Article 40 GDPR
Codes of conduct

P: 98, 99, 108 | W21

1. Member States, supervisory authorities, the European Data Protection Board and the Commission encourage the drafting of codes of conduct to help apply this Regulation properly, taking into account the specificities of the various processing sectors and the special needs of micro, small and medium-sized enterprises.

P: 98

2. Associations and other entities representing certain categories of controllers or processors may develop or amend codes of conduct or expand their scope to clarify the application of this Regulation, among other things with regard to:

P: 77, 81, 98, 99

(a) reliable and transparent processing;

P: 26, 28, 29, 75, 78, 156

(b) legitimate interests pursued by controllers in specific contexts;

P: 81

(c) the collection of personal data;

P: 81

(d) pseudonymisation of personal data;
(e) informing the public and data subjects;
(f) the exercise by data subjects of their rights;
(g) the information and protection of children and how to obtain the consent of the person exercising parental authority or custody of the child;
(h) the measures and procedures referred to in Articles 24 and 25, and the measures ensuring the security of processing referred to in Article 32;
(i) reporting personal data breaches to the supervisory authority and reporting such breaches to data subjects;
(j) the transfer of personal data to third countries or international organisations; or
(k) out-of-court procedures and other dispute resolution mechanisms for resolving disputes between controllers and data subjects regarding processing, without prejudice to the rights of data subjects under Articles 77 and 79.
3. In addition to controllers or processors subject to this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article and generally applicable in accordance with paragraph 9 of this Article may also be adhered to by controllers or processors who, pursuant to Article 3, are not subject to this Regulation, in order to ensure appropriate safeguards in the context of transfers of personal data to third countries or international organisations under the conditions set out in Article 46(2)(e). Such controllers or processors shall enter into a binding and enforceable commitment—by contract or through other legally binding instruments—to apply those appropriate safeguards, including with regard to the rights of data subjects.
4. The code of conduct referred to in paragraph 2 of this Article shall provide for mechanisms enabling the entity referred to in Article 41(1) to carry out mandatory monitoring of compliance with the provisions of the code by controllers or processors who have undertaken to apply it, without prejudice to the tasks and powers of the supervisory authorities competent under Article 55 or 56.
5. Associations and other entities referred to in paragraph 2 of this Article that wish to develop a code of conduct or to amend or extend the scope of an existing code shall submit a draft of the code, amendment, or extension to the supervisory authority competent under Article 55. The supervisory authority shall issue an opinion on the compliance of the draft code, amendment, or extension with this Regulation and shall approve such draft code, amendment, or extension if it considers that they provide appropriate safeguards.
6. If a draft code, amendment or extension is approved in accordance with paragraph 5, the supervisory authority shall register and publish the code, unless it applies to processing activities carried out in several Member States.
7. Where a draft code of conduct concerns processing activities carried out in several Member States, the supervisory authority competent pursuant to Article 55 shall, prior to approving the draft code, amendment, or extension, submit it, in accordance with the procedure referred to in Article 63, to the European Data Protection Board, which shall issue an opinion on the compliance of the draft code, amendment, or extension with this Regulation or, in the situation referred to in paragraph 3 of this Article, an opinion on whether they provide appropriate safeguards.
8. If the opinion referred to in paragraph 7 confirms that the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3, provides adequate safeguards, the European Data Protection Board shall submit this opinion to the Commission.
9. The Commission may, by means of implementing acts, determine that an approved code of conduct, amendment, or extension submitted to it pursuant to paragraph 8 of this Article is generally applicable within the Union. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).
10. The Commission shall ensure adequate dissemination of the approved codes, the universal applicability of which it has determined in accordance with paragraph 9.
11. The European Data Protection Board compiles all approved codes, amendments and extensions into a registry and makes them available to the public through appropriate means.