1. Home
  2. Legislation
  3. EU Legislation
  4. General Data Protection Regulation
  5. CHAPTER IV – Controller and processor
  6. Section 5 – Codes of conduct and certification
  7. Article 41 – Monitoring of approved codes of conduct
Searching...
EDPB - Statement 02/2022 on personal data transfers to the Russian Federation
12 Jul. 2022
Statement 02/2022
Download document
EDPB - EDPB-EDPS Joint Opinion 03/2022 on the Proposal for a Regulation on the European Health Data Space
12 Jul. 2022
EDPB-EDPS Joint Opinion 03/2022
Download document
EDPB - CSC Work Programme 2022-2024
6 Jul. 2022
CSC Work program 2022-2024
Download document
EDPB - Opinion 11/2022 on the draft decision of the competent supervisory authority of Poland regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR)
4 Jul. 2022
Opinion 11/2022
Download document
EDPB - Opinion 12/2022 on the draft decision of the competent supervisory authority of France regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR)
4 Jul. 2022
Opinion 12/2022
Download document
EDPB - Opinion 13/2022 on the draft decision of the competent supervisory authority of Bulgaria regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR)
4 Jul. 2022
Opinion 13/2022
Download document
EDPB - Opinion 14/2022 on the draft decision of the competent supervisory authority of Bulgaria regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR
4 Jul. 2022
Opinion 14/2022
Download document
EDPB - Opinion 15/2022 on the draft decision of the competent supervisory authority of Luxembourg regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR
4 Jul. 2022
Opinion 15/2022
Download document
EDPB - Opinion 16/2022 on the draft decision of the competent supervisory authority of Slovenia regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR
4 Jul. 2022
Opinion 16/2022
Download document
CJEU – Ligue des droits humains v Conseil des ministres – C-817/19
21 Jun. 2022
Ligue des droits humains
EDPB - Response to EDRi regarding the structural and procedural enforcement of the GDPR and its work to promote and safeguard data protection
14 Jun. 2022
EDPB GDPR Enforcement Letter
Download document
EDPB - Response of the EDPB to the European Commission's targeted consultation on a digital euro
14 Jun. 2022
EDPB Digital Euro Letter
Download document
EDPB - Guidelines 07/2022 on certification as a tool for transfers - Version 1.0
14 Jun. 2022
Guidelines 07/2022
Download document
EDPB - EDPB response to the joint payments industry regarding the Guidelines on the interplay of Second Payment Services Directive (PSD2) and GDPR
12 May. 2022
EDPB Guidelines PSD2 and GDPR Letter
Download document
EDPB - Guidelines 06/2022 on the practical implementation of amicable settlements - Version 2.0
12 May. 2022
Guidelines 06/2022
Download document

Article 41 – Monitoring of approved codes of conduct

Paragraph 1

Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, the monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for that purpose by the competent supervisory authority.

Paragraph 2

A body as referred to in paragraph 1 may be accredited to monitor compliance with a code of conduct where that body has:

  1. demonstrated its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory authority;
  2. established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;
  3. established procedures and structures to handle complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make those procedures and structures transparent to data subjects and the public; and
  4. demonstrated to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.

Paragraph 3

The competent supervisory authority shall submit the draft requirements for accreditation of a body as referred to in paragraph 1 of this Article to the Board pursuant to the consistency mechanism referred to in Article 63.

Paragraph 4

Without prejudice to the tasks and powers of the competent supervisory authority and the provisions of Chapter VIII, a body as referred to in paragraph 1 of this Article shall, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent supervisory authority of such actions and the reasons for taking them.

Paragraph 5

The competent supervisory authority shall revoke the accreditation of a body as referred to in paragraph 1 if the requirements for accreditation are not, or are no longer, met or where actions taken by the body infringe this Regulation.

Paragraph 6

This Article shall not apply to processing carried out by public authorities and bodies.

As corrected by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679) with regard to paragraphs 3 and 5 of this article.

References

  • GDPR references
  • Fines
  • Recitals
  • Directive 95/46/EC
  • SA
  • Case-law

Infringements regarding the obligations of the monitoring body pursuant to paragraph 4 of this article shall, in accordance with Article 83(2), be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

No GDPR recitals available for this article.

Article 27
1. The Member States and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper implementation of the national provisions adopted by the Member States pursuant to this Directive, taking account of the specific features of the various sectors.
2. Member States shall make provision for trade associations and other bodies representing other categories of controllers which have drawn up draft national codes or which have the intention of amending or extending existing national codes to be able to submit them to the opinion of the national authority.
Member States shall make provision for this authority to ascertain, among other things, whether the drafts submitted to it are in accordance with the national provisions adopted pursuant to this Directive. If it sees fit, the authority shall seek the views of data subjects or their representatives.
3. Draft Community codes, and amendments or extensions to existing Community codes, may be submitted to the Working Party referred to in Article 29. This Working Party shall determine, among other things, whether the drafts submitted to it are in accordance with the national provisions adopted pursuant to this Directive. If it sees fit, the authority shall seek the views of data subjects or their representatives. The Commission may ensure appropriate publicity for the codes which have been approved by the Working Party.