SCOPE Europe welcomes the outlined concepts and aspects of the Guidelines of the European Data Protection Board 1/2019 and the covered sections. The purpose and scope are articulated clearly, and the given guidance can foster the implementation of Art. 40/41 in the market. The level of concretization and, at the same time, the flexibility provided within the Guidelines harmonize perfectly to accelerate the acceptance and implementation of codes of conduct in the market. Furthermore, we suggested providing further clarification on terminological uncertainties and on one of our key topics, the accreditation procedure of a monitoring body.
In general, SCOPE Europe and SRIW very much welcome the outlined concepts and aspects of the Guidelines and the covered sections. Their purpose and scope are articulated clearly and the given guidance fosters the implementation of Art. 40 and 41 GDPR in the market. The Guidelines concretize major requirements of GDPR for codes of conduct. This concretization will increase the acceptance by society and industry of codes of conduct as a main instrument to further implement GDPR. The guidance provided helps tremendously to understand the requirements to successfully submit a draft code. Furthermore, the authors want to emphasize the positive impression of the flexible and innovation-friendly approaches foreseen by these Guidelines.
The authors very much appreciate the high standards the Guidelines impose on the quality of monitoring, referring to categories such as impartiality or concrete mechanisms to monitor compliance. Only by defining a trusted and common baseline of what the monitoring of a code of conduct must accomplish will codes of conduct become a valuable, effective and valued tool under GDPR.
The authors especially appreciate that:
- the Guidelines refer to the Specification of GDPR as a main criterion in paragraph 37 of these Guidelines for a valuable code of conduct. The criteria of a code of conduct – “unambiguous, concrete, attainable and enforceable” – perfectly reflect the core and very essence of what codes of conduct are about.
- referring to the above-mentioned flexibility, the Guidelines pick up on the risk-based approach of GDPR, and acknowledge once more that active and effective monitoring of compliance can and must be variable, to meet the challenges of safe data processing (e.g. paragraph 72 of the Guidelines).
- the distinction drawn between external and internal monitoring bodies provides a practicable flexibility of structuring and arrangement, but at the same time imposes the same level of impartiality on both concepts as a strict requirement to fulfil for an accreditation (see Chapter 4.5.5 of this Consultation).
Clarification is welcomed:
- on certain terminologies, to safeguard a consistent understanding of key terms (see Chapter 4.1 of this Consultation).
- concerning the scope of these Guidelines as minimum criteria and its relation to GDPR (see Chapter 4.2 of this Consultation).
- regarding the monitoring body draft requirements, as a guidance for national authorities (see Chapter 4.5 of this Consultation).
- at some points, where different possible interpretations of legal requirements could be taken into consideration, to avoid legal uncertainty in the market (e.g. see Chapters 4.1.3 and 4.4 of this Consultation).