The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) has recently approved the “Data Pro Code”, the first code of conduct approved by the Dutch DPA under the GDPR. The code was drafted by NLdigital, the industry trade association of the Dutch digital sector, which has some 600 members ranging from SMEs to tech giants, and is intended to help companies in the ICT sector comply with the obligations laid down in the EU privacy regulation.
Who and why
The code is aimed specifically at SME-sized IT companies acting as data processors, but any company can obtain certification by complying with it. The code is an elaboration of the obligations imposed on processors by Article 28 GDPR and applies to processing activities in the Netherlands.
The Code of Conduct focuses on:
- informing about the security measures taken
- the review, evaluation and adjustment of the security measures
- the content of the processing agreement
- the handling of the rights of data subjects
- the handling of data breaches
The code includes the "Data Pro Statement", which can be used to inform prospects and customers about data protection safeguards. Well-known privacy lawyer and IAPP Country Leader for the Netherlands Jeroen Terstegge stated that the statement can be used by SMEs as a standard set of “approved” clauses for their data processing agreements (DPAs). In theory, it should make it easier to contract with smaller processor entities. On the other hand, he stressed that some (larger) controllers might be reluctant to sign agreements under the terms stipulated by the code, especially when they already have established compliance programs and DPAs.
Since the initial introduction of the code in May 2019, dozens of companies have been certified. Before the code of conduct can become fully operational, however, the association still has to appoint an independent supervisory body. This supervisor will not only monitor compliance with the code, but will also assess whether affiliated parties are eligible to apply, handle complaints and investigate violations. Once appointed, the supervisor must in turn be assessed and accredited by the AP. The AP has drawn up accreditation criteria for this supervisory function and submitted them to the EDPB for approval; an answer is expected before the end of the year.
In related news, on 9 September 2020 the UK Data Protection Authority (ICO) published an accountability framework designed to help organisations identify the steps and actions that will improve their compliance. The framework outlines 10 categories in which companies can demonstrate accountability, setting out the key expectations and ways of meeting them for each category.
What the future may hold
With the international transfer of personal data under scrutiny since the Schrems II case, codes of conduct might have an additional use in the future. Article 40(3) GDPR, read together with Article 46(2)(e), provides that a code of conduct given general validity by the European Commission may be adhered to by recipients outside the EU, with binding and enforceable commitments, as an appropriate safeguard for transfers. Such codes could thus become an alternative to the invalidated Privacy Shield and to SCCs, whose use now carries additional assessment obligations. With several codes of conduct currently sitting with the AP and other national supervisors, it remains to be seen whether they will not only help SMEs with privacy accountability, but also play a part in solving the issues surrounding international data transfers.