SCOPE Europe and its primary Selbstregulierung Informationswirtschaft have been confronted with several interpretations, stakeholders’ needs and also misunderstandings over time. The following is a selection of the most frequent questions related to monitoring under the GDPR.
Most frequently asked questions about Monitoring Bodies under GDPR
No - the GDPR and the related guidelines of the European Data Protection Board (EDPB) are absolutely clear in this respect: an approved Code of Conduct must be overseen by an accredited Monitoring Body. However, there is still a high degree of flexibility when it comes to the actual implementation of the monitoring, e.g. regarding what the actual monitoring scheme looks like (frequency, type and scope of assessments) or the appropriate actions for a Monitoring Body to impose in case of infringements, as those aspects highly depend on the exact provisions of the respective Code of Conduct.
No - here again the guidelines of the EDPB are very helpful, stating that "a monitoring body may be accredited for more than one code provided it satisfies the requirements for accreditation". De facto, this means organizations developing a Code of Conduct can contract established Monitoring Bodies and, given all legal requirements are met, use the infrastructure of an already existing Monitoring Body in order to save administrative and organizational costs and resources.
This depends. Each Code of Conduct is different, so the respective monitoring schemes will differ accordingly. But there is good news for SMEs: the GDPR particularly highlights the specific needs of micro, small and medium-sized companies (SMEs) when it comes to Codes of Conduct. Against this background it is possible – and even recommended – to take the needs of SMEs into strong consideration when designing the monitoring of a Code of Conduct, e.g. by keeping costs and other resources comparably low for companies adhering to the Code, especially SMEs.
Not necessarily. Based on our experience, an early involvement in the actual drafting process of a Code of Conduct can enhance the proper reflection of monitoring requirements in the actual Code provisions, which can save time and costs in the long run (Monitoring by Design). Especially if you have a specific need to minimize costs, close coordination during the development is recommended. Otherwise, conflicting expectations on the monitoring and related costs may require adjustments to your provisions. This may be time-consuming and costly, and may even jeopardize your approval and the initiative as such. Once your Code of Conduct has been approved, amendments are possible at any time but will require the approval of your supervisory authority to become effective. Depending on the adjustments required to minimize the costs of your initiative, supervisory authorities may re-evaluate your Code of Conduct in an avoidably critical manner.
Depending on your initiative’s background and experience it is, however, also possible to develop both the Code of Conduct’s provisions and the related monitoring scheme yourself.
Yes, it is a requirement for both national and transnational Codes of Conduct.
By engaging an existing Monitoring Body, you can save the effort of building up an appropriate and independent infrastructure and gathering sufficient expertise and knowledge on your own, and can instead focus on the content-related needs of your Code of Conduct. Besides, monitoring of Codes of Conduct lends itself to scaling, so engaging existing Monitoring Bodies enables your initiative to make use of all the related benefits of scaled businesses. Furthermore, and this at least applies to SCOPE Europe, existing Monitoring Bodies may enhance the credibility of your project. SCOPE Europe, as well as its primary Selbstregulierung Informationswirtschaft, only engages with initiatives that we consider credible. This rigorous attitude may positively influence your initiative, as you can refer to an independent Monitoring Body that uncompromisingly strives for trust not only in Codes of Conduct and their related monitoring, but also in modern regulation.
In May 2021, SCOPE Europe received official accreditation to act as the dedicated Monitoring Body of the EU Cloud Code of Conduct, pursuant to Article 41 GDPR. Additionally, SCOPE Europe is engaged in the development of several other initiatives in the field of co-regulation and, therefore, intends to pursue further accreditations, continuously contributing to the proper enforcement of the GDPR.
Do you have more questions?
Are you still struggling with your initiative? Are you still unsure about how to set up trusted monitoring? Or do you simply have other questions? Please feel free to contact us.