Guidelines 04/2021 on Codes of Conduct as tools for Transfers Adopted on 22 February 2022

The European Data Protection Board

In Article 46 of the GDPR, controllers and processors must put in place effective assurances for transfers of personal data to third countries or international organizations. This is what the GDPR says. As a result, Article 46 of the GDPR expands the types of protections that organizations can use for transfers to third countries. Codes of conduct, for example, are one of them (articles 40-3 and 46-2-e). Article 40-3 says that, once approved by the qualified supervisory authority and given general validity in the Union by the Commission, a code of conduct can be used by controllers and processors not subject to the GDPR in third countries to protect their data when they send it to third countries. According to Article 40-3 of the Data Protection Code, these data controllers and processors must make legally-binding vows?to protect people's privacy and rights. These assurances must be made through contracts or other legally-binding instruments like agreements. The guidelines say what should be included in these vows.

It should also be acknowledged that controllers and processors who are subject to the GDPR can use a code for transfers that a data importer in a foreign nation has agreed to. This means that controllers and processors who are subject to the GDPR can use this code to meet their obligations when they send data to third countries in compliance with the GDPR without having to follow the code independently.

For the purpose of Article 46, a code of conduct for transfers should cover the important principles, rights, and responsibilities that controllers and processors have under the GDPR, as well as the guarantees that are unique to transfers (such as with respect to the issue of onward transfers, conflict of laws in the third country). In light of Article 46 of the GDPR and the CJEU?Schrems II ruling, the regulations can provide check-list of the aspects that should be covered by a code of conduct for transfers. They also take into account the Schrems II ruling.

Article 40-2 of the GDPR says that a code of conduct can be written only for the aim of defining how the GDPR will be applied. It can also be written as a code that is meant to be used for transfers in line with Article 40-3. To use the code for transfers, it may need to be changed to cover all of the above-mentioned things. This is because the original scope and content of the code may need to be changed in order for it to cover all of these things.

These standards, which go along with EDPB Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, explain who each person is and how they work together to set a code that can be used as a tool for transfers. They also show how the adoption process works with flow diagrams.