Business organisations or entities representing a sector may voluntarily develop codes to help their sector comply with the GDPR.
Associations and other bodies representing specific categories of controllers or processors may develop or amend codes of conduct to clarify and facilitate the correct implementation of the GDPR provisions within their sector.
These draft codes, amendments or extensions must be submitted to the supervisory authority for an opinion on their compliance with the GDPR. The authority will then approve them if it considers that they provide adequate safeguards.
The procedure for approving a national code is described on the DPA website.
The Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies, issued by the European Data Protection Board (‘EDPB’) under Regulation 2016/679, may also be helpful in this regard.
If the draft is approved, the supervisory authority will register and publish the code unless the draft involves processing activities in several Member States.
In the latter case, the supervisory authority must submit the draft to the EDPB before it can be approved. If the EDPB submits a positive opinion to the European Commission, the latter may declare the approved code of conduct, amendment or extension to be generally applicable in the European Union.
According to the information available on the website of the President of the Office for Personal Data Protection (‘POPDP’), this body has approved the following:
The Code of Conduct for the protection of personal data processed in small medical establishments (Zielonogórskie Agreement, 14 December 2022);
The Code of Conduct for the healthcare sector (Polish Hospital Federation, 11 December 2023).
Commentary on Art. 40
Codes of conduct
The POPDP website also contains: