According to Article 40.1 of the EU General Data Protection Regulation (GDPR), the national supervisory authorities in the European Economic Area shall “encourage the drawing up of codes of conduct intended to contribute to the proper application” of the GDPR. A prerequisite for codes of conduct to be prepared by Swedish associations and bodies, which represent categories of personal data controllers or processors, is that the Swedish Data Protection Authority (IMY), pursuant to Art. 41 GDPR, has to establish the requirements that will apply to their accreditation bodies, the so-called supervisory bodies, which will be responsible in monitoring compliance with the code of conduct by the controllers or processors that undertake to apply it.
Following the IMY’s submission of accreditation requirements to the European Data Protection Board (EDPB) in 2022, the EDPB issued a statement on 11 July 2023 recommending certain changes to the draft requirements. The EDPB confirmed receipt of a new version from IMY and has now closed the file. IMY issued a decision on the applicable accreditation requirements on 7 September 2023 (see here, in Swedish only).
In summary, a body must meet certain requirements in the following areas to obtain accreditation:
- Conflicts of interests
- Proceedings and structures
- Handling of complaints
- Communication with the supervisory authority (IMY)
- Mechanisms for oversight of the code of conduct
- Legal standing
While obtaining accreditation and establishing codes of conduct may involve complex assessments and considerations, implementing codes of conduct may decrease the costs of GDPR compliance for organizations. In addition, codes of conduct enable trade associations and other interest groups to assess which considerations and technical and organizational security measures are of specific relevance to their sector.