
Spain: AEPD's assessment of codes of conduct - lessons to be learnt

Beyond being widely known and discussed, codes of conduct may set the rules and procedures for specific sectors in relation to data protection. Roger Vilanova Jou, Lawyer at Crowe Legal y Tributario S.L.P., discusses codes of conduct in the context of the Spanish data protection authority's ('AEPD') unfavourable report on one such code, and what can be learnt from this development.


Even though codes of conduct were already foreseen and adopted under previous data protection legislation[1], they have emerged as a valid and useful tool for implementing current personal data protection regulations based on accountability and a risk-based approach.

For those less familiar with codes of conduct[2], they are self-regulatory mechanisms aimed at facilitating voluntary compliance with personal data protection regulations, based on the adoption of specific rules for certain categories of data controllers or processors.

Indeed, it comes as no surprise that the adoption of codes of conduct has been encouraged for the benefits it brings to all parties involved: on the one hand, it allows authorities to gain a better understanding and knowledge of the data processing activities of a specific industry or sector[3]; on the other hand, it enables controllers and processors to demonstrate compliance with personal data protection obligations[4].

So, what must be taken into account for the successful adoption of a code of conduct in Spain? What are the requirements for its proposal to be accepted? Last March, the AEPD issued an unfavourable report on the approval of the code of conduct for the infomediary sector, presented by the Multisectorial Association of Information ('ASEDIE')[5], in which it provides answers to these and other questions related to the approval of a code of conduct and to data processing by the infomediary sector.

The requirements for the approval of a code of conduct

The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') does not identify a minimum content for codes of conduct[6], unlike other Spanish legislation[7], but rather presents, by way of illustration, a series of subjects that may be covered, such as fair and transparent processing, pseudonymisation, or international data transfers.

Among the criteria for the approval of codes of conduct, as the Article 29 Working Party has noted in the past[8], there is a key point: clarity and internal consistency in order to provide real added value, in the terms subsequently developed by the European Data Protection Board ('EDPB') in its Guidelines 1/2019 ('the Guidelines'):

  • the code meets a particular need of that sector or processing activity, with the proposed solutions being beneficial not only to controllers and processors but also to those affected;
  • it enables the implementation of the GDPR by identifying specific needs or key data protection challenges;
  • it specifies the implementation of the GDPR, focusing on the problems of the sector and providing added value, without merely reproducing the precepts of the GDPR;
  • it adopts realistic, achievable, unambiguous, concrete, applicable, and verifiable standards and rules to be followed;
  • the code contains sufficient and effective safeguards to mitigate the risk involved in data processing, as well as to respect the rights and freedoms of individuals; and
  • it provides effective mechanisms for monitoring compliance with the code, both in terms of structures and procedures, with the existence of an accredited supervisory body being mandatory, except in the case of public authorities and bodies.

Specifically, the Guidelines present the admissibility requirements for a code of conduct, which the AEPD used as a reference to analyse the proposed code for the infomediary sector presented by ASEDIE. They are set out below, together with a summary of the AEPD's key observations on each:

1. Explanatory statement and supporting documentation

Content: Detailed, concise, and clear description of the purpose of the code, its scope and how it will facilitate the effective implementation of the GDPR, including supporting documentation and an explanatory memorandum.

AEPD's observations: The need for the code of conduct is justified in (1) the cover letter of the code, which refers to the special impact of data protection rules on the economic activities of companies in the information technology sector, and (2) the explanatory memorandum.

2. Representative

Content: The code owners – who submit the code on behalf of the categories of controllers or processors on the basis of Article 40(2) GDPR – must demonstrate to the competent supervisory authorities ('SAs') that they are an effective representative body.

AEPD's observations: Although the association promoting the code meets the requirements of representativeness demanded by the GDPR, due to the interpretative complexity and speciality of the activity of the infomediary sector, the documentation provided to comply with the formal requirements of the application is not sufficient, for the following reasons:

  • It would have been necessary to attach a justificatory report or similar document to facilitate a better understanding of the activities carried out, the processing of personal data involved, and the solutions proposed in the code;
  • It would have been advisable to attach the consultations carried out or, where appropriate, to identify them and include the promoter's assessment of them in the aforementioned report; and
  • For the proper assessment of certain cases, it would have been necessary to include the corresponding risk analysis and, where appropriate, a Data Protection Impact Assessment.

3. Processing scope

Content: The draft code should have a defined scope that clearly and precisely identifies the operations or characteristics of the processing of personal data that it covers - including the issues that the code is intended to address and the practical solutions it proposes - as well as the categories of controllers or processors to which it applies.

