Page Contents

Answer

The principle of accountability is a cornerstone of the General Data Protection Regulation (GDPR). According to the GDPR, a business/organisation is  responsible for complying with all data protection principles and is also  responsible for demonstrating compliance. The GDPR provides businesses/organisations with a set of tools to help demonstrate accountability, some of which have to be mandatorily put in place.

For example, in specific cases the establishment of a DPO or conducting data protection impact assessments (DPIA) may be mandatory. Data controllers can choose to use other tools such as codes of conduct and certification mechanisms to demonstrate compliance with data protection principles.

You may adhere to a Code of Conduct prepared by a business association which has been approved by a DPA. A Code of Conduct may be given EU-wide validity through an implementing act of the Commission.

You may adhere to a certification mechanism operated by one of the certification bodies that have received accreditation from a DPA or a national accreditation body or both, as decided in each Member State law.

Both codes of conduct and certification are optional instruments and therefore it is up to your company/organisation to decide whether to adhere to a given code of conduct or to request certification. While your company/organisation still has to respect and comply with the GDPR, adherence to such instruments might be taken into consideration in the case of an enforcement measure against you for a breach of the GDPR.

Example

The umbrella insurance body in the EU Member State of your company/organisation has had a Code of Conduct approved by the supervisory authority. A number of rival insurance firms have adhered to the Code. While adhering is voluntary, the adherence to the Code helps in demonstrating compliance with the GDPR.

References

  • Article 24, Articles 40, to 43 and Article 83 and Recitals (98), to (100), (148), (150) and (151) of the GDPR