The Dutch Data Protection Authority (in Dutch: de Autoriteit Persoonsgegevens, hereinafter:
AP),
Whereas Article 41(1) of the General Data Protection Regulation (GDPR) 2016/679 of
26 April 2016 states that compliance monitoring of approved codes of conduct may be
carried out by an impartial monitoring body which has an appropriate level of expertise
in relation to the subject-matter of the code and is accredited for that purpose by
the competent supervisory authority;
Whereas Article 41(3) GDPR provides that the competent supervisory authority submits
the draft requirements for accreditation of a body referred to in paragraph 1 of this
Article to the Board pursuant to the consistency mechanism referred to in Article
63 and Article 64(1)(c);
Whereas Article 57, opening lines and under p, GDPR, stipulates that each supervisory
authority is responsible for drawing up and publishing the requirements for the accreditation
of a body for the supervision of codes of conduct on the basis of Article 41 of the
GDPR;
Whereas Article 6(2) of the Dutch General Data Protection Regulation Implementation Act (in Dutch: Uitvoeringswet Algemene verordening gegevensbescherming, hereinafter:
UAVG) stipulates that the AP is the supervisory authority referred to in Article 51(1)
of the GDPR;
Whereas the European Data Protection Board (EDPB) has adopted: Guidelines 1/2019 on
Codes of Conduct and Monitoring Bodies under Regulation 2016/679, in particular para
60;
Whereas the Guidelines 1/2019 set out a number of requirements which the proposed
monitoring body needs to meet in order to gain accreditation. In particular the following
requirements should be met:
− Demonstrate independence and expertise in relation to the subject matter of the code
as per Article 41(2)(a).
− Demonstrate established procedures which allow it to assess the eligibility of controllers
and processors concerned to apply the code, to monitor their compliance with its provisions
and to periodically review its operation as per Article 41(2)(b).
− Demonstrate established procedures and structures to handle complaints about infringements
of the code or the manner in which the code has been, or is being, implemented by
a controller or processor, and to make those procedures and structures transparent
to data subjects and the public as per Article 41(2)(c).
− Demonstrate to the satisfaction of the competent supervisory authority that its tasks
and duties do not result in a conflict of interest as per Article 41(2)(d).
Whereas the EDPB has adopted: ‘Opinion 07/2020 on the draft decision of the competent
supervisory authority of Netherlands regarding the approval of the requirement for
accreditation of a code of conduct monitoring body pursuant to article 41 GDPR’, adopted
on 23 July 2020.
Has on 23 February 2021 adopted the following decision on the accreditation requirements
for code of conduct monitoring bodies:
Accreditation requirements
By the present decision the AP encourages the development of codes of conduct for
micro, small and medium companies to foster a consistent implementation of the GDPR,
to increase legal certainty for controllers and processors and to strengthen the trust
of data subjects. The requirement for codes of conduct to be monitored by an accredited
monitoring body should not be an obstacle to the development of codes of conduct.
Therefore, the application of the accreditation requirements for monitoring bodies
should take into account the specificities of each sector's processing and should
be as flexible as possible while abiding by the legal framework imposed by the GDPR,
the Guidelines 01/2019 and the relevant Opinions of the EDPB.
The AP reserves the right to conduct a risk-based review of the monitoring body to
ensure that the body still meets the requirements for accreditation. Such a review
could be initiated by (but is not limited to): amendments to the code of conduct,
substantial changes to the monitoring body or the monitoring body failing to deliver
its monitoring functions. In case of substantial changes to the monitoring body relating
to the monitoring body’s ability to function independently and effectively, such a
review will always be conducted.
The monitoring body will retain its accreditation status unless the outcome of this
review concludes that the requirements for accreditation are no longer met.
The introduction of a new or additional monitoring body for a code of conduct will
require the new body to be assessed in line with the accreditation criteria.
The requirements listed in this document shall apply to a monitoring body regardless
of whether it is an internal or external body, unless the requirement states otherwise.
Explanatory note:
The requirements below aim to ensure that the monitoring body can deliver its monitoring
activities in an impartial manner, identifying situations that are likely to create
a conflict of interest and taking steps to avoid them.
It will be for the monitoring body to explain the approach to safeguard impartiality
and to evidence the mechanisms to remove or mitigate these risks as appropriate. Examples
of sources of risks to impartiality of the monitoring body could be based on ownership,
governance, management, personnel, shared resources, finances, contracts, outsourcing,
training, marketing and payment of sales commission.
An example of a conflict of interest situation would be the case where personnel conducting
audits or making decisions on behalf of a monitoring body had previously worked for
any of the organisations adhering to the code. In order to avoid any conflict of interest,
the personnel would declare their interest and the work would be reallocated.
Requirements:
5.1. The monitoring body shall have in place a documented procedure to identify, analyse,
evaluate, treat, monitor and document on an ongoing basis any risks to impartiality
arising from its activities. The monitoring body personnel shall undertake to comply
with these requirements and to report any situation likely to create a conflict of
interest. The monitoring body shall refrain from any action incompatible with its
tasks and duties.
5.2. The monitoring body shall choose or direct and manage its personnel. This could be
demonstrated by providing evidence which includes job descriptions, personnel records,
recruitment, personnel resource allocations and line management arrangements.
Staff can be provided by another body independent of the code. An example of staff
provided by a body independent of the code would be monitoring body personnel that
have been recruited by an independent external company, which provides recruitment
and human resources services.
5.3. The monitoring body shall ensure that it does not seek or take instructions from any
person, organisation or association and shall remain free from external influence.
5.4. The monitoring body shall be protected from sanctions or interference by the code
owner, other relevant bodies or members of the code.