The guidelines relate to codes of conduct, accreditation, and certification.

Background: Earlier in June, the European Data Protection Board (EDPB), created as part of the framework set by the GDPR, held its eleventh plenary session. It adopted the following documents.

Guidelines on Codes of Conduct: These provide practical guidance to apply Articles 40 and 41 of the GDPR. The guidelines intend to help clarify the procedures and the rules involved in the submission, approval and publication of codes of conduct at both the national and the European level.

Annex to the Guidelines on Accreditation: The EDPB adopted a final version of the annex to the Guidelines on Accreditation. This helps to implement the provisions of Article 43 of the GDPR to establish a consistent and harmonised baseline for the accreditation of certification bodies that issue certification in accordance with the GDPR. The annex provides guidance on the additional requirements for the accreditation of certification bodies to be established by the supervisory authorities.

Annex to the Guidelines on Certification: The EDPB adopted a final version of annex 2 to the Guidelines on Certification. Some aspects were added to certain sections, for example, whether the criteria address the obligation of the controller/processor to appoint a DPO and the obligation to keep records of the processing activities. The primary aim of these guidelines is to identify overarching criteria relevant to certification mechanisms issued in accordance with art. 42 and art. 43 of the GDPR. The annex identifies topics that data protection authorities and the EDPB will consider to approve a certification mechanism.