Codes of Conduct and its monitoring- Part 2

In our last article we briefly discussed article 40 which provides the whole idea of a code of conduct mandatory to draw for the proper application of GDPR. In today’s article we will discuss the monitoring which is discussed under article 41 of the GDPR. Article 41 clearly states that the monitoring of compliance may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for that purpose by the competent supervisory authority. 

A body is referred to under art. 41 (1) may be accredited to monitor compliance with a code conduct where that body has the followings-

  1. Demonstrated its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory authority;
  2. Established procedure which allows it to assess the eligibility of controllers and processors concerned to apply to the code, to monitor their compliance with its provisions and to periodically review its operations;
  3. Established procedures and structures to handle complaints about infringements of the code or the manner in which the code has been or is being, implemented by a controller or processor, and to make those procedures and structures transparent to data subjects and the public; and  
  4. Demonstrated to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.

Further, the competent supervisory authority shall submit the draft requirements for accreditation of a body to the board pursuant to the consistency mechanism referred to in art. 63. A body referred herein must, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor concerned from the code. It must inform the competent supervisory authority of such actions and the reasons for taking them.

The competent supervisory authority must revoke the accreditation of a body as referred if the requirements for accreditation are not, or are no longer, met or where actions taken by the body infringe this regulation. It is must to remember that the provisions of this article are not applicable when the processing is carried out by public authorities and bodies.      

Picture Credit- https://www.delta-net.com