AEPD's observations: The code of conduct clearly and precisely identifies the processing of personal data to which it will be applicable, referring to the processing carried out by ASEDIE members as a consequence of the main activity that constitutes their business purpose, either as data controllers or as data processors.

4. Territorial scope

Content: The draft code should specify whether it is a national or transnational code and describe its territorial scope in detail, identifying all jurisdictions to which it is intended to apply. In the case of a transnational code, a list of the SAs concerned should also be included.

AEPD's observations: The code limits its application exclusively to the territory of Spain, the competent authority for the approval of the code being the AEPD.

5. Submission to a competent SA

Content: Code owners should ensure that the SA chosen to review a draft code is competent under Article 55 GDPR.

AEPD's observations: Duly complied with, no observations by the AEPD.

6. Oversight mechanisms

Content: The draft code should propose mechanisms to monitor compliance with the provisions of the code by stakeholders who commit themselves to its implementation.

AEPD's observations: To this end, the code includes an annual code compliance form, which is configured as a tool that allows the code to be adapted to social reality and to the need for revision or modification. It also provides for audits and inspections to be carried out by the Monitoring Committee. Overall positive assessment, with the following related observations:

  • In many cases, the code reflects mere recommendations, which affects its binding nature.
  • The infringement of systematically collecting and processing data where none of the legal bases in Article 6(1) GDPR apply should be qualified as a serious infringement.

7. Monitoring body

Content: A draft code affecting the processing activities of private organisations must also designate an accredited supervisory body in accordance with Article 41 GDPR and contain mechanisms to enable that body to carry out its functions.

AEPD's observations: A duly accredited Monitoring Commission is established as the supervisory body of the code.

8. Consultation

Content: The draft code should contain information about the extent of stakeholder consultation. Code owners must also demonstrate that consultation has taken place at the appropriate level. The GDPR also provides for the consultation, where possible, of data subjects themselves, as indicated in Recital 99.

AEPD's observations: It would have been necessary for the consultations to have been provided, or at least detailed in the supporting memorandum, which should also have been provided. In the present case, taking into account the singularities of this code, which derive from the use of information from public sources and from the fact that it aims to establish presumptions that the legitimate interest of controllers or third parties prevails over the interests, rights, and fundamental freedoms of data subjects, it would have been necessary to consult those affected, at least through the main associations that represent them.

9. National legislation

Content: Code owners should confirm that the draft code fully respects the relevant national legislation.

AEPD's observations: Overall positive assessment, with the following related observations:

  • There is a breach of Article 11 of Organic Law 3/2018, of 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights ('LOPDGDD'), insofar as there is no information on profiling and on the data subject's right to object.
  • The proposed model information clauses are mere examples without binding nature, which detracts from their added value, and they do not in all cases comply with the provisions of the GDPR and the LOPDGDD.
  • The model notification of inclusion of data relating to the breach of monetary, financial, or credit obligations does not comply with the provisions of Article 20(1)(c) of the LOPDGDD.

10. Language

Content: Code owners must comply with the language requirements of the competent SA when submitting their code. For transnational codes, the code must be submitted in the language of the competent SA and also in English.

AEPD's observations: Duly complied with, no observations by the AEPD.

11. Checklist

Content: The competent SA must determine whether the draft code proceeds to the next stage of full assessment in accordance with Articles 40 and 41 GDPR.

AEPD's observations: Despite the AEPD's involvement in improving the code, some of its substantive recommendations have not been taken up, which in itself could have determined the inadmissibility of this code of conduct.

Lessons learned from the AEPD's unfavourable report

From the assessments made by the AEPD throughout its report, several clues and lessons can be drawn that may support future proposals for codes of conduct in Spain. Moreover, from a practical point of view, they show what position the Spanish SA is adopting in these cases.

Some of them were already included in the Guidelines and have been taken up by the AEPD to make their importance clear in the process of approving a code of conduct. Others have been noted in the table above, when summarising the admissibility requirements set forth by the Guidelines and the AEPD's observations. In addition, the AEPD stresses some important considerations of a general nature:

  • Given the importance acquired by codes of conduct as a consequence of the introduction of the accountability principle, particular care should be taken with regard to the content of the code, which should provide 'real added value'.
  • Codes of conduct should avoid reproducing the content of the articles of the GDPR, if this is not necessary for their proper understanding, and only include its reference. In any case, a distinction should be made between the obligations imposed by personal data protection regulations and those contained in the code of conduct.
  • The request for approval of a code of conduct should not imply the opening of a procedure of revision and improvement of the text through the intervention of the SA. In this regard, the phase of providing clarifications and assistance, which is used by the SA to carry out the evaluation of the code, should not be misunderstood. In any case, it is the promoter of the code who must ensure that the necessary requirements for its approval are adequately met, and not the SA.
  • Related to the previous point, code promoters should be available to respond to questions that need to be clarified with regard to their draft code and be able to do so within a reasonable period of time. It is important that code promoters are prepared and organised to respond to queries raised by the SA in an efficient and competent manner. To this end, it is recommended to provide the competent SA with a single or specific contact point.

