
Echoes of Synergy—SCOPE Europe’s Insights Reflected in the European Commission's GDPR Report


The European Commission’s Second Report on the application of the General Data Protection Regulation (GDPR) – hereinafter, the “Report” – was released in July 2024. This comprehensive review assesses the progress made over the past eight years since the GDPR came into force, and four years since the first periodic report. It identifies key areas where improvements are needed to ensure the GDPR’s continued effectiveness.

Earlier this year, in response to the European Commission’s Call for Evidence, SCOPE Europe provided feedback on the application of the GDPR, highlighting challenges and offering recommendations, particularly when it comes to the implementation of Articles 40 and 41. Now, with the publication of the Commission’s Report, it is clear that many of SCOPE Europe’s insights have been echoed, reaffirming the importance of addressing these key issues in order to optimize GDPR’s effectiveness moving forward.

General priorities

The Commission’s Report states that focus should be on the following:

  • a robust enforcement of the GDPR, starting with the swift adoption of the Commission’s proposal on procedural rules to deliver quick remedies and legal certainty in cases affecting individuals across the EU;

  • proactive support by data protection authorities to stakeholders in their compliance efforts, especially SMEs and small operators;

  • a consistent interpretation and application of the GDPR across the EU;

  • effective cooperation between regulators at both national and EU level to guarantee the consistent and coherent application of the growing body of EU digital rules;

  • further advancing the Commission’s international strategy on data protection.

(p. 28)

The Report emphasizes the need for consistent interpretation and enforcement of the GDPR across the EU, particularly to address discrepancies between Member States. It calls for clearer and more actionable guidance from Data Protection Authorities (DPAs), with a specific focus on supporting Small and Medium Enterprises (SMEs) and researchers in navigating GDPR compliance. Additionally, the Report stresses the importance of fostering collaboration between DPAs to ensure uniform application of GDPR regulations.

SCOPE Europe identified several priorities in its feedback that were critical for improving GDPR implementation. These include the harmonization of legal interpretation and implementation across Member States, the need for increased transparency and public awareness, and enhancing legal certainty through a consistent application of the risk-based approach outlined in the GDPR. These priorities aimed to address the uneven enforcement of GDPR and to provide stakeholders, particularly SMEs, with a clearer understanding of compliance obligations.

Codes of Conduct—A Focused Discussion

From our unique experience as an accredited monitoring body for GDPR codes of conduct, SCOPE Europe recognizes the significant role that codes of conduct can play as co-regulation tools under the GDPR. As an organization dedicated to fostering data protection standards by developing and monitoring such tools, we see codes of conduct as practical mechanisms that can bridge the gap between regulatory requirements and operational realities. These tools offer structured, clear guidance to help industries implement GDPR requirements.

Commission recognises the potential of codes of conduct

The Commission’s Report highlights codes of conduct as valuable, cost-effective, yet underutilized tools for GDPR compliance, and encourages their further development and adoption. In light of the challenges and priorities outlined by the Commission, SCOPE Europe underscores the strong potential of codes of conduct (under Article 40 GDPR) in addressing key areas such as the harmonization of legal interpretation, enhanced enforcement consistency, and critical support for SMEs navigating GDPR obligations.

For these reasons, SCOPE Europe urges the Commission, data protection authorities, the EDPB, and Member States to actively support the development and implementation of codes of conduct. These tools, designed to streamline and clarify complex GDPR provisions, have the potential to drive more consistent application of the regulation (including across Member States, if the given code has a transnational scope), reduce legal uncertainty, and foster smoother enforcement. Broad adoption of codes of conduct could lead to a more harmonized and efficient data protection landscape across the EU, building the necessary trust to enable the digital transition.

The Report does not explore the potential of codes of conduct for SME compliance

The Commission acknowledges the challenges faced by SMEs and calls for tailored guidance and tools from DPAs and the European Data Protection Board (EDPB) to help them meet GDPR requirements. The Report highlights the need for clear, easy-to-understand guidelines, avoiding complex legal language since smaller organisations do not typically have in-house data protection expertise. However, the Commission does not explore the role codes of conduct can play in simplifying compliance for SMEs.

Codes of conduct can offer actionable guidance by translating complex legal requirements into industry-specific best practices, making compliance more accessible for smaller businesses. Moreover, going through the assessment of an accredited monitoring body enables companies to ensure they are properly implementing and documenting adequate technical and organisational measures, which can largely support their day-to-day compliance efforts. SCOPE Europe therefore stresses the importance of supporting the development of codes of conduct to uphold GDPR compliance among SMEs.

