Search for:

In brief

According to Article 40.1 of the EU General Data Protection Regulation (GDPR), the national supervisory authorities in the European Economic Area shall “encourage the drawing up of codes of conduct intended to contribute to the proper application” of the GDPR. A prerequisite for codes of conduct to be prepared by Swedish associations and bodies, which represent categories of personal data controllers or processors, is that the Swedish Data Protection Authority (IMY), pursuant to Art. 41 GDPR, has to establish the requirements that will apply to their accreditation bodies, the so-called supervisory bodies, which will be responsible in monitoring compliance with the code of conduct by the controllers or processors that undertake to apply it.

Following the IMY’s submission of accreditation requirements to the European Data Protection Board (EDPB) in 2022, the EDPB issued a statement on 11 July 2023 recommending certain changes to the draft requirements. The EDPB confirmed receipt of a new version from IMY and has now closed the file. IMY issued a decision on the applicable accreditation requirements on 7 September 2023 (see here, in Swedish only). 

In summary, a body must meet certain requirements in the following areas to obtain accreditation:

  • Independence
  • Conflicts of interests
  • Expertise
  • Proceedings and structures
  • Handling of complaints
  • Communication with the supervisory authority (IMY)
  • Mechanisms for oversight of the code of conduct
  • Legal standing
  • Sub-contractors


While obtaining accreditation and establishing codes of conduct may involve complex assessments and considerations, implementing codes of conduct may decrease the costs of GDPR compliance for organizations. In addition, codes of conduct enable trade associations and other interest groups to assess which considerations and technical and organizational security measures are of specific relevance to their sector.


Helena Engfeldt helps companies around the world expand their businesses internationally especially by taking privacy law compliance global. She is a partner in Baker McKenzie's International/Commercial Practice Group in San Francisco. She is licensed to practice law in California, New York and Washington.


Peder Oxhammar is Head of Baker McKenzie’s Intellectual Property Group in Stockholm. He has more than 15 years of experience in all aspects of intellectual property. Prior to joining Baker McKenzie in December 2012, he worked in private practice in one of Sweden's largest patent firms as well as in his own law firm. He has also worked in major pharmaceutical companies AstraZeneca and Novartis, managing multijurisdictional patent and trademark litigation worldwide.


William Höglund is a member of Baker McKenzie’s Intellectual Property and Data & Technology Practice Group in Stockholm. William joined the Firm as an associate in 2022. Prior to joining the Firm, he worked for a Swedish boutique law firm, focusing on insurance and data privacy / protection. He also has experience working as a data protection officer in the public sector.


Margarita Kozlov joined Baker McKenzie in 2016 and is a member of the Employment & Compensation Practice Group in Stockholm. She advises on a range of employment and data protection matters. She has also practiced at Baker McKenzie's office in London.

Write A Comment