Certifications and Codes of Conduct


    Certification schemes and Codes of Conduct are established under the GDPR and Belgian domestic law as an accountability element to demonstrate organizations’ compliance with privacy laws and to facilitate data transfers or vendor management.

    Last Updated: July 30, 2019

  • Certifications

    Certification schemes exist to encourage and demonstrate compliance with data protection standards. GDPR Article 43 sets the criteria and procedure for accrediting certification bodies. Article 43(1) requires the Member States to ‘ensure’ that certification bodies are accredited by a supervisory authority. Furthermore, Art. 18, Section 1 of the new Belgian GDPR Adaptation Law details that certification authorities are accredited, in accordance with ISO 17065 and the additional requirements established by the supervisory authority, by the national accreditation body appointed in accordance with Regulation 765/2008, including requirements for accreditation.

    No official guidance or reference has yet been provided by the Belgian regulator (‘APD’). It is likely that the APD will provide more detailed information once the European Data Protection Board issues the final version of the Guidelines on certification and identifying certification criteria in accordance with Articles 42 and 43 of Regulation 2016/679.

  • Codes of Conduct

    GDPR Art. 40 recommends that organizations use Codes of Conduct as a voluntary tool for proper and effective GDPR application. Codes of Conduct should be tailored to reflect the specific needs of various sectors and sizes of organizations. Trade associations or bodies representing a sector can create codes of conduct to help their sector comply with the GDPR in an efficient and cost-effective way. Furthermore, Codes of Conduct are a strong accountability and compliance indicator towards the regulator, public, and business partners.

    From May 25th, draft codes of conduct may be submitted by representative associations of categories of controllers and/or subcontractors for approval to the Belgian Privacy Commission (‘APD’). If the code of conduct concerns processing activities carried out in more than one Member State, the final approval may be granted by the European Commission after consulting the European Data Protection Board (‘EDPB’), which will verify whether the codes present appropriate safeguards to ensure compliance with the new regulation.

    The Belgian APD has indicated the following general principles as fundamental; they must guide the drafting of any code of conduct:

    • Comply with the GDPR and Belgian domestic law (the new Regulation and its transpositions into national law, if applicable). Codes of conduct can never contain provisions that are contrary to existing law or that are an exception to the new regulation;
    • Specify and clarify the application of the GDPR obligations in the submitting entity’s relevant sector/association;
    • Add value to the GDPR provisions by addressing the specific issues and questions faced by organizations to which the code provides clear and operational answers;
    • Have an explanatory memorandum explaining the problem faced by the sector concerned requiring the establishment of a code of conduct and the added value of each provision in relation to the sector concerned by the code;
    • Have a clearly defined subject. The draft code must determine with precision and clarity the processing (or processing characteristics) of personal data covered as well as the categories of controllers and/or processors concerned;
    • Ensure appropriate mandatory audits and compliance control with respect to those controllers and processors who undertake to comply with the draft code.

    The codes of conduct applicable to the processing of personal data are, for the moment, poorly developed. As a result, experience at this level in terms of process is limited. The GDPR provides that associations and other bodies that intend to develop a code of conduct or amend or extend an existing code of conduct must submit the draft code, amendments or extension to the appropriate supervisory authority. That supervisory authority will then have to give an opinion as to whether the draft code, amendment or extension complies with this Regulation. If it considers that it offers sufficient appropriate safeguards, that supervisory authority will approve the draft code, amendment or extension. The outline of the process is therefore already present in the GDPR. The Belgian Privacy Commission is still in the process of internal analysis regarding the creation of a more detailed process. The Privacy Commission also believes that a harmonized approach in terms of the process could have added value.
