Let us assume for a moment that we have a perfect code of conduct, the best that you could ever write, already approved, recorded and released by the supervisory authority, and so – at this point – you should only “hope” that it will be adopted by the users for whom it was drawn up.
Here, we imagine that we own a document in this condition – and I say imagine because the Authority has not yet approved, registered and published any code under article 40.
Our perfect and imaginary code of conduct, ex art. 40 para. 4, “… shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it …”
A body as referred to above (ex art. 41) may be accredited by the competent supervisory authority to monitor compliance with a code of conduct, provided that specific requirements are met. The body, ex art. 41, para. 2, shall have an adequate level of competence concerning the code and shall also:
(a) demonstrate its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory authority;
(b) establish procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;
(c) establish procedures and structures to handle complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make those procedures and structures transparent to data subjects and the public;
(d) demonstrate to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.
In the event of a breach of the code by a controller or processor, the monitoring body may also take appropriate measures, including the suspension or exclusion of the controller/processor from the code; in doing so, the accredited monitoring body shall inform the competent supervisory authority of the measures adopted and the underlying reasons for them.
The body is supervised by the competent supervisory authority, which shall revoke the accreditation if the relevant conditions are not – or are no longer – met, or where actions taken by the body infringe the Regulation.
But why is the monitoring of approved codes of conduct so important?
In my opinion, successful monitoring can be the way in which the controller/processor may prove as required under articles 32, paragraph 24 and articles 24 paragraph 3.
Unfortunately, to date, there is no monitoring body operating yet, for two main reasons:
1) there isn’t a code approved, registered and published by the supervisory authority in charge;
2) the competent supervisory authority has not, to date, submitted the draft criteria for accreditation of a body as referred to in art. 41 paragraph 1 to the Board.
So we can only wait and see what reality will tell us in the coming months!