In addition, the AEPD specifically reasons that the code of conduct of the infomediary sector presented by ASEDIE cannot be a tool that legitimises the processing of personal data in general terms, exempting the controller from its own assessment, nor can it serve as a general presumption of legitimate interest that removes the need to carry out the corresponding assessment for the specific case.

This is the specific case of several processing operations for which the AEPD, despite having expressed its doubts in a spirit of cooperation and without success, concludes that they do not correctly comply with the provisions of the applicable regulations, for the reasons described below.

Processing derived from the maintenance of credit information systems with data relating to the fulfilment of monetary, financial, or credit obligations (positive solvency files):

  • The regulation of negative solvency files through Article 20 of the LOPDGDD, with a presumption of prevalence of legitimate interest introduced by the Spanish legislator, is different from that of positive solvency files.
  • In this sense, as the Spanish legislator has neither regulated positive files as a case of public interest nor established a presumption of prevalence of legitimate interest, the applicable legal basis for processing personal data must be consent.
  • For the AEPD, the legitimate interest of the data controller or of third parties cannot be considered to prevail over the interests, rights, and freedoms of data subjects in order to legitimise the processing of personal data by the controllers of credit information systems with data relating to the fulfilment of monetary, financial, or credit obligations.

Processing of information on financial solvency with data obtained from public sources or which the data subject has manifestly made public:

  • The legitimate interest of the data controller does not prevail by the mere fact that the data appear in public sources or that they have been manifestly made public by the data subject.
  • The AEPD considers that the necessary compatibility does not exist to justify the further processing of such personal data for the purposes of assessing financial solvency.
  • There is a lack of identification of the data that may be subject to processing.
  • In any event, compliance with the purpose limitation principle set out in Article 5 GDPR must be borne in mind.
  • The use of published personal data for purposes other than those for which they were originally published would only be legitimate on the basis of the data subject's consent, or where provided for by EU or Member State law.

With this report, the AEPD is not discouraging the adoption of codes of conduct through its rigorous and thorough analysis; rather, it values the usefulness of a voluntary accountability tool, as demonstrated by its collaborative attitude throughout the process.

However, in order to give this tool the value it deserves in its entirety, code owners should realise that accountability in the code's adoption process implies a positive effort to facilitate compliance with the applicable data protection regulations.

To this end, the AEPD's observations and the available SA recommendations are key and should be carefully observed. In addition, the help of privacy professionals who properly assess the data processing involved will be essential to succeed with the adoption of future codes of conduct.

Roger Vilanova Jou, Lawyer, Crowe Legal y Tributario, S.L.P., Barcelona

1. Article 27 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (https://eur-lex.europa.eu/legal-content/ES/TXT/HTML/?uri=CELEX:31995L0046) and Article 32 of the former Spanish Data Protection Act 15/1999, of 23 December (https://www.boe.es/buscar/act.php?id=BOE-A-1999-23750).
2. Primarily regulated in Articles 40 and 41 of the GDPR and Article 38 of Spanish Data Protection Act 3/2018, of 5 December ('LOPDGDD').
3. Bodies under Regulation 2016/679 (https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201901_v2.0_codesofconduct_en.pdf).
4. The recognition of codes of conduct as an instrument to demonstrate compliance with the obligations of controllers and processors is set out in Article 24(3) and Article 35(8) of the GDPR.
5. Article 73 of Royal Decree 1720/2007, of 21 December, approving the Regulations for the Development of Organic Law 15/1999, of 13 December, on the Protection of Personal Data (https://www.aepd.es/es/documento/2019-0081.pdf).
6. Without prejudice to the obligation imposed by Article 40(4) GDPR regarding effective control mechanisms.
7. https://www.boe.es/buscar/act.php?id=BOE-A-2008-979
8. In its working document on the procedure for the review of Community codes of conduct, adopted on 10 September 1998 (WP13) (https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/1998/wp13_en.pdf), and in its Opinion 02/2015 on the C-SIG Code of Conduct for Cloud Computing (WP232) (https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=640601).