What is a code of conduct and what are its benefits?
A code of conduct is a sector-specific compliance tool that contributes to the correct application of the GDPR, taking into account the operational needs of the sector concerned.
It can be a useful and effective governance tool by providing a detailed description of the most appropriate, legal and ethical set of behaviours in a given sector. The sector that creates and applies the requirements of a code of conduct demonstrates its willingness to comply with the GDPR and sends a positive signal to customers and professionals in the sector.
Professional associations and chambers or any other body representing a given professional sector can draw up a code to help businesses in that represented sector to comply with the GDPR effectively.
Drawing up a code of conduct is a voluntary process for any representative of a specific professional sector.
Adherence to a code of conduct by members of the sector is also voluntary. However, a code of conduct is a legally binding instrument and is binding for the members that adhere to it. Members will be subject to regular checks by a monitoring body dedicated to this code of conduct and approved to verify compliance with the code's requirements.
The code of conduct may be accompanied by model contracts, standard clauses, IT safety rules adapted to the needs of the sector and/or best practices for the information leaflet in particular.
A code must be clear, understandable and practical, with a vocabulary suited to the sector to which it is dedicated. The rules of the code of conduct must be presented in a way that makes it easy for the monitoring body to check that it is being applied. In addition, the code must also contain information designed to facilitate the implementation and monitoring of the code's requirements by its members (e.g. by providing model documents, an implementation guide, a monitoring methodology, etc.).
Who can draw up a code of conduct?
The code of conduct must be drawn up by an association of professionals or by a body representing a given professional sector, which demonstrates in-depth knowledge of the operational functioning of the sector. This organisation will be referred to as the "code owner".
What is a national code and what a transnational code?
A "Luxembourg national code" refers to a code relating to processing activities carried out in Luxembourg.
A "transnational code" refers to a code covering processing activities carried out in several member countries of the European Economic Area.
What has to be included in a code of conduct?
The guidelines adopted by the European Data Protection Committee (EDPS) contain explanations and requirements with which a code of conduct must comply. It must contain
- A clear description of the objectives of the code of conduct and how the code will facilitate the effective application of the GDPR for the sector concerned;
- Practical operational solutions and best practices that members who adhere to the code can put in place in order to meet the requirements of the code of conduct;
- Mechanisms for monitoring the application of the code by its members, which the monitoring body will use during its inspections;
- Sufficient safeguards: code owners must demonstrate that their code contains appropriate and effective safeguards to mitigate risks to data processing and the rights and freedoms of individuals;
- The scope of the processing operation, which clearly and precisely determines the personal data processing operations to which it applies, as well as the categories of data controllers and processors who will have to comply with it. This includes the processing problems that the code seeks to resolve and the practical solutions to be provided.
- Territorial scope: the draft code must specify whether it is national or transnational in scope and mention the state or states in which it will apply. If the code is transnational, the list of competent authorities must be provided;
- Competent authority: the owner of the code of conduct must explain the choice of competent authority;
- Governance: the draft code must specify the process for adherence to the code by members of the sector, the relationship with the designated monitoring body and the selection criteria, the process for updating the code of conduct if necessary (changes in the legislation governing the sector, changes in the sector, etc.);
- Consultation with interested professionals in the sector: the code of conduct should take account of the needs of the sector, in particular by holding meetings to discuss issues with representatives;
- National law: Code owners must provide confirmation that the draft code complies with applicable national law;
- Designation of a monitoring body;
- The language of the code of conduct submitted for adoption to the CNPD may be French, German or English.
What is the process for the adoption of a code of conduct by the CNPD?
The code owner must submit his draft code to the CNPD. The draft code can be submitted by the owner, sent electronically to the following e-mail address cdc@cnpd.lu or by post to the following address:
CNPD – Service Conformité
15 Boulevard du Jazz
L-4370 Belvaux
The CNPD, in its capacity as supervisory authority, carries out an informal review of the draft code of conduct and there may be several exchanges with the owner of the code in order to check whether the content of the draft meets the requirements of the GDPR. The owner of the code of conduct will have the opportunity to make changes and submit a new version to the CNPD.
In this respect, the CNPD will issue an opinion on whether the draft code, amendment or extension complies with the GDPR and will approve the draft, amendment or extension if it considers that it offers sufficient appropriate guarantees (Article 40(5) of the GDPR).
In the case of a transnational code, it must be communicated by the CNPD to the other competent supervisory authorities of the other member countries concerned and the owner of the code will also have to take account of their comments/requests. A transnational code will also be subject to an opinion of the EDPS in accordance with the application of the "consistency mechanism" provided for by the GDPR (Article 63 of the GDPR).
The EDPS will then submit his opinion to the European Commission, which will decide on the general application of the code of conduct within the European Economic Area in accordance with the provisions of the GDPR (Articles 40(8) and 40(9) of the GDPR).
What is the role of the monitoring body?
Designated by the code of conduct, the monitoring body will carry out checks to ensure that members adhering to the code of conduct comply with its requirements. The monitoring body must obtain approval from the CNPD.
In order to obtain approval from the CNPD, the monitoring body must comply with the requirements of the "Procedure for the approval of code of conduct monitoring bodies". These requirements are based on the accreditation criteria adopted by the CNPD on 19 December 2022, which are available on the CNPD website.
The monitoring body wishing to receive accreditation from the CNPD must complete the application form below (adapt to suit the space on the page) and send it to the CNPD in accordance with the accreditation procedure described below (adapt to suit the space on the page).