Certifications and Codes of Conduct

    Czech Republic


    Certification schemes and codes of conduct are established under the GDPR and are also reflected in the Czech Privacy Bill as accountability elements: they let an organization demonstrate its compliance with privacy law and can facilitate data transfers or vendor management.

    Last Updated: July 30, 2019


  • Certifications

    Certification schemes exist to encourage and demonstrate compliance with data protection standards. GDPR Article 42 provides for certification mechanisms, and Article 43 sets the criteria and procedure for accrediting certification bodies. Article 43(1) requires the Member States to ‘ensure’ that certification bodies are accredited by the competent supervisory authority and/or the national accreditation body.

    The Czech GDPR adaptation law (not yet effective) anticipates that the accreditation of GDPR certification bodies will be performed by the Czech Institute for Accreditation (“Český institut pro akreditaci, o.p.s.”). The Czech data protection authority (Úřad pro ochranu osobních údajů, “UOOU”) is currently working on (i) the certification criteria and (ii) the criteria for accreditation of certification bodies. Once drafted, both sets of criteria will be opened to public comment on the UOOU website.

    Next Steps

    The UOOU is awaiting the final version of the EDPB Guidelines on certification criteria; afterwards, it will submit its draft certification criteria and draft criteria for accreditation of certification bodies for public comment. Once finalized, both sets of criteria will be provided to the Czech Institute for Accreditation (“Český institut pro akreditaci, o.p.s.”).

    At this moment, it is therefore not possible to apply for accreditation, or for certification of any specific product, service or data processing operation. Once the certification mechanism becomes available, the UOOU will announce it on its website.


  • Codes of Conduct

    GDPR Article 40 encourages organizations to use codes of conduct as a voluntary tool for the proper and effective application of the GDPR. Codes of conduct should be tailored to the specific needs of various sectors and sizes of organizations. Trade associations or other bodies representing a sector can draw up a code of conduct to help that sector comply with the GDPR in an efficient and cost-effective way. Adherence to an approved code is also a strong indicator of accountability and compliance towards the UOOU, the public and business partners.

    The UOOU has already published (on 02/08/2018) the first version of its Methodological Guidance on Codes of Conduct (9 pages). It sets out a recommended structure for codes of conduct and recommends notifying the UOOU of ongoing code preparations in order to speed up supervisory review. It notes significant public interest in codes of conduct, but also states that the UOOU aims to align its approach with the EDPB; for this reason it is still awaiting EDPB guidance and has not yet accredited any body to monitor codes of conduct.

    Drafting Process

    The UOOU recommends that the drafting association or entity notify the UOOU when it starts preparing a code of conduct. Such a notification should contain basic information about the drafting association/entity and the subject matter of the code. This initial notification helps the UOOU take the steps necessary for the code’s review and future approval.

    The UOOU also envisions that the process continues with consultations between the drafting entity and the UOOU on the code’s form, content and requirements. These consultations should be initiated by the drafting entity. After the consultation stage, the drafting entity may submit the final draft code of conduct to the UOOU for final review and approval. If approved, the code of conduct is registered and made public.

    Parameters

    A code of conduct must be drafted so as to cover the GDPR’s requirements for the specific personal data processing it relates to. The UOOU recommends structuring the code into sections corresponding to the GDPR’s articles on the controller’s or processor’s obligations when processing personal data. Within these sections, the code should define processes and requirements for personal data processing, both positive (what must be done) and negative (what the controller or processor must not do). The UOOU Methodological Guidance on Codes of Conduct also contains an example of a code’s structure, consisting of 20 sections/elements.