Challenges in development and adoption of codes of conduct

Both the Commission’s Report and SCOPE Europe's feedback recognize the procedural difficulties in developing and adopting codes of conduct, especially around the approval and accreditation processes (Articles 40 and 41 GDPR). The Commission’s Report states:

There is a need for increased transparency in the process and for clear approval timelines. Data protection authorities and, in the case of EU-wide codes, the Board, should more actively encourage the drawing up of the codes of conduct by collaborating with the associations developing the codes. (p. 14)

The Board and data protection authorities are invited to: support the implementation of effective compliance measures by businesses, such as certification and codes of conduct (including as tools for transfers), by engaging with stakeholders during the approval process, providing clear timelines for approvals, and, as pledged in the Board’s 2024-2027 strategy, explaining to key groups of stakeholders how these tools can be used. (p. 26)

The Commission’s Report mirrors SCOPE Europe’s call for more procedural clarity, harmonization, and additional guidelines. These are essential to enable codes of conduct to function effectively and with the necessary flexibility and speed to meet GDPR’s demands.

Moreover, both the Commission and SCOPE Europe underscore the need for more active encouragement from data protection authorities in supporting the development and uptake of these tools. The Commission and SCOPE Europe both note that the low number of operational codes of conduct reflects the challenges that still exist in this regard, with only two transnational and six national GDPR codes of conduct to date. As the accredited monitoring body of one such transnational code of conduct, the EU Cloud Code of Conduct (EU Cloud CoC) as well as of one of the codes approved at the national level (the Data Pro Code), SCOPE Europe highlights these important examples of co-regulation in practice. Our involvement in the development and implementation of these tools can offer valuable insights into the operationalization of GDPR tools, providing an effective methodology that can be leveraged by other industries.

Involvement of stakeholders

By exploring the practical experiences gained from stakeholders involved in the creation of initiatives such as the EU Cloud CoC and the Data Pro Code, data protection authorities and policymakers can better support the growth of similar initiatives, guiding industries toward more streamlined and effective compliance mechanisms.

While the Report does urge “earlier and more meaningful consultation on guidelines and opinions in order to better understand market dynamics and business practices” and to “give adequate consideration to the feedback received” (p. 30), the Commission, the Supervisory Authorities, the EDPB, as well as the Member States should go further in actively involving stakeholders when it comes to GDPR application. A more consistent and structured dialogue with industry experts, SMEs, monitoring and certification bodies, and other key players working in the field can significantly improve regulatory effectiveness by ensuring that practical experiences and operational challenges are fully reflected in implementation efforts.

Key takeaways 

The second GDPR Report from the European Commission echoes many of the insights and recommendations provided by SCOPE Europe in the context of the open call for feedback on this subject matter. We are pleased to see that the Commission has recognized the critical role that codes of conduct can play in supporting GDPR compliance, and we are eager to continue contributing to this evolving conversation.

As part of GDPR’s toolbox of compliance instruments, codes of conduct are uniquely positioned to enable organisations to manage and demonstrate their compliance. Through the widespread adoption of these tools, significant strides can be made toward improving legal certainty, enhancing the consistency of GDPR application, and achieving harmonization across Member States, all key areas of focus outlined by the Report. By offering clear, industry-specific guidance on how to implement GDPR’s provisions, codes of conduct provide businesses with the structure and support they need to comply with the regulation effectively. This is especially relevant for SMEs, which may struggle to interpret and apply the complex legal requirements of GDPR without tailored assistance.

Codes of conduct, when appropriately developed and monitored, can also act as a bridge between data protection authorities and industry stakeholders, facilitating dialogue and mutual understanding. They help ensure that regulatory objectives are met in a way that aligns with the operational realities of the businesses subject to them. By fostering transparency, accountability, and trust, these tools directly contribute to the effective application of GDPR.

SCOPE Europe also urges the Commission, the Data Protection Authorities, the EDPB and Member States to regularly include stakeholders in ongoing GDPR efforts, engaging them through feedback loops and consultations. By maintaining this level of involvement, it is possible to ensure that the practical experiences of those on the front lines of GDPR compliance are properly reflected, increasing regulatory effectiveness and significantly contributing to the broad dissemination of a solid privacy culture.

As we continue our work to promote and monitor GDPR compliance through initiatives such as the EU Cloud CoC, SCOPE Europe remains committed to fostering robust data protection standards across the cloud industry and beyond. Our ongoing efforts aim to support businesses of all sizes in navigating the complexities of GDPR while ensuring the robust protection of data subjects' rights. We encourage all stakeholders to engage with both our feedback and the Commission’s Report to gain a deeper understanding of the current landscape of GDPR compliance and the ongoing developments shaping the future of data protection in the EU.

 
