the file was taken on 9 th of April 2019 . 2 The draft accreditation requirements of code monitoring bodies were provided by the AT SA in an English version although they were originally drafted in German. The Board hereby gives its opinion o n the English version of the draft accreditation requirements recommending the A T SA to amend and align both versions in accordance with the present opinion . 5 adopted 3 In compliance with a rticle 10 (2) of the Board Rules of Procedure 1 , due to the complexity of the matter at hand, the Chair decided to extend the initial adoption period of eigh t weeks by a further six weeks, until the 16th of July 2019 . 2 ASSESSMENT 2.1 General reasoning of the B oard regarding the submitted draft decision 4 All accreditation requirements submitted to the Board for an opinion must fully address a rticle 41(2) GDPR criteria and be in line with the eight areas outlined by the Board in the accreditation section of the Guidelines (section 12, pages 21 - 25) . The Board opinion aims at ensuring consistenc y and a correct application of a rticle 41 (2) GDPR as regards the presented draft .
This means that, when drafting the requirements for the accreditation of a body for monitoring codes according to a rticles 41 (3) and 57 (1 )( p) GDPR , all the SAs will cover these basic cor e requirements foreseen in the G uidelines, and the Board will recommend that the SAs amend their drafts accordingly to ensure consistency.
All c ode s covering non - public authorities and bodies are required to have accredi ted monitoring bodies . The GDPR expressly request supervisory authorities, the Board and the Commission to ‘ encourage the drawing up of codes of conduct intended to contribute to the proper application of the GDPR, taking account of the specific features o f the various processing sectors and t he specific needs of micro, small a nd medium sized enterprises.’ (a rticle 40 (1) GDPR). Therefore the Board recognis es that the requirements need to work for different types of codes , applying to sectors of diverse si ze, addressing various interests at stake and covering pro cessing activities with different level s of risk .
In some areas the Board will sup port the development of harmonis ed requirements by encouraging the SA to consider the examples provided for illustrative purposes only. Therefore the encouragements and the examples provided in the present opinion do not have to be f ollowed. However, the aim of t hese examples is to help th e AT SA to further develop consistent accreditation requirements in line with the present opinion.
When this opinion remains silent on a specific requirement, it means that the Board is not asking the AT SA to take further action.
The Board notes that the document submitted by A T SA is a draft decision on the accreditation requirements for monitoring bodies consisting of two parts : 1) “Explanatory notes” which contain general and specific explanations. 1 Version 2, as last modified and adopted on 23 November 2018 6 adopted 2 The “Ordinance” which sets out the AT accreditati on requirements.
This opinion does not reflect upon items submitted by the AT SA , which are outside the scope of a rticle 41 (2) GDPR, such as references to national legislation. The Board nevertheless notes that national legislation should be in line with the GDPR where required. 2.2 Analysis of the draft decision (composed of the explanatory notes and the ordinance)
Taking into account that : a. Article 57 (1) (p) & (q ) GDPR provides that a competent supervisory authority must draft and publish the accreditation requirements for monitoring bodies and conduct the accreditation ; b. Article 41 (4) GDPR requires that all codes (excluding those covering public authorities per Article 41 (6)) have an accredited monitoring body; and c. Artic le 41 (2 ) GDPR provi des a list of accreditation areas that a monitoring body need to address in order to be accredited , the Board is of the opinion that: 2.2.1 INDEPENDENCE
With regard to section three of the AT SA’s ordinance, the Board highlights that the obligation to provid e evidence as to the i ndependence of a monitoring body falls upon the body a pplying for accreditation (see a rticle 41 (2)(a) GDPR). The Board recommends that this is clarified in the AT SA ’s requirements .
The Board observes that the AT SA’s explanatory notes , ‘general notes’ section concerning the requirements, refer to independence “ in relation to the subject matter of the code ”. The Guidelines provide further information about what this means, i.e. the indepe ndence of the body concerned should be demonstrated in relation to the code members, the profession, industry or sector to which the code applies and the code owner itself. Therefore, the Board recommends that the AT SA re draft this reference in line with the Guidelines .
