GDPR Brief: Codes of Conduct under the GDPR: A Useful but Challenging Tool to Enable Responsible International Data Sharing

5 August 2019

data sharing, GDPR

Under the GDPR, organizations within a given sector or representative body can develop Codes of Conduct to help overcome key data protection challenges. Developing an approved Code is a serious endeavour and difficult to achieve, but can be of great benefit, including by better enabling responsible international data sharing in genomics and health-related research. Such Codes complement rather than supersede the GDPR.

In June 2019, the European Data Protection Board (“EDPB”) released its Guidelines on Codes of Conduct and Monitoring Bodies under the GDPR. These 30-page Guidelines offer pertinent information regarding, among other things, the conditions to be met before a competent Data Protection Supervisory Authority (“DPA”) in the EU would be in a position to assess and review a Code for the purposes of the GDPR, and the criteria organizations will need to meet to have their Code approved.

As the Guidance notes, under the GDPR, organizations are encouraged to draft Codes of Conduct, which are voluntary accountability tools that can represent a practical, potentially cost-effective, and meaningful method to achieve greater levels of consistency of protection for data protection rights. Codes can act as a mechanism to demonstrate compliance with the GDPR. Importantly, transnational Codes can help to bridge the harmonization gaps that may exist between EU Member States in their application of data protection law. They also provide an opportunity for particular sectors, such as the life sciences sector, to reflect upon common data processing activities and to agree to tailored and practical data protection rules, which will meet the needs of the sector as well as the requirements of the GDPR.

As provided by the non-exhaustive list contained in Article 40(2) of the GDPR, Codes may notably cover topics such as:

  • fair and transparent processing;
  • legitimate interests pursued by controllers in specific contexts;
  • the collection of personal data;
  • the pseudonymisation of personal data;
  • the information provided to individuals and the exercise of individuals’ rights;
  • technical and organisational measures, including data protection by design and by default and security measures;
  • breach notification;
  • data transfers outside the EU; and/or
  • dispute resolution procedures.

Notably, one of the example boxes in the EDPB’s Guidelines describes the benefit of a Code “in the context of processing health data for research purposes”. Appendix 3 provides a checklist for organizations to use before submitting a draft Code for approval to a competent DPA.

As the Guidelines note, “Codes may also prove to be a significant and useful mechanism in the area of international transfers.” A Code can demonstrate that a sector has appropriate safeguards to transfer data to countries outside the EU and thus enable organizations to share data internationally. Under Article 46, an organization can transfer personal data to a non-EU country without requiring any specific authorization from a DPA where there is an approved Code of Conduct pursuant to Article 40, together with binding and enforceable commitments of the controller or processor in the non-EU country to apply the appropriate safeguards, including as regards data subjects’ rights. The EDPB notes in the Guidelines that it will provide separate guidelines in the future in relation to the use of Codes as a mechanism to facilitate international data transfers.

While BBMRI-ERIC is currently drafting a Code of Conduct for Health Research for its members, other organizations or representative bodies in genomics and health-related research, including industry, may wish to draw up Codes tailored to their particular sectoral needs. Given the challenges associated with developing Codes of Conduct (including the need for Codes to contain mechanisms that enable an accredited monitoring body to carry out mandatory monitoring and compliance), organizations are encouraged to seek legal advice when considering whether to draft one. This is particularly so given that the EDPB’s Guidelines emphasize a Code’s potential to “establish a set of rules”, rather than simply assisting compliance with the existing rules of the GDPR.

Further Reading

  • European Data Protection Board, “Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679.” Available here.
  • Information Commissioner’s Office (UK), “Codes of Conduct”. Available here.

Relevant GDPR Provisions

  • Recital 98 – Preparation of codes of conduct by organizations and associations
  • Recital 99 – Consultation of stakeholders and data subjects in the development of codes of conduct
  • Article 40 – Codes of conduct
  • Article 41 – Monitoring of approved codes of conduct
  • Article 46 – Transfers subject to appropriate safeguards

Edward Dove is a Lecturer in Law at the University of Edinburgh.

For a list of previous briefs, please consult here.

Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.