Certifications and Codes of Conduct


    Certification schemes and Codes of Conduct are established under the GDPR and Bulgarian domestic law as an accountability element: they allow organizations to demonstrate compliance with privacy laws and facilitate data transfers and vendor management.

    Last Updated: July 30, 2019

  • Certifications

    Certification schemes exist to encourage and demonstrate compliance with data protection standards. GDPR Article 43 sets the criteria and procedure for accrediting certification bodies. Article 43(1) requires the Member States to ‘ensure’ that certification bodies are accredited by a supervisory authority.

    No specific certification guidance or reference has been provided by the Bulgarian Data Protection Authority (CPDP) yet.

  • Codes of Conduct

    GDPR Article 40 recommends that organizations use Codes of Conduct as a voluntary tool for proper and effective application of the GDPR. Codes of Conduct should be tailored to reflect the specific needs of different sectors and of organizations of different sizes. Trade associations or bodies representing a sector can create Codes of Conduct to help their sector comply with the GDPR in an efficient and cost-effective way. Furthermore, Codes of Conduct are a strong accountability and compliance indicator towards the ICO, the public, and business partners.

    On July 31, 2018, the Bulgarian CPDP released Criteria and procedures for approving, amending or supplementing a Code of Conduct. The Criteria themselves are quite brief (18 short clauses). Their purpose is to specify certain parameters of the GDPR in order to promote a uniform understanding and application of its requirements in the drafting of Codes of Conduct. The document also sets out the procedure by which the regulator approves and amends the Criteria.

    The CPDP has since also released brief Guidelines on Drafting and Proposing Codes of Conduct, highlighting what steps should and should not be taken when drafting a Code of Conduct. For example, copying sections of the GDPR into the Code is inadmissible: the aim is to apply the GDPR's requirements to a particular sector or industry. It is also unacceptable to use only declarative statements without appropriate safeguards for the rights and freedoms of data subjects.
