What guidelines do the GDPR industry codes provide?

What guidelines do the GDPR industry codes provide?

Krzysztof Grabowski, Data Protection Officer
What guidelines do the GDPR industry codes provide?
GDPR industry codes of conduct are sets of guidelines on the application of GDPR provisions in specific sectors. What key elements do these documents consist of?

Nowadays, nearly 30 GDPR industry codes have been drafted or are being drafted in Poland, but so far none of them has been yet adopted.

Learn more: GDPR industry codes of conduct

On the basis of the already drafted industry codes of conduct which are compliant with Article 40 of the GDPR, it is possible to distinguish the typical issues which such documents address.

Grounds for personal data processing

The first core element of the GDPR industry codes are the grounds for personal data processing. Their specification, together with an explanation of the purposes and situations in which they may be used, will provide standardisation and facilitation for Personal Data Controllers operating in a given industry. Some codes also contain scopes of data processing and conditions for obtaining consent from natural persons for data processing.

Obligations of the personal data controller

The elements which are essential to create a complete code are also the duties and principles of data processing by the personal data controller. The authors of the codes pay great attention to the information obligations, rights of natural persons and principles of personal data processing specified in Article 5 of the GDPR.

Some codes also address the issue of fees and the issue of informing about the exercised rights of natural persons, which constitutes an additional facilitation for controllers. This information is well known to controllers who have implemented solutions meeting the requirements of the GDPR. Data entrustment agreements, assessing the impact on the personal data protection, dealing with data infringements and data profiling are also elements which frequently appear in the industry codes.

Templates of documents

The authors of the codes have also decided to include templates of the indispensable documents (in the form of annexes). The documents prepared so far include, inter alia, the following templates:

  • data entrustment agreements,
  • risk analysis,
  • contents of information obligations,
  • contents of consents,
  • IT standards and safeguards used as technical and organisational security measures,
  • authorisations for personal data processing.

The codes also contain a number of provisions tailored to specific industries, e.g., on video surveillance, processing of data of juveniles or procedures to be followed when entrusting data to an outsourcing company.

Implementation of the provisions of the GDPR industry code

At the end of each code, organisational matters related to changes and their approval are described. This section also contains instructions for controllers on how to implement the code in the organisation. In most cases, the first step of implementation is a filing of a formal application followed by an audit, according to the methodology contained in a particular code. If verified positively, the controller will be listed as one of the entities following the provisions of the code.

Personal data protection

Contact our expert