Codes of Conduct under GDPR

There are many ways to demonstrate compliance under GDPR and one of the most underestimated ones is through the Code of Conduct. This article aims to introduce you the concept of the Codes of Conduct and their implementation in the business field.

Approved GDPR Codes of Conduct – a Tool for Compliance

In essence, the codes of conduct are “encouraged” by the GDPR as ways not only to demonstrate compliance with the GDPR requirements but also as a sign to any stakeholder that your organisation is aware of what needs to be done in order for a legitimate processing of personal data to take place. Codes of conduct are a practical and useful tool, however, there are instances where they can be even more useful.

Article 40 encourages the creation of codes of conduct in order to contribute to the proper application of the GDPR. One of the special elements of the GDPR’s codes of conduct is that they need to be tailored, taking into account the typical processing activities and features across various sectors and the needs of organisations with less than 250 employees. Thus the processing of personal data will need to be looked into in more details and special circumstances will need to be taken into consideration. There’s a big difference if you are a marketing specialist or a general practitioner, even though both handle personal data.

The Contents of an Approved Code of Conduct under GDPR

Another specific element of the implementation of the code of conduct is the moment of its approval. This is in line with GDPR that states that a draft form needs to be approved by the supervisory authority. In order for the code of conduct to be approved, it needs to have sufficient appropriate safeguards in place. The full content in an approved code of conduct is advised in Article 40 of the GDPR.

GDPR codes of conduct should contain specifications regarding the application of the GDPR, among others, concerning:

Benefits of Implementing a Code of Conduct under GDPR

One of the best ways that a company may demonstrate its compliance with the GDPR is under a code of conduct. Adherence to an approved code of conduct may be used as an element by which the organisation may demonstrate compliance with the appropriate technical and organizational measured by controllers and processors to ensure a level of security appropriate to the level of the risk.

Another benefit is to the adherence of a processor to an approved code of conduct may be used as an element by which to demonstrate sufficient guarantees.

The last obvious benefit of an approved code of conduct is the cross-border transfer safeguards – appropriate safeguards may be provided for an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards as regards to data subjects’ rights.

Risks of Adhering to a Code of Conduct under the GDPR

Article 41 of the GDPR explains that with the adherence of to the code of conduct come new obligations for the companies or entities. An accredited body that monitors compliance with an approved code of conduct is required to further establish procedures and structures to handle complaints regarding infringements of the code itself or the way it has been implemented. And infringements can mean suspension or exclusion.

Finally, the degree in which a controller or processor adheres to “its” code of conduct does play a role when gauging potential administrative fines as prescribed in Article 83 (general conditions for imposing administrative fines)  where it is stated that among the decisions on imposing an administrative fine and amounts regarding one, is ‘adherence to approved codes of conduct pursuant to Article 40’ and where are also mentioned the infringements regarding the obligations of the monitoring body pursuant to Article 41 can go up to the ‘lower’ of the two maximum fine levels of up to 10 000 000 EUR, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.


Adhering to an approved GDPR code of conduct provides many benefits to the entities and in some circumstances, it might even become a necessity for processors who want to initiate a work process with controllers that are obliged to have an active and approved code of conduct in place.

However, while adhering to a code of conduct makes the entity reliable and trustworthy, helps to demonstrate GDPR compliance and makes cross-border situations easier, the organisation will be closely monitored that the prescribed practices are in place.


Disclaimer: The content of this article is intended to provide a general guide to the subject matter, it is not legal advice and should not be treated as one. Specialist advice should be sought about your specific circumstances.

Leave a Reply

Your email address will not be published.