Dutch Data Protection Authority approves Code of Conduct for Data Processors in the ICT Sector
On August 27, 2020 the Dutch Data Protection Authority (Dutch DPA) announced that it approved the first ‘code of conduct’ in the Netherlands, the Data Pro Code. The Data Pro Code was drafted by NL Digital, the Dutch industry association for organizations in the ICT sector in the Netherlands.
What is a ‘Code of Conduct’?
Under the EU General Data Protection Regulation (GDPR), organizations must implement ‘appropriate measures’ on an organizational, technical, and legal level and be able to demonstrate their compliance with the GDPR. In order to help companies from particular sectors with this obligation, GDPR allows associations and other bodies representing categories of controllers or processors to prepare codes of conduct that specify what data controllers and processors need to do in order to be GDPR compliant.
By means of best practice, such codes of conduct clarify the obligations of controllers and processors, thereby taking into account the risk likely to result from the processing for the rights and freedoms of natural persons. Once drafted, the codes must be approved by the relevant national data protection authority.
Why apply ‘Codes of Conduct’?
Companies that apply codes of conduct may thereby ensure that they conform with the GDPR effectively. In addition, the adherence to codes of conduct means that the company follows GDPR requirements in a manner that is considered as good practice within the sector.
What does the Data Pro Code entail?
The Data Pro Code focuses on the ICT sector in the Netherlands and provides further explanation of data processors’ obligations under the GDPR. In particular, the code offers the relevant Dutch processors practical information about open standards from the GDPR.
An important element is compliance with GDPR information obligations which require a data processor to inform its customer (the data controller) about its security measures. Such information must be provided in a way which allows the customer to assess whether the measures are sufficient, given the intended use of the service or product by the customer.
Data processors which apply the Data Pro Code may comply with this obligation by completing a Data Pro Statement which is then made part of the data processing agreement between the processor and the customer. The data processor thereby informs its customer (i) how it has implemented the GDPR’s security measures, (ii) what certification it holds and (iii) how it is processing the customer’s data (incl. duration, possible ways of deletion and retention period).
Supervision of the Data Pro Code
Compliance with the Data Pro Code is supervised by an independent body, the Data Pro Supervisor. A data processor who wishes to apply the Data Pro Code must accept an independent assessment of its activities. In addition, the processor can be certified as an adherer to the Data Pro Code and be included in a Data Pro Code Register, which is managed by the Data Pro Supervisor. This enables potential customers to view the code membership and ensures that the processor’s compliance with the GDPR is monitored by the Data Pro Supervisor. This monitoring, in turn provides assurance that the code of conduct can be trusted.
Currently, the criteria that the Data Pro Supervisor must meet are submitted to the European Data Protection Board for advice. The Dutch DPA expects a definite answer within the course of this year.