The Data Pro Code (the “Code”) provides clear requirements with regard to transparency and contractual clauses. With regard to transparency, the Code requires Monitored Companies to clearly indicate in the Data Pro Statement whether the Statement is limited to distinct products and services, and whether there are any deviations. Likewise, the Code requires that the Data Pro Statement be accompanied by adequate contractual clauses. Subsequently, rather as due preparation for these two documents, the Monitored Company shall apply the defined Principles and implement and maintain internal measures to act in compliance effectively.
Expectation of the Monitoring Body
As the implemented measures may materially differ between different Monitored Companies and Monitored Services, there is no specific blueprint for how to do so.
Most relevant information is made publicly available by the Data Pro Statement. Consequently, the required information focusses on retrieving a current copy of the two main pillars, i.e., the Data Pro Statement and the contractual clauses.
Nonetheless, a Monitored Company may be subject to a randomized in-depth assessment, which will focus – as needed – on the completeness, accuracy and consistency of the Data Pro Statement and contractual clauses, as well as on the existence of the required internal measures, including whether such measures reflect the statements in the Data Pro Statement and the Principles laid down in the Code.
Whenever this DoA template requires you to indicate implemented measures, especially policies or procedures, please provide a short description of the procedure in place. If such a description is already covered by the Data Pro Statement, a reference to the relevant section suffices. Where documentation is required, please indicate where and how the procedure is documented. It will not suffice to refer only to documentation without describing the principles and steps of the procedure. Nor will it suffice – where documentation is required – to describe only the procedure without referencing the documentation (e.g. file name, file version, storage). Please also keep in mind that a documented procedure or policy is expected to indicate its version, the department / personnel responsible for maintaining / signing off the procedure / policy, and the cases in which the procedure / policy is applicable.
Consequences if expectations are not met
For the avoidance of doubt: if your responses are not convincing, as they may lack a material level of detail, the reference may be imprecise or lack references to other provisions that may be applicable as well, or you provide details regarding your procedures but the reference to your documents is missing, the Monitoring Body will consider your response as incomplete / inconsistent. Especially if you are undergoing an initial assessment, this will, in the best case, only delay the declaration of adherence process. In worst-case scenarios, especially if the Monitoring Body has given you chances to enhance your response by requesting follow-up responses, the Monitoring Body will consider your repeated insufficient responses as no longer capable of convincing it of your compliance; hence it will stop the declaration of adherence and consider your declared services as non-compliant with the Code – at least for the time being. This will not prevent you from starting a new declaration of adherence process as soon as you have better prepared yourself and are thus able to respond convincingly to the Monitoring Body's requests.