In the absence of an adequacy decision, data exporters (controllers and processors) may rely on approved codes of conduct[1] as appropriate safeguards for transfers of personal data to third countries.
Codes of conduct are typically drafted by entities, associations or federations that represent large categories of controllers and processors, such as industry-specific associations or trade unions.
To constitute appropriate safeguards for transfers of personal data to third countries or international organisations, codes of conduct must be approved by the competent supervisory authority and comply with the specific requirements in Articles 40 and 46(2)(e) of the GDPR and the EDPB Guidelines 04/2021[2] on Codes of Conduct as tools for transfers.
Once approved by the competent supervisory authority, a code of conduct may be adhered to by data exporters (controllers or processors). In addition, those exporters must provide binding and enforceable commitments to confirm that the code of conduct ensures appropriate safeguards for transfers of data outside of the EEA.[3]
Further information can be found in the EDPB Guidelines 01/2019 on Codes of Conduct and Monitoring Bodies as well as in the EDPB Guidelines 04/2021 on Codes of Conduct as tools for transfers.
[1] Article 46, paragraph 2, letter e) of the GDPR.
[2] EDPB Guidelines 1/2019 of 4 June 2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679.
[3] Articles 40, paragraphs 3 and 9, and 46, paragraph 2, letter e) of the GDPR.