Besonders begrüßt wurde die Ausrichtung der Richtlinie, die an vielen Stellen die Voraussetzungen der DSGVO konkretisierte, ohne dabei die notwendige Flexibilität einzubüßen, die es braucht, um eine auf eine breite Akzeptanz und Umsetzung seitens der Wirtschaft zu stoßen. Ferner wurde angeregt, gewisse Aspekte der Richtlinie näher zu erläutern, insbesondere bezogen auf neu eingeführte Begrifflichkeiten und die private Überwachungsstelle und ihr Akkreditierungsverfahren. Die vollständige Stellungnahme finden Sie hier.
Wesentliche Inhalte der Stellungnahme sind (auf English):
In general, SCOPE Europe and SRIW very welcome the outlined concepts and aspects of the Guidelines and the covered sections. Their purpose and scope are articulated clearly and the given guidance fosters the implementation of Art. 40 and 41 GDPR in the market. The Guidelines concretize major requirements of GDPR for codes of conduct. This concretization will increase the acceptance by society and industry of codes of conduct as a main instrument to further implement GDPR. The guidance provided helps tremendously to understand the requirements to successfully submit a draft code. Furthermore, the authors want to emphasize the positive im-pression of flexible and innovation friendly approaches foreseen by these Guidelines.
The authors very much appreciate the high standards the Guidelines impose on the quality of a monitoring, referring to categories as impartiality or concrete mechanisms to monitor compliance. Only by defining a trusted and common baseline of what must be accomplished by the monitoring of a code of conduct, they will become a valuable, effective and valued tool under GDPR.
The authors especially appreciate that:
- the Guidelines refer to the Specification of GDPR as a main criteria in paragraph 37 of these Guidelines for a valuable code of conduct. The criteria of a code of conduct – “unambiguous, concrete, attainable and enforceable” – perfectly reflect the core and very essence of what codes of conduct are about.
- referring to the above-metioned flexibility, the Guidelines pick up on the risk-based approach of GDPR, and acknowledge once more that active and effective monitoring of compliance can and must be variable, to meet the challenges of a safe data processing (e.g.: paragraph 72 of the Guidelines).
- the undertaken distinction between external and internal monitoring body provides a practicable flexibility of structuring and arrangement, but at the same time imposes the same level of impartiality on both concepts as a strict requirement to fulfil for an accreditation (see Chapter 4.5.5 of this Consultation).
Clarification is welcomed:
- on certain terminologies, to safeguard a consistent understanding of key terms (see Chapter 4.1 of this Consultation).
- concerning the scope of these Guidelines as a minimum criteria and its relation to GDPR (see Chapter 4.2 of this Consultation).
- regarding the monitoring body draft requirements, as a guidance for national authorities (see Chapter 4.5 of this Consultation).
- at some points, where different possible interpretations of legal requirements could be taken into consideration, to avoid legal uncertainty in the market (e.g. see Chapters 4.1.3 and 4.4 of this Consultation).
