NL accreditation requirements for GDPR code of conduct monitoring bodies

Type ZBO-regeling
Publication 2021-03-10
State In force
Source BWB

The Dutch Data Protection Authority (in Dutch: de Autoriteit Persoonsgegevens, hereinafter: AP),

Whereas Article 41(1) of the General Data Protection Regulation (GDPR) 2016/679 of 26 April 2016 states that compliance monitoring of approved codes of conduct may be carried out by an impartial monitoring body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for that purpose by the competent supervisory authority;

Whereas Article 41(3) GDPR provides that the competent supervisory authority submits the draft requirements for accreditation of a body referred to in paragraph 1 of this Article to the Board pursuant to the consistency mechanism referred to in Article 63 and Article 64(1)(c);

Whereas Article 57, opening lines and under (p), GDPR stipulates that each supervisory authority is responsible for drawing up and publishing the requirements for the accreditation of a body for the monitoring of codes of conduct on the basis of Article 41 GDPR;

Whereas Article 6(2) of the Dutch General Data Protection Regulation Implementation Act (in Dutch: Uitvoeringswet Algemene verordening gegevensbescherming, hereinafter: UAVG) stipulates that the AP is the supervisory authority referred to in Article 51(1) GDPR;

Whereas the European Data Protection Board (EDPB) has adopted Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, in particular paragraph 60;

Whereas the Guidelines 1/2019 set out a number of requirements which the proposed monitoring body needs to meet in order to gain accreditation. In particular the following requirements should be met:

Whereas the EDPB has adopted ‘Opinion 07/2020 on the draft decision of the competent supervisory authority of Netherlands regarding the approval of the requirement for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR’, adopted on 23 July 2020;

Has on 23 February 2021 adopted the following decision on the accreditation requirements for code of conduct monitoring bodies:

By the present decision the AP encourages the development of codes of conduct for micro, small and medium-sized companies to foster a consistent implementation of the GDPR, to increase legal certainty for controllers and processors and to strengthen the trust of data subjects. The requirement for codes of conduct to be monitored by an accredited monitoring body should not be an obstacle to the development of codes of conduct. Therefore, the application of the accreditation requirements for monitoring bodies should take into account the specificities of each sector’s processing and should be as flexible as possible while abiding by the legal framework imposed by the GDPR, the Guidelines 1/2019 and the relevant Opinions of the EDPB.

The AP reserves the right to conduct a risk-based review of the monitoring body to ensure that the body still meets the requirements for accreditation. Such a review could be initiated by (but is not limited to): amendments to the code of conduct, substantial changes to the monitoring body or the monitoring body failing to deliver its monitoring functions. In case of substantial changes to the monitoring body relating to the monitoring body’s ability to function independently and effectively, such a review will always be conducted.

The monitoring body will retain its accreditation status unless the outcome of this review concludes that the requirements for accreditation are no longer met.

The introduction of a new or additional monitoring body for a code of conduct will require the new body to be assessed in line with the accreditation criteria.

The requirements listed in this document shall apply to a monitoring body regardless of whether it is an internal or external body, unless the requirement states otherwise.

1. Independence

Explanatory note:

The monitoring body shall demonstrate its independence and impartiality. The monitoring body shall demonstrate how its structure and its formal rules of appointment guarantee that it is able to act freely from instructions and that it shall be protected from any sort of interference or sanctions from the code members or the code owner as a consequence of the fulfilment of its tasks.

The requirements below set out what constitutes independence. This needs to be demonstrated within four main areas: legal and decision making procedures, financial, organisational and accountability. Independence for a monitoring body can be understood as a series of formal rules and procedures for the appointment, terms of reference and operation of the monitoring body. These rules and procedures will allow the monitoring body to perform its monitoring tasks without influence from members of the code or its code owner.

Monitoring bodies will be structured and managed to safeguard their independence and impartiality and will be required to demonstrate this to the AP in their submission.

Internal bodies shall be required to provide evidence to ensure that the independence of their monitoring activities is not compromised.

Requirements:

1.1. Legal and decision-making procedures

1.2. Financial

1.3. Organisational

1.4. Accountability

2. Expertise

Explanatory note:

The requirements below aim to ensure that the monitoring body possesses adequate competencies to undertake effective monitoring of a code. More detailed expertise requirements will be defined in the relevant code itself. Code-specific requirements will depend on such factors as the size of the sector concerned, the different interests involved and the risks of the processing activities. These code-specific requirements will be considered as part of the accreditation.

