Datenschutz Zertifizierungsgesellschaft mbH

Monitoring body for codes of conduct

Datenschutz Zertifizierungsgesellschaft mbH (DSZ) is a company founded in 2013 by the associations GDD and BvD, which acts as a monitoring body for codes of conduct in accordance with Art. 40 GDPR. The DSZ not only monitors subscribing entities for compliance with the code of conduct, but also participates in the development of such rules. Codes of conduct serve to specify data protection-compliant processing within the meaning of the GDPR and require approval by the competent supervisory authority. Monitoring bodies for a code of conduct are accredited by the competent supervisory authority.

The DSZ is currently accredited by the State Commissioner for Data Protection and Freedom of Information in Baden-Württemberg as a monitoring body for the “Trusted Data Processor” code of conduct in accordance with Art. 41 GDPR. The code of conduct focuses on the necessary management processes for processors who offer their services in Germany and for the German market. Specific experiences of controllers and their processors have been incorporated into its creation.

The background to the development of the code of conduct is, on the one hand, the continuing questions about the respective obligations and their operational implementation in the context of commissioned processing, which arise from the lack of specific legal requirements. In terms of content, the code of conduct therefore specifies the interaction between the client and the processor, regardless of their sector. This concerns, among other things, the design of control rights, the change of subcontractors, and the processor's own control.

On the other hand, there is a lack of sufficient reference points for identifying a data protection-compliant processor from the perspective of a controller. Processors are confronted with a large number of controllers who wish to exercise their statutory control rights. The code of conduct reconciles these different interests by having a supervisory body verify compliance with standardized and transparent requirements. Controllers can incorporate this monitoring into their control concepts.

Interested in further information?

You can find more information on the “Trusted Data Processor” code of conduct for processors at verhaltensregel.eu.

Code of Conduct “Trusted Data Processor”

The associations “Berufsverband der Datenschutzbeauftragten Deutschlands (BvD) e.V.” (“Professional Association of Data Protection Officers in Germany”) and “Gesellschaft für Datenschutz und Datensicherheit (GDD) e.V.” (“Association for Data Protection and Data Security”) have developed the code of conduct “Trusted Data Processor” specifically for commissioned processing. The code of conduct specifies the interaction between the client and the processor, regardless of their sector, and facilitates the selection of a processor that complies with data protection regulations. The code of conduct confirms the implementation of the requirements of Art. 28 GDPR for processors and applies in addition to existing certificates such as ISO 270001.