The Board is of the opinion that independence for a monitoring body should be understood as a series of formal rules and procedures for the appointment, terms of reference and operation of the monitoring body. These rules and procedures wil l allow the monitoring body to perform the monitoring of compliance with a code of conduct in complete autonomy, without being directly or indirectly influenced, nor subject to any form of pressure that might affect its decisions. This means that a monitor ing body should not be in a position to receive any instructions regarding the exercise of its task from code members, the profession, industry or sect or to which the code applies, or from the code owner itself . 7 adopted
Where the monitoring body is part of the cod e owner organisation, particular focus must be made on their ability to act independently. Examples of internal monitoring bodies could include an ad hoc internal committee or a separate department within the organisation of the code owner. Rules and proce dures have to be established to ensure that such a “ committee ” acts autonomously and without any pressure from the code owner or the code members .
The Board notes that the AT SA ’s requirements make no reference to the two main models of monitoring , as identified in the Guidelines . The Board therefore recommends that the AT SA amend the requirements to reflect this flexibility. One option would be to require that an internal monitor ing body provides evidence of additional measures , to ensure that the relationship with the legal entity (of which the monitoring body is part of), do e s not compromise the independence of its monitoring activities .
The Board observes that a specific provis ion of the draft accreditation requirements submitted by AT SA is devoted to the demonstration of independence by the monitoring body (section 3.2 of the AT ordinance). The said provision asks for information on persons authorised to make decisions, showin g that there are no personal ties with the entities to be monitored. In addition, the explanatory note concerning the i ndependence requirements clarifies that the monitoring body shall not be legally, economically, personally or professionally subordinate to or in close relationship with the monitored entities, which could bring into question its judgement or its independence and integrity in its function as a monitoring body .
The Board is of the opinion that the accreditation requirements should qualify wh at constitutes independence and clearly set out the areas where the monitoring body should demonstrate independence . In this regard, the Board recommends that the AT SA further strengthens the independence section in line with the four areas set out below . 1 LEGAL AND DECISION MAKING PROCEDURES
The legal form and arrangement of the monitoring body must shield the monitoring body from undue influence from members of the code or code owner which might affect the monitoring of compliance of a code. For instance, the duration, or expiration of the mandate of the monitoring body should be fixed in such a way as to prevent overdependence on a renewal or fear of losing the appointment, to an extent that adversely affects the independence in carrying out the monitorin g activities by the monitoring body .
The decision making procedure set out by a monitoring body must also preserve its autonomy and independence. For instance, a monitoring body needs to be able to act independently in its choice and application of sanctio ns against a controller or processor adhering to the code . 2 FINANCIAL 21. Monitoring bodies should be provided with the financial stability and resources necessary for the effective performance of their tasks as well as be able to manage their budget independently. The means by which the monitoring body obtains financial support (for example, a fee paid by the 8 adopted members of the code of conduct) should not adversely affect the independence of its task of monitoring compliance of a code .
For instance, the m onitoring body would not be considered to be financially independent if the rules governing its financial support allow a code member , who is under investigation by the monitoring body , to stop its financial contributions to it , in order to avoid a potenti al sanction from the monitoring body . 3 ORGANISATIONAL 23. Monitoring bodies should have the human and technical resources necessary for the effective performance of their tasks. Monitoring bodies should be composed of an adequate number of personnel so that they are able to fully carry out the monitoring functions, reflecting the sector concerned and the risks of the processing activities addressed by the code of conduct. Personnel of the monitoring body shall be responsible and shall retain authority for the ir decisions regarding the monitoring activities. These organisational aspects could be demonstrated through the procedure to appoint the monitoring body personnel, the remuneration of the said personnel, as well as the duration of the personnel’s mandate, contract or other formal agreement with the monitoring body . 4 ACCOUNTABILITY
The monitoring body should be able to demonstrate “accountability” for its decisions and actions in order to be considered to be independent. This could be accomplished through s uch things as setting out the roles and decision making framework and its reporting procedures . 2.2.2 CONFLICT OF INTEREST
The Board observes that the AT SA ’s accreditation requirements do not address conflicts of interest. The Board recommends that the AT SA a dd requirements covering procedures to avoid conflicts of interest. Such procedures are likely to involve a risk based approach and will vary depending on the code. Risks may arise from the activities or the relationships of the monitoring body and of its personnel .
An example of a conflict of interest would be monitoring body personnel investigat ing complaints against the organisation that they work for. In order to avoid any conflict of interest, the personnel would declare their interest and the work wou ld be reallocated .
