Our comments on the Board's (EDPB) Guidelines on codes of conduct and monitoring bodies

Mon, 04/15/2019 - 12:27
Dagital comments

On 1 April 2019 we sent the Board (European Data Protection Board) the following comments on the draft Guidelines 1/2019 of the Board on codes of conduct and monitoring bodies.[1] These comments were prepared on behalf of and with the support of the Slovak Banking Association.[2] Our comments concern the order of steps in the approval of a code of conduct and the accreditation of monitoring bodies, and the interpretation of the term "transnational code of conduct".

1.  The correct order of approval and accreditation

Since 2017, we have actively supported a public debate in Slovakia on what should be the correct order of steps to achieve CoC approval and accreditation of monitoring body. In our opinion, the GDPR does provide an answer in the following provisions:

  • Article 40 (1) of the GDPR according to which the Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of the GDPR;
  • Article 40 (4) of the GDPR according to which the CoC shall contain mechanisms which enable the monitoring body to carry out the mandatory monitoring; and
  • Second sentence of Article 40 (5) of the GDPR according to which the supervisory authority shall provide an opinion on whether the draft code complies with the GDPR and shall approve that draft code if it finds that it provides sufficient appropriate safeguards.

It stems from the above provisions that the CoC shall be approved by the supervisory authority provided that the CoC: (i) contains certain monitoring mechanisms not specifically defined by the GDPR; (ii) complies with other provisions of the GDPR; and (iii) provides sufficient appropriate safeguards, also not specifically defined by the GDPR. Therefore, we believe it is possible for the supervisory authority to approve the CoC without a monitoring body yet being accredited. We believe there are several sound arguments in favour of the approval of the CoC being a step preceding the accreditation of the monitoring body, in particular:

a.    It seems to us that the more natural order of steps – also following the order of Articles 40 and 41 of the GDPR – is to first have the CoC approved and then to have the accreditation granted to a monitoring body for a specific (already approved) CoC. Associated sectors naturally start the debate about the contents of the CoC first and only then move to the accreditation process of a monitoring body. It is unreasonable to expect a reverse order of steps from any sector, more so if the regulators and Member States should actively encourage drawing up the codes in the first place, not postpone it.

b.  The accreditation process and the rigorous documentary obligations outlined by the Guidelines should be strongly linked and referred to a particular wording of the approved CoC, which also stems from the Slovak Data Protection Act as per Annex No. 3 hereto. It is impossible to achieve accreditation of a monitoring body for a CoC with unknown wording.

c.   If the GDPR or any Member State law refers to a CoC, it is inevitable that a CoC already approved by the supervisory authority under Article 40 of the GDPR is meant here. Any other interpretation would mean that a monitoring body could monitor compliance with a draft CoC which is not yet approved and might be contrary to the GDPR.

d.   Most importantly, it does not stem from the GDPR that a monitoring body must first obtain accreditation under Article 41 of the GDPR for the supervisory authority to be able to approve the CoC.

In light of the above provisions (mainly Article 40 (5) of the GDPR) and the arguments put forward above, we urge the EDPB to reconsider paragraph 60 on page 19 of the Guidelines, according to which:

“In order for a code (national or transnational) to be approved, a monitoring body (or bodies), must be identified as part of the code and accredited by the CompSA as being capable of effectively monitoring the code.”

The above interpretation in the Guidelines requires code owners to start the accreditation procedure before a consensus on the CoC content / wording is reached. This requirement is contrary to several provisions under Section 87 of the Slovak Data Protection Act, the translation of which we attach in Annex No. 2 hereto, and currently makes the approval of a CoC under Slovak law a process of several years, as we explain below.

Slovakia was one of the Member States that had the key national data protection legislation prepared and effective as of 25th May 2018. We believe it was a duty of every Member State to do so. Section 87 of the Slovak Data Protection Act deals with the monitoring body under Article 41 of the GDPR and refers on a number of occasions, impliedly or explicitly, to the approved CoC. See for example sub-paragraphs (3); (4); (6); (7) or (12) of Section 87, as highlighted in Annex No. 2 hereto.

Reading the Guidelines together with Section 87 (20) of the Slovak Data Protection Act, the approval of a CoC would currently be subject to:

a.  the Office submitting draft accreditation criteria to the EDPB, where there is no statutory deadline for this;

b.  the EDPB approving draft accreditation criteria submitted by the Office, where there is no statutory deadline for this;

c.  the Office adopting a legislative decree on the accreditation criteria, where there is no statutory deadline for this;

while at the same time the basic statutory period for approval of the CoC, as well as for granting accreditation, under the Slovak Data Protection Act is three months (which can be prolonged by the Office). Please note that these are (in Slovakia) separate administrative proceedings, distinct from each other. As we assess the above requirements, this would push the possibility of any approval of the CoC towards 2020 and beyond.

Such a requirement is not in line with the obligation of the regulators and the Member States to encourage drawing up the CoC under Article 40 (1) of the GDPR, and also not in line with the obligation of the supervisory authority to draft an opinion within a reasonable period of time unless a specific timeline is prescribed under national law.[3]

We understand that the counter-argument to our interpretation might be that monitoring of the CoC by a monitoring body is mandatory. However, such a counter-argument could only stem from an interpretation of Article 40 (4) of the GDPR, which primarily refers to the mandatory contents of the CoC being monitoring mechanisms, not to the monitoring as such – which is subject to Article 41 of the GDPR.

These monitoring mechanisms should “enable monitoring body to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it”. However, the primary role of the CoC as per recital 98 of the GDPR is to “facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors and the specific needs of micro, small and medium enterprises.”

This primary role of the CoC can undoubtedly be achieved with an approved CoC which is not yet monitored by an accredited monitoring body. Such a conclusion stems from the legal certainty and highly authoritative status that a CoC approved by the supervisory authority brings.

Therefore, we suggest that the prior accreditation of a monitoring body is removed from the Guidelines as a requirement for the approval of the CoC.

2.  Interpretation of transnational CoC under Article 40 (7) of the GDPR

In our previous comments on the EDPB's Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), we highlighted the need for establishing a rule on the applicable Member State law, generally in line with the previous regime under Directive 95/46/EC, using the Analogy proposed therein. For ease of reference, we hereby attach our previous comments on this topic in Annex No. 3 hereto. The necessity of such a test also comes into play in the interplay with Article 40 (7) of the GDPR, which makes a distinction between a purely national CoC and a “transnational” CoC which “relates to processing activities in several Member States”.

This requirement can be seen as very broad, open, vague and unexplained by the GDPR. Allowing a broad interpretation of such a requirement would make a national CoC practically impossible, because any processing can be “related” to processing activities in several Member States, especially if the controllers/processors applying the CoC are formed in group structures or use service providers located in different Member States.

The following wording in Appendix 1 of the Guidelines does not remove the possibility of such a broad interpretation and therefore, in our view, should be further elaborated on:

“As such, a transnational code may relate to processing activities carried out by a multiplicity of controllers or processors in several Member States without necessarily amounting to ‘cross-border processing’ as defined in Article 4(23) of the GDPR. Therefore, where a code of conduct adopted by a national association in one Member State covers processing activities by its members in several Member States, it will qualify as a transnational code. Whereas if an association with a code approved at national level is joined by an international member that conducts cross-border processing, that member could only claim the benefit of the approved code for processing activities in the Member State which approved the code.”

The above interpretation of the transnational CoC in the Guidelines is not clear in our view. The first sentence provides that the transnational CoC does not refer to cross-border processing. The second sentence only repeats the wording of Article 40 (7) of the GDPR. However, the third sentence makes a reference to the relationship between cross-border processing and the application of the CoC in the given Member State, i.e. the territorial scope of Member State data protection law. Yet the territorial scope of Member State data protection law is itself currently unclear, as the GDPR and the previous Guidelines 3/2018 do not yet provide an answer on how it should be determined.

We agree with the EDPB that the requirement of a transnational CoC has to be put into context and into relationship with the test for establishing the applicable Member State law. Using the Analogy proposed in Annex No. 3 hereto and in our previous comments, we believe it is clear that the scope of the applicable Member State law, similarly to the scope of the GDPR, is not determined on the basis of where the processing takes place.

Therefore, we suggest that the transnational CoC under Article 40 (7) of the GDPR should be interpreted as a CoC that is intended to be applied together or in conjunction with several applicable Member State laws, i.e. at least two different Member State laws. In contrast, limiting the territorial scope of the CoC only to the particular Member State law – irrespective of where the processing takes place – would mean a reference to a national CoC. Our interpretation proposal seems to be in line with paragraph 24 of the Guidelines, which we fully agree with:

“The draft code must specify whether it is a national or transnational code and provide details in relation to territorial scope, identifying all relevant jurisdictions to which it intends to apply.”

Although Article 40 (7) of the GDPR and the above suggestion only increase the necessity to draw up a test for establishing the applicable Member State data protection law, this is, however, not the subject-matter of these Guidelines, but of Guidelines 3/2018.

In addition, we do not understand the flow chart in Appendix 4 of the Guidelines, because the Guidelines do not explain the flow chart and do not make a single reference to that Appendix / flow chart. The contents of the flow chart seem to go beyond, or be contrary to, what stems explicitly from the GDPR. Therefore, we suggest that Appendix 4 should be removed, or explained solely for the purpose of the transnational CoC (due to the reference to the EDPB and “Concerned SAs”).