The principle of accountability under the GDPR requires that organisations put in place appropriate technical and organisational measures not only to ensure that the processing is compliant, but also to be able to demonstrate this. This translates in practice into documenting data protection practices and choices.
Compliance tools such as codes of conduct, certification mechanisms, and binding corporate rules - as well as appointing a data protection officer - help companies in their compliance efforts and foster individuals’ trust that their personal data is handled responsibly. The EDPB supports the development and implementation of effective compliance tools through its consistency opinions.
Adherence to an approved code of conduct helps organisations to put in place a structured approach to their GDPR compliance efforts. These codes of conduct, prepared by business associations, operationalise GDPR obligations. The codes are approved by data protection authorities and, when they relate to processing activities in several Member States, they are subject to opinions of the EDPB. In certain cases, codes of conduct can also provide appropriate safeguards within the framework of transfers to third countries or international organisations. A list of approved codes of conduct is available here.
Certification is a voluntary tool that helps organisations ensure and demonstrate compliance with the GDPR. Certification mechanisms and data protection seals and marks are operated by accredited bodies. The EDPB issues opinions on certification mechanisms and accreditation criteria to ensure consistency. When certification criteria are approved by an opinion of the EDPB, this may result in a European Data Protection Seal. In certain cases, certification can also provide appropriate safeguards for transfers to third countries. A register of certification mechanisms, seals and marks is available here.
In addition, the register of approved Binding Corporate Rules is available here.