Chapter 4 · Controller and Processor

Article 41Monitoring of approved codes of conduct

All 99 Articles Chapter 4: Controller and Processor

An accredited body with the right expertise monitors compliance with an approved code of conduct, and can act against members that breach it.

Official text & source

Article 41 of the General Data Protection Regulation (Regulation (EU) 2016/679). Read the full, authoritative text on EUR-Lex.

Official text on EUR-Lex

Official text

Verbatim text of Article 41 of the General Data Protection Regulation — Regulation (EU) 2016/679.

Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58 , the monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for that purpose by the competent supervisory authority.

A body as referred to in paragraph 1 may be accredited to monitor compliance with a code of conduct where that body has:

demonstrated its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory authority;

established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;

established procedures and structures to handle complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make those procedures and structures transparent to data subjects and the public; and

demonstrated to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.

The competent supervisory authority shall submit the draft requirements for accreditation of a body as referred to in paragraph 1 of this Article to the Board pursuant to the consistency mechanism referred to in Article 63 .

1 Without prejudice to the tasks and powers of the competent supervisory authority and the provisions of Chapter VIII , a body as referred to in paragraph 1 of this Article shall, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. 2 It shall inform the competent supervisory authority of such actions and the reasons for taking them.

The competent supervisory authority shall revoke the accreditation of a body as referred to in paragraph 1 if the requirements for accreditation are not, or are no longer, met or where actions taken by the body infringe this Regulation.

This Article shall not apply to processing carried out by public authorities and bodies.

GDPR

Table of contents

Report error

Logo

We are a consulting company specialised in the fields of data protection, IT security and IT forensics. CTA

Learn more

Follow us:

XING |

LinkedIn

Rate us:

Please wait...

Source: Regulation (EU) 2016/679 (OJ L 119, 4.5.2016, p. 1). Official text reproduced from EUR-Lex — © European Union. Only European Union legislation published in the Official Journal is deemed authentic.

Related articles

Learn the context

These summaries are a plain-English orientation only and are not a substitute for the official text of the Regulation or for legal advice.

Need to apply Article 41?

Our data-protection lawyers turn the text into a plan.

Talk to a lawyer