General information

Organisations representing controllers or processors may prepare codes of conduct for the purposes of specifying the application of the GDPR in their sector, such as with regard to:  

  • fair and transparent processing;
  • the legitimate interests pursued by controllers;
  • the collection of personal data;
  • the pseudonymisation of personal data (the processing of personal data in such a manner that these data can no longer be attributed to a specific person);
  • the information provided to the public and to data subjects;
  • the exercise of the rights of data subjects;
  • the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;
  • the technical and organisational measures ensuring compliance with the GDPR as well as the principles of privacy by design and privacy by default;
  • the measures ensuring an appropriate level of security;
  • the notification of personal data breaches and the communication of such personal data breaches to data subjects;
  • the transfer of personal data to third countries or international organisations;
  • out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects.
   

 

 

The code of conduct must contain mechanisms for mandatory monitoring of compliance with its provisions by the entities which have committed to apply it. For this purpose, a monitoring body needs to be established.

The draft is subject to consultation with interested parties, including consultation on the drafted solutions with member organisations, and also with stakeholders, e.g. customers, contractors or even the specific industry regulator.

2019-07-31