In order for a monitoring body to meet the expertise requirements, it will need to demonstrate that its personnel have the required knowledge and experience in relation to the sector, the processing activity, data protection legislation and auditing, in order to carry out compliance monitoring in an effective manner. This could be demonstrated to the AP with evidence that includes personnel job descriptions, specification requirements, qualifications, required or relevant experience, published reports, etc.

Requirements:

3. Established procedures and structures

Explanatory note:

The requirements below aim to ensure that the proposals for monitoring are operationally feasible, by specifically outlining the monitoring process and demonstrating how it will deliver the code’s monitoring mechanism.

The monitoring body will need to demonstrate to the AP established procedures, structures and resources to assess the eligibility of controllers/processors to apply the code, monitor compliance with the code and to carry out periodic reviews of the code’s operation.

Monitoring procedures must take into account the risk raised by the data processing, complaints received and the expected number and size of code members. These procedures could lead to the publication of monitoring information including audit or summary reports or periodic outcomes reporting of findings.

The monitoring body shall apply the corrective measures and penalties as defined in the code of conduct.

Requirements:

4. Transparent complaints handling

Explanatory note:

Transparent and publicly available procedures and structures to handle complaints in relation to code members from different sources are an essential element for code monitoring. This process will be sufficiently resourced and managed and personnel will demonstrate adequate (sufficient to the need) knowledge and impartiality.

In order to meet these requirements the monitoring body will need to provide evidence of a documented, independent, and transparent complaints handling process to receive, evaluate, track, record and resolve complaints within a reasonable time frame.

Where appropriate, information concerning the monitoring body’s decision will be provided to all concerned within a period not exceeding three months.

Requirements:

4. Complaints about code members

5. Conflict of interest

Explanatory note:

The requirements below aim to ensure that the monitoring body can deliver its monitoring activities in an impartial manner, identifying situations that are likely to create a conflict of interest and taking steps to avoid them.

It will be for the monitoring body to explain the approach to safeguard impartiality and to evidence the mechanisms to remove or mitigate these risks as appropriate. Examples of sources of risks to impartiality of the monitoring body could be based on ownership, governance, management, personnel, shared resources, finances, contracts, outsourcing, training, marketing and payment of sales commission.

An example of a conflict of interest situation would be the case where personnel conducting audits or making decisions on behalf of a monitoring body had previously worked for any of the organisations adhering to the code. In order to avoid any conflict of interest, the personnel would declare their interest and the work would be reallocated.

Requirements:

6. Communication with the AP

Explanatory note:

The section below sets out the information the monitoring body will provide to the AP. These include information concerning any suspension or exclusion of code members and any substantial changes to its own status.

It is envisaged that suspension or exclusion of code members will only apply in serious circumstances and code members would first have the opportunity to take suitable corrective measures as appropriate and agreed with the monitoring body.

Any substantial changes relating to the monitoring body’s ability to function independently and effectively, its expertise and any conflict of interests could result in a review of its accreditation.

Requirements:

7. Code review mechanisms

Explanatory note:

Monitoring bodies have a key role in contributing to the review of the code in conjunction with the code owner. As a result of a code review, amendments or extensions to the code may be made by the code owner.

Requirements:

8. Legal status

Explanatory note:

The monitoring body may be set up or established in a number of different ways, for example as a limited company or a trade association. However, the overarching principle is that whatever form the monitoring body takes, it must demonstrate sufficient financial and other resources to deliver its specific duties and responsibilities. The existence of sufficient financial and other resources should be accompanied by the necessary procedures to ensure the functioning of the code of conduct over time. The monitoring body will therefore have to provide evidence to the AP of its legal status.

Fines could be administered for a monitoring body failing to deliver its monitoring functions and failing to take appropriate action when code requirements are infringed. A monitoring body will therefore demonstrate that it has the appropriate standing to carry out its role under GDPR Article 41(4).

Requirements:

9. Subcontractors

Explanatory note:

Monitoring bodies could engage subcontractors. The requirements below set out the relevant safeguards for engaging subcontractors.

In order to demonstrate these safeguards the monitoring body will need to provide documented evidence.

Requirements:

Consulting this document is not a substitute for reading the original Staatsblad or Staatscourant. We accept no liability for any inaccuracies arising from the conversion of the original to this format.