Certifications and Codes of Conduct
Certification schemes exist to encourage and demonstrate compliance with data protection standards. GDPR Article 43 sets the criteria and procedure for accrediting certification bodies. Article 43(1) requires the Member States to ‘ensure’ that certification bodies are accredited by a supervisory authority.
The Swedish Datainspektionen has published brief online guidance on certification. The guidance includes the following information: the actual issue of a certification must be done by an accredited certification body. Who will issue accreditation is not yet decided, but it will be either the Data Inspectorate or the National Accreditation Body, Swedac. The criteria on which accreditation must be based shall be obtained from the national supervisory authority, i.e. the Data Inspectorate. The Data Inspectorate shall also approve the criteria underlying certification. How certification will be made available is not yet clear. The European Data Protection Board (EDPB) is working on developing a common EU guide on certification; there is currently no fixed date for when that guidance will be completed.
Codes of Conduct
GDPR Article 40 encourages organizations to use Codes of Conduct as a voluntary tool for the proper and effective application of the GDPR. Codes of Conduct should be tailored to reflect the specific needs of various sectors and sizes of organizations. Trade associations or bodies representing a sector can create Codes of Conduct to help their sector comply with the GDPR in an efficient and cost-effective way. Furthermore, Codes of Conduct are a strong accountability and compliance indicator toward the regulator, the public, and business partners.
The Swedish Datainspektionen has published online guidance on Codes of Conduct. It highlights that the European Data Protection Board (EDPB) is drafting guidance on Codes of Conduct; however, the Datainspektionen also notes that Codes of Conduct can already be submitted.
The Datainspektionen can already point to certain criteria that a Code of Conduct must meet in order to be considered to contain sufficient guarantees:
- A code of conduct must focus on a well-defined category of personal data controllers or processors. It must therefore clearly state the types of organizations or sectors to which the code applies.
- A code of conduct should aim at specific and well-defined processing activities typical of the above categories of personal data controllers and processors.
- A code of conduct must be carefully prepared. This includes consulting relevant stakeholders, including as far as possible the data subjects (the ‘registered’) or their representatives.
Certification schemes and Codes of Conduct are established under the GDPR as an accountability element to demonstrate an organization’s compliance with privacy laws and to facilitate data transfers and vendor management.
Last Updated: July 30, 2019