The Board encourages the AT SA to consider the following practical examples of accreditation requirements : • A monitoring body shall identify situations that are likely to create a conflict of interest (due to its personnel, its organisation, its procedures, etc.) and set up internal rules in order to avoid conflicts of interest. 9 adopted • A monitoring body shall provide a procedure to deal with the effects of situations identified as being likely to create a conflict of interest. • Monitoring body personnel must commit in writing to complying with this requirement and to report any situation likely to create a conflict of in terest and follow the procedures to avoid such conflicts. • A monitoring body sh all identify and eliminate risks to its impartiality on an ongoing basis. Evidence will include its risk management approach and associated procedures . 2.2.3 EXPERTISE
The Board notes that the AT SA’s expertise requirements include: an excellent knowledge of data protection and either a relevant degree (or equivalent qualification), or at least five years of relevant sector experience , which may include a maximum of two years of profes sional activity in an area other than the subject matter of the code (sections 3.4 and 3.5 of the AT ordinance ).
The Board acknowledges that the guidelines set a high bar requiring monitoring bodies to have the following expertise: an in - depth understandin g of data protection issues, knowledge of the specific processing activities in relation to the code and appropriate operational experience and training for monitoring, such as auditing .
The Board considers that the accreditation requ irements need to be tr ansparent. T hey also need to provide for monitoring bodies seeking accreditation in relation to codes that cover micro, small and medium - sized enter prises’ processing activities (a rticle 40 (1) GDPR) .
As required by the Guidelines, every code must fulfil the monitoring mechanism criteria (in section 6.4 of the Guidelines), by demonstrating ‘why their proposals for monitoring are appropriate and operationally feasible’ (paragraph 41, page 17 of the Guide lines). In this context, all codes with monitoring bodies will need to explain the necessary expertise level for their monitoring bodies in order to deliver the code’s monitoring activities effectively. This could include taking into account such factors a s: the size of the sector concerned, the different interests involved and the risks of the processing activities addressed by the code. This is without prejudice to data protection requirements. This would also be important if there are several monitoring bodies, as the code will help ensure a uniform application of the expertise requirements for all monitoring bodies covering the same code .
The Board encourages the AT SA to take into account the additional expertise requirements that can be defined by the code and ensure that the expertise of each monitoring body is assessed in line with the particular code. Whereby the SA will verify if the monitoring body possess adequate competencies for the specific duties and responsibilities to undertake the effective monitoring of the code. 10 adopted 2.2.4 ESTABLISHED PROCEDURES AND STRUCTURES
The Board observes that section 4 of the ordinance is too general. The Board is of the opinion that the procedures to monitor compliance with codes of conduct have to be specific enough to ensure a consistent application of the obligations of code monitoring bodies .
The procedures need to address the complete monitoring process, from the preparation of the evaluation to the conclusion of the audit and additional controls to ensure that appropriate actions are taken to remedy infringements and to prevent repeated offences .
The monitoring bo dy should provide evidence of upfront, ad hoc and regular procedures to monitor the compliance of members within a clear time frame, and check eligibility of members prior to joining the code .
Moreover, monitoring body personnel shall keep confidential all information obtained or created during the performance of the monitoring activities, except as required by law .
The Board encourages the AT SA to consider the following examples of procedures : • A procedure that provides for audit plans, to be carried out over a defined period of time (initial control and recurring controls), based on criteria such as the number of adherents to the code of conduct, the geographical scope, the received complaints, e tc. • A n audit procedure that defines the audit methodology to be applied, i.e. a set of criteria to be assessed (common evaluation grid), the type of audit (self - assessment, off - site or on - site audits, ISO auditing standards), the documentation of the find ings, etc. • A procedure for the investigation, identification and management of infringement to the code that applies, when required, penalties as defined by the code of conduct (a penalty matrix)
The Board recommends that optional requirements regarding mo nitoring procedures are provided in the AT explanatory notes and that mandatory requirements ar e clarified in the AT ordinance.
The Board recommends that the objectives for each required procedure are explicitly defined in the accreditation requirements .
T he Board recommends that the reference to “relevant certificates” - that occurs more than once in the AT draft accreditation requirements - is clarified . 2.2.5 TRANSPARENT COMPLAINTS HANDLING
With regard to the complaints handling procedure, the Board observes that the AT SA accreditation requirements (section 5.3.4 of the AT SA’s ordinance) include the duration of the proceedings, stating that “it should in any event not exceed two months from the date of receipt of the complaint” .
