Codes of Conduct: The Key to GDPR Compliance for SMEs


After years of anticipation, the EU General Data Protection Regulation (GDPR) entered into force and took effect on May 25, 2018, bringing about several changes to Europe’s current data protection regime.

Among others, these changes include: (a) new obligations for data processors and controllers (such as Data Impact Assessments, Data Protection Officers, Data Breach Reporting, and so on); (b) enhanced rights for data subjects; (c) new accountability requirements (including keeping records of all data collection, storage, transfer, deletion, and other forms of data processing); (d) significant fines for noncompliance (up to 4% of annual worldwide turnover or EUR 20 million, whichever is higher); and (e) wider territorial scope (extending the Regulation's reach outside the EU).

Although the GDPR was adopted almost two years ago, it only recently sneaked onto the agendas of Bulgarian businesses – and it has created mass hysteria. Indeed, the Regulation’s provisions would not seem so remarkable had the provisions of the repealed Directive 95/46/EC and the Personal Data Protection Act been effectively applied in Bulgaria in the past.

Nevertheless, the GDPR is here and Bulgarian businesses must cope with its challenges. The biggest challenge is for micro-enterprises, small and medium-sized enterprises, and those with limited financial resources. They should bring their activities in line with the Regulation, and the question which inevitably arises is how to do so as effectively as possible. The answer to this question lies precisely in the GDPR and the option of drafting and adhering to Codes of Conduct.

What are Codes of Conduct?

Codes of Conduct are drawn up by associations and other bodies representing categories of controllers or processors to facilitate the effective implementation of the GDPR, taking into account the specific features of the various processing sectors and the specific needs of micro, small, and medium-sized enterprises (recruitment agencies, accounting firms, hospitals, etc.). A Code of Conduct may set out the terms which controllers and personal data processors must apply with respect to fair and transparent processing, the legitimate interests pursued by controllers in specific contexts, the collection and pseudonymization of personal data, the exercise of data subjects' rights, data breach notifications, the transfer of personal data to third countries or international organizations, and so on.

How Could a Code of Conduct Help?

Codes of Conduct are approved by the competent regulatory authority – the Bulgarian Personal Data Protection Commission – which is a sufficient guarantee that the terms set out therein meet the numerous requirements of the GDPR.

By taking advantage of this option, companies from specific sectors can unite their efforts and avoid struggling alone to bring their internal policies for personal data processing in line with the Regulation.

Further, adherence to an approved Code of Conduct may also be used as proof of compliance with several obligations for both controllers and processors. A practical example is the obligation of a controller to only use personal data processors which provide sufficient guarantees for the application of appropriate technical and organizational measures to safeguard personal data. Making such an assessment for each of the processors engaged by a controller would significantly impede the process of selecting the right contractor. If, however, a processor adheres to an approved Code of Conduct, this can be used as evidence for providing sufficient guarantees. Thus, on the one hand, such a processor is more attractive to the controllers, and on the other hand, a controller who selects this processor can be more confident that he or she has made the right choice and complied with the obligation under the GDPR. In other words, “hit two rabbits with one shot.”

In addition, adherence to an approved Code of Conduct is one of the mitigating factors considered by the Commission for Personal Data Protection when deciding whether to impose a sanction and determining its amount – and, as indicated earlier, sanctions can be quite substantial. It is important to emphasize that formal adherence to a Code of Conduct is not, by itself, sufficient to avoid a sanction. The terms set out in the Code must be implemented effectively and applied in practice.

The advantages of Codes of Conduct are significant, and controllers, personal data processors, and their associations and partnerships should benefit from them.

By Stefana Tsekova, Partner, Schoenherr

This article was originally published in Issue 5.5 of the CEE Legal Matters Magazine.