Sweden: IMY establishes requirements for supervisory bodies of codes of conduct
On September 7, 2023, the Swedish data protection authority (IMY) published its Decision No. IMY-2022-6945, as issued on the same date, in which it determined the requirements that bodies tasked with monitoring compliance with codes of conduct must meet in order to be accredited under Article 41(2) of the General Data Protection Regulation (GDPR). In particular, the IMY notes that the decision aims to implement the European Data Protection Board's (EDPB) Guidelines 1/2019 on codes of conduct and supervisory bodies under the GDPR.
The IMY outlined that a code of conduct can be a useful tool for personal data controllers to demonstrate compliance with the requirements of the GDPR, and may be used to determine requirements and protective measures appropriate for personal data processing in certain sectors and industries. Accordingly, the IMY considered that the approval of codes of conduct by supervisory authorities would ensure compliance with the provisions of the GDPR. Further, the IMY stipulated that the supervisory authorities' monitoring does not replace the IMY's power to take action in the event of a suspected violation of the GDPR.
Nonetheless, the IMY clarifies that for a code of conduct to be approved by a competent supervisory authority or the EDPB, it must contain mechanisms for monitoring by an independent supervisory authority. Specifically, for a monitoring body to be accredited by a competent supervisory authority, the monitoring body must:
- demonstrate its independence and expertise in relation to the purpose of the code of conduct in a manner the IMY finds satisfactory;
- establish procedures by which it can assess the suitability of the relevant data controllers and data processors to apply the code of conduct;
- establish procedures and structures to deal with complaints about breaches of the code of conduct or the way in which it is applied or has been applied by a controller or processor; and
- demonstrate that its duties and tasks do not lead to a conflict of interest.
You can read the press release here and the decision here, both only available in Swedish.