Trusted Data Processor

Code of Conduct for commissioned processing

The GDPR changed the legal framework for codes of conduct and standardised them across Europe. Codes of conduct that specify data protection-compliant processing within the meaning of the GDPR require approval by the competent supervisory authority. Supervisory bodies for codes of conduct are accredited by the competent supervisory authority.

The Association for the Promotion of Rules of Conduct (VfV), an association founded by the GDD and BvD associations to develop, amend or extend rules of conduct in accordance with Art. 40 GDPR, has developed a rule of conduct for processors (‘Trusted Data Processor’) in accordance with Art. 40 GDPR on the basis of the preliminary work carried out by GDD and BvD. The code of conduct focuses on the necessary management processes for processors who offer their services in Germany for the German market. Specific experiences of controllers and their processors have been incorporated into its creation. The member companies of the GDD and BvD are the primary addressees of the code of conduct, but the code of conduct will also be open to non-members.

The background to the development of the code of conduct is, on the one hand, the continuing questions about the respective obligations and their operational implementation in the context of order processing due to the lack of specific legal requirements. In terms of content, the code of conduct therefore specifies the interaction between the client and the processor, regardless of their sector. This concerns, among other things, the design of control rights, the change of subcontractors and the processor's own control.

On the other hand, there is a lack of sufficient reference points for identifying a data protection-compliant processor from the perspective of a controller. Processors are confronted with a large number of clients who wish to exercise their legally granted control rights. The code of conduct reconciles these different interests by having a supervisory body verify compliance with standardised and transparent requirements. Controllers can incorporate this monitoring into their control concepts.

The State Commissioner for Data Protection and Freedom of Information in Baden-Württemberg approved the national code of conduct ‘Trusted Data Processor’ in November 2022. As part of this process, Datenschutz Zertifizierungsgesellschaft mbH (DSZ) was also accredited as a supervisory body.

Further information

Further information on the code of conduct and the requirements for processors pursuant to Art. 28 GDPR can be found on the DSZ website.