Certifications and Codes of Conduct


    Certification schemes and codes of conduct are established under the GDPR as an accountability element to demonstrate organizations’ compliance with privacy laws and to facilitate data transfers or vendor management.

    Last Updated: July 30, 2019

  • Certifications

    Certification schemes exist to encourage and demonstrate compliance with data protection standards. GDPR Article 43 sets the criteria and procedure for accrediting certification bodies. Article 43(1) requires the Member States to ‘ensure’ that certification bodies are accredited by a supervisory authority.

    No particular guidance or reference to GDPR certification has thus far been published by the Latvian Data State Inspectorate (DVI).

  • Codes of Conduct

    GDPR Art. 40 recommends that organizations use Codes of Conduct as a voluntary tool for proper and effective GDPR application. Codes of conduct should be tailored to reflect the specific needs of various sectors and sizes of organizations. Trade associations or bodies representing a sector can create codes of conduct to help their sector comply with the GDPR in an efficient and cost-effective way. Furthermore, Codes of Conduct are a strong accountability and compliance indicator towards the regulator, the public, and business partners.

    In the article on Codes of Conduct published in 12/2017, the Data State Inspectorate states that the GDPR does not prescribe a specific form or framework for developing a code of conduct. At the same time, it should be understood that a code of conduct must have a clear procedure, so that the process for which the code of conduct is drawn up is in accordance with the requirements of the GDPR.

    The development of the Code of Conduct is ensured by the controller or the controller association, after approval by the supervisory authority (in Latvia, the Data State Inspectorate (DVI)). If the process to which the code of conduct applies also affects the processing of data in another Member State, then such a code of conduct will be approved by the European Data Protection Board. In the opinion of the Data State Inspectorate, in order to ensure compliance with the requirements of the GDPR, a code of conduct should provide an insight into at least the following aspects:

    • Information about the controller or controllers covered by the scope of the code of conduct.
    • Information on the exact scope of the Code of Conduct (which precise processing activities in the specific code of conduct are to be regulated).
