„We completed the implementation of the GDPR a couple of years ago."
Are you sure about that?
Article 41 GDPR
Monitoring of approved codes of conduct
1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, the monitoring of compliance with the code of conduct pursuant to Article 40 may be carried out by an entity that possesses the necessary expertise in the field covered by the code and has been accredited for that purpose by the competent supervisory authority.
2. The entity referred to in paragraph 1 may be accredited to monitor compliance with the Code of Conduct if:
(a) has demonstrated to the competent supervisory authority in a satisfactory manner its independence and expertise in the field covered by the Code;
(b) has procedures in place to enable it to assess the ability of specific administrators and processors to apply the Code, to monitor their compliance with its provisions and to periodically review its operation;
(c) have procedures and structures to deal with complaints of infringement by the controller or processor or the way in which the controller or processor implements or implements the code and to ensure transparency of those procedures and structures for data subjects and public opinion; and
(d) has demonstrated to the satisfaction of the competent supervisory authority that its tasks and duties do not lead to a conflict of interest.
3.
*
The competent supervisory authority shall submit the proposed accreditation requirements for the entity referred to in paragraph 1 of this Article to the European Data Protection Board in accordance with the consistency mechanism referred to in Article 63.4. Without prejudice to the tasks and powers of the competent supervisory authority and the provisions of Chapter VIII, the entity referred to in paragraph 1 of this Article shall - subject to appropriate safeguards - take appropriate action in the event of a violation of the Code by the controller or processor, including suspending or excluding the controller or processor from applying the Code. It shall inform the competent supervisory authority of these actions and the reasons for them.
5.
**
The competent supervisory authority shall withdraw the accreditation of the entity referred to in paragraph 1 if that entity does not meet or no longer meets the accreditation requirements or if its activities are not in compliance with this Regulation.6. This article does not apply to processing carried out by public authorities and entities.
*Article 41 (3) as amended by correction of 23 May 2018 (EU Decree L, 2018, No 127, paragraph 2) which shall enter into force on 23 May 2018.
**Article 41 (5) as amended by correction of 23 May 2018 (EU Decree L, 2018, No 127, paragraph 2) which shall enter into force on 23 May 2018
