One of the mechanisms intended to contribute to the proper application of the Regulation by the different sectors and industries is the drafting of Codes of Conduct under Art. 40 GDPR by companies and other entities representing controllers or personal data processors. The Codes of Conduct take into account the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises and define the application of specific requirements and principles of the Regulation.

Law and Internet Foundation provides consulting services and assistance in drafting the Code of Conduct under Art. 40 GDPR, consistent with the activity of the consulted organisation regarding the personal data processes and the relevant national and international case law and the applicable legal framework.

As part of the drafting process of the Code of Conduct, the specific features of the organisation are reflected in the implementation of the Regulation with regard to:

  • fair and transparent data processing;
  • the legitimate interests pursued by controllers in specific contexts;
  • the collection of personal data;
  • the pseudonymisation of personal data;
  • the information provided to the public and to data subjects;
  • the exercise of the rights of data subjects;
  • the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;
  • the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32;
  • the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects;
  • the transfer of personal data to third countries or international organisations; or
  • out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.