Article 46 GDPR requires controllers/processors to put in place appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR diversifies the appropriate safeguards that may be used by organisations under Article 46 GDPR for framing transfers to third countries by introducing, amongst others, codes of conduct as a new transfer mechanism (Article 40(3) GDPR and Article 46(2)(e) GDPR). In this respect, as provided by Article 40(3) GDPR, once approved by the competent supervisory authority and having been granted general validity within the Union by the Commission, a code of conduct may be adhered to and used by controllers or processors not subject to the GDPR located in third countries for the purpose of providing appropriate safeguards to data transferred to third countries. Such controllers and processors are required to make binding and enforceable commitments, via contractual or other legally binding instruments, to apply the appropriate safeguards provided by the code, including with regard to the rights of data subjects, as required by Article 40(3) GDPR. The guidelines provide elements that should be addressed in such commitments.
It should also be noted that a code intended for transfers adhered to by a data importer in a third country can be relied on by controllers/processors subject to the GDPR (i.e. data exporters) for complying with their obligations in case of transfers to third countries in accordance with the GDPR without the need for such controllers/processors to adhere to such code themselves.
In terms of content, and for the purpose of providing appropriate safeguards within the meaning of Article 46 GDPR, a code of conduct intended for transfers should address the essential principles, rights and obligations arising under the GDPR for controllers/processors but also the guarantees that are specific to the context of transfers (such as with respect to the issue of onward transfers and conflict of laws in the third country). In light of safeguards provided by existing transfer tools under Article 46 GDPR and to ensure consistency in the level of protection, as well as taking into account the CJEU Schrems II ruling, the guidelines provide a check-list of the elements to be covered by a code of conduct intended for transfers.
A code of conduct may originally be drawn up only for the purpose of specifying the application of the GDPR in accordance with Article 40(2) GDPR or also as a code intended for transfers in accordance with Article 40(3) GDPR. As a consequence, depending on the original scope and content of the code, it may need to be amended in order to cover all of the above-mentioned elements if it is to be used as a tool for transfers.
These guidelines, which complement the EDPB Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, provide clarification as to the role of the different actors involved in setting up a code to be used as a tool for transfers, and as to the adoption process, with flow charts.