The French data protection authority (‘CNIL’) released, on 7 February 2020, guidance and recommendations on codes of conduct and Binding Corporate Rules (‘BCRs’). In particular, the guidance on codes of conduct (‘the Codes of Conduct Guidance’) aims to help companies comply with the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). Furthermore, the guidance on BCRs (‘the BCRs Guidance’) aims to help companies create a policy on data transfers outside the EU.
Jérôme Sujkowski, IP & IT Associate at Ydès Avocats, told OneTrust DataGuidance, “BCRs and codes of conduct, used at a European level, are also soft power tools enabling the national supervisory authorities, submitting this type of project, to promote their national practice. [BCRs and Codes of Conduct] will serve as a necessary future reference with regard to, for example, retention periods or the form in which certain information will be provided to data subjects.”
What is the effect of the BCRs Guidance on data controllers and subcontractors?
The BCRs Guidance highlights that BCRs allow companies to effectively supervise transfers of data outside the EU, while also providing an intra-organisational, global compliance mechanism. In addition, the BCRs Guidance notes that BCRs are strongly connected to the principle of accountability enshrined in the GDPR, since BCRs introduce a general responsibility to take practical organisational and technical measures.
Sujkowski further highlighted, “[BCRs] will become a stable and reassuring legal tool for large groups, while the European Commission’s Standard Contractual Clauses and the EU-US Privacy Shield are threatened by various legal actions. [In light of this], such a legal tool is particularly useful, as CNIL points out, in the event of decentralisation or splintering of an organisation’s human resources departments.”
How might codes of conduct develop in light of evolving recommendations?
The Codes of Conduct Guidance indicates that codes of conduct can serve as a tool for demonstrating accountability and for responding to the needs of different sectors in complying with the GDPR. In addition, it notes that, while codes of conduct take the provisions of the GDPR into account, they could eventually integrate recommendations that go beyond it.
Sujkowski stated, “If [codes of conduct] must necessarily comply with the GDPR, how can we imagine that they do not also comply with local law […] and also with CNIL’s doctrine, which is different from that of other supervisory authorities? Thus, will a code of conduct on cookies be able to depart from CNIL’s cookies recommendations, which are currently being adopted? Finally, a national code of conduct will lose its influence if a European code of conduct is adopted.”
What is the key piece of advice for companies drafting BCRs and codes of conduct?
Finally, the Codes of Conduct Guidance covers, among other things, key information about codes of conduct, their approval, and what companies should include in them. The BCRs Guidance, in turn, covers the reasons for implementing BCRs, the submission of draft BCRs to supervisory authorities, and how BCRs can be prepared. Alongside the guidance, CNIL launched an online tool enabling companies to submit draft BCRs; the corresponding online tool for codes of conduct will be launched shortly.
Sujkowski concluded, “It is strongly recommended that both codes of conduct and BCRs be drawn up with the help of specialised and local legal advisors, which, in the immediate future, will increase costs of implementation but, in the long term, will participate in the harmonisation of European law on privacy.”
SOUZANA GEORGOPOULOU Privacy Analyst
Comments provided by:
JÉRÔME SUJKOWSKI IP & IT Associate