The Board recommends that com plaints handling process requirements should be set at a high level and reference reasonable time frames for answering complaints. An example of a reasonable time 11 adopted period could be that th e complai nant should be notified within three months on the progress or outcom e of the complaint (similar to a rt icle 78 ( 2 ) GDPR). The process should be: documented, independent, effective and transparent, in order to ensure trust in the code. A ccessible complaints procedures should be covered in the code itself . The complaints handling process should be accessible by data subjects and the public.
The Board encourages the AT SA to consider the following practical examples of requirements : • A m onitoring body shall provide evidence of how it will manage complaints procedures and explain time frames. • A monitoring body shall outline a procedure to receive, manage and process complaints. This procedure must be independent and transparent. • The complaints procedure shall be publicly available and easily acce ssible. • The procedure shall ensure that all complaints are processed within a reasonable period of time. • A monitoring body shall maintain a record of all complaints it receives and the actions taken, which the SA can access at any time . 2.2.6 COMMUNICATION WITH THE COMPETENT SUPERVISORY AUTHORITY
The Board notes that the AT SA ’s ordinance, section 6.4 provides for annual reporting by the monitoring body to the Competent Supervisory Authority ( hereinafter the CSA). The Board recommends that AT SA amend section 6.4 of the ordinance, in order to provide for more regular communicatio n means to the CSA during the year .
The Board is of the opinion that the requirements need to address such areas as: actions taken in cases of infringement of the code and the reason s for taking them (a rticle 41 (4) GDPR), periodic reports, reviews or audi t findings. The code itself will also outline the communication requirements with the CSA, including appropriate ad hoc and regular reports. In the case of serious infringements of the code by code members, which result in serious actions such as suspensio n or exclusion from the code, the competent SA should be informed without delay .
The Board considers ‘substantial change’ to cover any change that impacts on the monitoring body’s ability to perform its function independently and effectively. A substantial change would trigger a re - accreditation or new accreditation process. The Board recommends that the AT SA address the reporting of any substantial change to the CSA in the accreditation requirements .
The Board encourages the AT SA to consider the followin g practical examples of requirements : • A monitoring body shall set out reporting mechanisms. • A monitoring body shall inform the CSA, without undue delay, of any substantial change to the monitoring body (particularly relating to structure or organisation) which is likely to call into 12 adopted question its independence, expertise and the absence of any conflict of interests or to adversely affect its full operation . 2.2.7 REVIEW MECHANISMS
The Board is of the opinion that the monitoring body has a key role in contributing to the review of the code and shall apply code updates (amendment or extension of the code) as decided by the code owner .
The Board encourages accreditation requirements which require a monitoring body to develop mechanisms that enable feed back to the code owners. Some options would be to use the results of the audit process, the handling of complaints or actions take n in code infringement cases .
For instance, records of the processing of complaints (received and treated), infringements and remedies can be a good way to centralise relevant information in order to develop improvements to the code
The Board encourages th e AT SA to provide accreditation requirements which will ensure that the monitoring body will contribute to any review of the code, in accordance with the code owner’s instructions . 2.2.8 LEGAL STATUS
The Board observes that section 2.2 of the AT SA ’s ordinance provides that a monitoring body may be based outside of the EEA. The Board is of the opinion that a monitoring body requires an establishment in the EEA. This is to ensure that they can uphold data subject rights, deal with complaints and that GDPR is enf orceable and also ensures supervision by the CSA. The Board recommends that AT SA require that the monitoring body has an establishment in the EEA
Furthermore, the Board observes that the AT SA draft requirements do not provide for the accreditation of mon itoring bodies in relation to codes that are approved as a tool for international transfers, together with binding and enforceable commitments of the controller or processor in the third country to app ly the appropriate safeguards (a rticle 46 ( 2 )(e) GDPR). In this regard, it is worth noting that supplementary requirements may need to be added, once guidelines for codes as a means of facilitating international transfers have been adopted by the Board .
The Board observes that the AT SA ’s explanatory not e for section 2.1 clarifies that natural persons can be accredited as a monitoring body. The Board encourages the AT SA to provide additional requirements in order for such a monitoring body to be accredited . These would include: being able to demonstrate the availability of adequate resources for the specific duties and responsibilities, as well as the full operation of the monitoring mechanism over time. Examples of scenarios to consider incl ude: in the case of resignation or temporary inability of the pe rson concerne d . 13 adopted
The Board recommends that the AT SA require that the monitoring body should have access to adequate resource requirements to fulfil its monitoring responsibilities, especially for the accreditation of a natural person as a monitoring body .
Moreover, the code of conduct itself will need to demonstrate that the operation of the code ’s monitoring mechanism is sustainable over time, covering worst - case scenarios, such as the monitoring body being unable to perform the monitoring function. In t his regard , it would be advisable to require that a monitoring body demonstrates that it can deliver the code of conduct’s monitoring mechanism over a suitable period of time. Therefore, the Board recommends AT SA to explicitly require that monitoring bodies demonstrate continuity of the monitoring function over time .
The Board is of the opinion that a monitoring body does not need to have a specific legal form to apply for accreditation, provided that it can be held legally responsible for a ll its monitoring activities and demonstrate sufficient resources to deliver its monitoring functions (for example, effectiveness of administrative fines, etc .).
Finally, the Board notes that the AT SA ’s explanatory notes and ordinance do not reference sub - contracting, leaving this area open for monitoring bodies applying for accreditation to decide upon. The Board recommends that AT SA clarifies whether the monitoring body may have recourse to subcontrac tors and on which terms and conditions and that these are reflected in the explanatory notes or ordinance accordingly . If AT SA indicates that subcontracting is allowed, the Board recommends that the AT SA indicates, in its ordinance, that the obligations applicable to the monitoring body are applicable in the same way to subcontractors. 3 CONCLUSIONS / RECOMM ENDATIONS
The draft accreditation requirements of the Austrian Supervisory Authority may lead to an inconsistent application of the accreditation of m onitoring bodies and the following changes need to be made:
Regarding ‘ independence ’ the Board recommends that the AT SA: 1. clarify that the task of providing evidence as to the independence of a monitoring body to the satisfaction of a CSA falls upon th e body applying for accreditat ion ; 2 . redraft the explanatory note reference to “in relation to the subject matter of the code” , so that it is in line with the Guidelines ; 3 . amend the requirements to reflect the tw o models of monitoring bodies set out in the Guidelines; and 4 . strengthen its requirements in line with the four areas (legal and decision making, financial, organisational and accountability) in order to qualify what constitutes independence.
Regarding ‘conflict of interest ’ the Bo ard recommends that the AT SA: 14 adopted 1. add requirements covering procedures to avoid conflicts of interest.
Regarding ‘ established procedures and structures ’ the Board recommends that the AT SA: 1 . provide optional requirements regarding monitoring procedures in the AT explanatory notes a nd clarify mandatory requirements in the AT ordinance ; 2 . explicitly define the objectives of each required procedure in the accreditation requirements ; and 3 . clarif y the reference to “rel evant certificates” - that occurs more than once in the AT draft accreditation requirements .
Regarding ‘ transparent complaints handling ’ the Board recommends that the AT SA ’s : 1. complaints handling process requirements are set a high level and reference reasonable time frames for answering complaints.
Regarding ‘communication with the competent supervisory authority ’ the Board recommends that the AT SA: 1 . amend section 6.4 of the ordinance to provide for more regular communication with the CSA during the year; and 2 . address the reporting of any substantial change to the CSA in the accreditation requirements.
Regarding ‘legal status ’ the Board recommends that the AT SA: 1 . require that the monitoring body has an establishment in the EEA ; 2 . require that the monitoring body should have access to adequate resource requirements to fulfil its monitoring responsibilities and demonstrate that it can deliver the code’s monitoring mechanism over a suitable period of time , especially for the accredita tion of a natu ral person as a monitoring body; and 3 . clarify whether the monitoring body may have recourse to subcontractors and on which terms and conditions and that these are reflect ed in the explanatory notes or ordinance accordingly . If subcontractin g is allowed, amend the ordinance, so that the obligations applicable to the monitoring body are applicable in the same way to subcontractors. 15 adopted 4 FINAL REMARKS
This opinion is addressed to the Austrian supervisory authority and w ill be made public pursuant to a rticle 64 (5b) GDPR.
According to a rticle 64 (7) and (8) GDPR, the supervisory authority shall communicate to the Chair by electronic means within two weeks after receiving the opinion, whether it will amend or maintain its draft decision . Wit hin the same period, it shall provide the amended draft decision or where it does not intend to follow the opinion of the Board, it shall provide the relevant grounds for which it does not intend to follow thi s opinion, in whole or in part. The supervisory authority shall communicate the final decision to the Board for inclusion in the register of decisions which have been subject to the consistency mechanism, in accordance with article 70 (1) (y) GDPR. For the European Data Protection Board The Chair ( Andrea Jelinek)