Monitoring under GDPR
Under the General Data Protection Regulation (GDPR), controllers and processors can demonstrate compliance by adhering to approved Codes of Conduct. Such adherence is only meaningful if it is trustworthy, which is why a key element of Codes of Conduct under GDPR is the monitoring of Code adherence by an accredited Monitoring Body.
To be accredited, a Monitoring Body must meet the requirements set out in Art. 41 GDPR and the corresponding guidelines of the European Data Protection Board (EDPB). The key elements are the independence of the Monitoring Body, an appropriate level of expertise, and established procedures for assessing compliance and handling complaints (for more details on these safeguards, see our response to the EDPB guidelines).
Requirements under GDPR
In principle, the requirements for trusted monitoring under GDPR can be grouped into three main aspects. Some of them are explicitly stated in Art. 41 GDPR; others derive from the EDPB guidelines and from years of good practice.
Article 41.2 GDPR
(2) A body as referred to in paragraph 1 may be accredited to monitor compliance with a code of conduct where that body has:
(a) demonstrated its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory authority;
(b) established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;
(c) established procedures and structures to handle complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make those procedures and structures transparent to data subjects and the public; and
(d) demonstrated to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.
To make these abstract requirements easier to understand in practice, some explanations follow:
Any trusted monitoring requires its key and core elements to be independent. Consequently, GDPR also requires independence of accredited Monitoring Bodies, Art. 41.2 (a). This requirement is demanding, as it covers several dimensions which each need to be addressed appropriately. First, there are legal implications relating to inappropriate influence on the monitoring system through corporate relationships or contractual agreements (legal independence). Second, there are implications for the funding mechanisms of a Monitoring Body (financial independence): a private Monitoring Body in particular must resolve the apparent contradiction of being industry-funded without becoming inappropriately dependent on that funding. A third, equally challenging dimension relates to staff (personal independence), as a Monitoring Body must have robust measures in place to prevent conflicts of interest.
Independence and procedures need to be complemented by “expertise in relation to the subject-matter” of the monitored Code of Conduct, Art. 41.2 (a) GDPR. Expertise safeguards appropriate, evidence-based decisions and ensures that the Monitoring Body decides objectively, without bias and on reasonable grounds in the relevant subject area.
Procedures act as an umbrella for most of the requirements of trusted monitoring; consequently, each accredited Monitoring Body needs appropriate procedures and governance structures. Documented procedures help, for example, to align the expectations of the relevant stakeholders, among them industry and supervisory authorities, while at the same time transparently defining the binding framework within which the Monitoring Body operates. Accordingly, procedures should cover the active and effective monitoring of compliance (Assessment Procedures) as well as adequate complaints handling (Complaint Procedures), which gives parties concerned the possibility to file a complaint about an infringement of the Code.
SCOPE Europe as Monitoring Body
For almost a decade, SCOPE Europe’s parent organisation SRIW gathered essential experience in handling Codes of Conduct and acting as an independent Monitoring Body, having successfully implemented and enforced Codes of Conduct in the field of data protection (pre-GDPR). SCOPE Europe was established to transfer this knowledge to the European level. Lessons learned while actively performing the role of a Monitoring Body, as well as valuable discussions with supervisory authorities, regulators and key stakeholders, helped us prepare for the requirements of GDPR, for instance by adapting our internal rules of procedure and processes to further strengthen our independence, expertise and established procedures.
SCOPE Europe is the appointed Monitoring Body of various Codes of Conduct developed under GDPR, among them the EU Cloud CoC. We look forward to collaborating with further initiatives to contribute to the appropriate application of GDPR through trustworthy Codes of Conduct, and to becoming the individually accredited and trusted Monitoring Body for each of those initiatives once the supervisory authorities have approved them pursuant to Art. 40.5 GDPR.
Need a Monitoring Body or consulting partner?
With the application of GDPR in full swing, developing Codes of Conduct is becoming increasingly popular among companies and organisations implementing the new privacy regime. When it comes to setting up a trusted and independent monitoring scheme, SCOPE Europe is happy to help with all of its experience as a Monitoring Body. Please feel free to contact us, and also see our FAQ about Monitoring Bodies, which clarifies common misunderstandings about costs, complexity and other matters.