Article 41

Monitoring of approved codes of conduct

1. Without prejudice to the tasks and powers of the Commissioner under Articles 57 and 58, the monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for that purpose by the Commissioner.

2. A body as referred to in paragraph 1 may be accredited to monitor compliance with a code of conduct where that body has:

  • (a) demonstrated its independence and expertise in relation to the subject -matter of the code to the satisfaction of the Commissioner ;
  • (b) established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;
  • (c) established procedures and structures to handle complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make those procedures and structures transparent to data subjects and the public; and
  • (d) demonstrated to the satisfaction of the Commissioner that its tasks and duties do not result in a conflict of interests.

3. [THIS ARTICLE IS INTENTIONALLY LEFT BLANK IN THE UK GDPR]

4. Without prejudice to the tasks and powers of the Commissioner and the provisions of Chapter VIII, a body as referred to in paragraph 1 of this Article shall, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the Commissioner of such actions and the reasons for taking them.

5. The Commissioner shall revoke the accreditation of a body as referred to in paragraph 1 if the requirements for accreditation are not, or are no longer, met or where actions taken by the body infringe this Regulation.

6. This Article shall not apply to processing carried out by public authorities and bodies.

Important note about UK GDPR recitals

Recitals to the GDPR are saved into UK domestic law and apply to the interpretation of the UK GDPR. However, they have not been amended upon saving. This may mean that some recitals are no longer relevant if the corresponding provisions have not been retained in UK domestic law. (Tell me more.)

Previous Article
Article 40
Next Article
Article 42
Menu