Denmark: Datatilsynet publishes accreditation requirements for code of conduct monitoring body under the GDPR

The Danish Data Protection Authority ('Datatilsynet') issued, on 12 November 2020, its accreditation requirements for a code of conduct monitoring body under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In particular, the Datatilsynet noted that a data protection code of conduct is a set of guidelines that specify the rules of the data protection regulation for a given industry. It can, for example, indicate how the rules should be handled in cases that are typical of the industry, or establish a procedure for how to comply with the duty to provide information and other rights of data subjects.

Furthermore, the Datatilsynet outlined that codes of conduct may be created by associations or other bodies representing categories of data controllers and data processors such as industry organisations or associations, which typically have an in-depth knowledge of which processing of personal data is customary in the industries they represent and are familiar with the areas in which their members are most challenged in terms of complying with the rules of the GDPR.

Moreover, the Datatilsynet stipulated that a code of conduct that regulates how private bodies handle personal data must have an accredited control body which must, among other things, ensure that the data controllers and data processors who are connected to the code comply with the code's guidelines. In addition, the Datatilsynet stated that, in order to be accredited, the inspection body must meet a number of requirements which are laid down in the GDPR, and the Datatilsynet must elaborate on these requirements and submit them to the European Data Protection Board ('EDPB').

You can read the press release, only available in Danish, here, and the accreditation requirements here.