Nearly 30 GDPR industry codes have been drafted or are being drafted in Poland, but so far none of them has been adopted.
On the basis of the already drafted industry codes of conduct which are compliant with Article 40 of the GDPR, it is possible to distinguish the typical issues which such documents address.
The first core element of the GDPR industry codes is the grounds for personal data processing. Specifying these grounds, together with an explanation of the purposes and situations in which they may be used, will standardise and simplify matters for personal data controllers operating in a given industry. Some codes also set out the scope of data processing and the conditions for obtaining consent to data processing from natural persons.
The duties of the personal data controller and the principles of data processing are also essential elements of a complete code. The authors of the codes pay great attention to the information obligations, the rights of natural persons and the principles of personal data processing specified in Article 5 of the GDPR.
Some codes also address the issue of fees and the issue of informing about the exercised rights of natural persons, which is an additional facilitation for controllers. This information is well known to controllers who have implemented solutions meeting the requirements of the GDPR. Data entrustment agreements, data protection impact assessments, the handling of personal data breaches and profiling are also elements which frequently appear in the industry codes.
The authors of the codes have also decided to include templates of the indispensable documents (in the form of annexes). The documents prepared so far include, inter alia, the following templates:
The codes also contain a number of provisions tailored to specific industries, e.g., on video surveillance, processing of data of juveniles or procedures to be followed when entrusting data to an outsourcing company.
At the end of each code, organisational matters related to changes to the code and their approval are described. This section also contains instructions for controllers on how to implement the code in their organisation. In most cases, the first step of implementation is filing a formal application, followed by an audit carried out according to the methodology contained in the particular code. If verified positively, the controller will be listed as one of the entities following the provisions of the code.