Greetings from Brussels!
Interesting development in the Netherlands during the last week. The Dutch data protection authority announced its approval of the "Data Pro Code," a code of conduct drafted by the industry trade association NLdigital, formerly known as Nederland ICT. Incidentally, this is the first industry code of conduct approved by the Dutch regulator under the GDPR. Complying with the code will help members with their GDPR obligations. The association has 600 organizational members across the ICT sectors, of which 75% are SMEs, sitting on an enormous trove of client personal and sensitive data.
The code is more than two years in the making, with a first draft drawn up back in May 2017. Provisional approval was awarded in August 2019 by the Dutch DPA, following which interested parties were able to submit their views. Those opinions were subsequently incorporated into the final decision by the regulatory authority. NLdigital Managing Director Lotte De Bruijn remarked that over the past two years there has been intensive cooperation with the Dutch DPA to get the code over the line. The approach was to deliver a robust code so that it could be formally approved. De Bruijn added that, as the first Dutch industry association to have a code of conduct approved, there was much refinement throughout the approval process.
In a statement, Monique Verdier, vice president of the Dutch DPA, said that many people are impacted by entrusting their personal data to organizations through the consumption of services and products via the digital sector. Ultimately, that means a lot of people will eventually benefit from this code.
The code includes, among other things, a series of practical GDPR compliance tools, such as the “Data Pro Statement” that companies may use to inform potential customers of the data protection safeguards in place. For context, the Data Pro Code is an elaboration of the obligations for data processors based on Article 28 of the GDPR and applies to processing operations in the Netherlands where the Dutch DPA has competency. It is geared primarily toward the small- and medium-sized ICT service providers acting as data processors that can obtain certification through adherence to the code with the endorsement and stamp of the Dutch DPA, a powerful statement. Since the introduction of the certification scheme back in May 2019, dozens of companies have been certified.
An important step that remains is the appointment of an independent supervisory body by the association. The Data Pro Code Supervisor will be responsible for ongoing monitoring of compliance with the code and assessing whether affiliated parties are eligible to apply. They will also handle complaints and investigate violations of the code. The Dutch DPA must also accredit the supervisory body through its own assessment. As is the case for other EU privacy regulators, the Dutch DPA must draw up accreditation criteria for this supervisory function and submit them to the EDPB for approval. This has been done, and an answer is expected before the end of the year.
I spoke with IAPP Country Leader for the Netherlands Jeroen Terstegge to get his initial take, and he said this will be welcomed by the SME sector, which will now have access to a standard set of “approved” clauses for their data protection (processing) agreements. In theory, it should make life easier to contract with smaller processor entities. However, he said there might be a reluctance on behalf of some of the larger data controllers to sign agreements under the processor terms bound by the code, particularly controllers that have invested in their own established compliance programs and processor agreements. We will see how the code plays out.
My understanding is that there are several industry codes of conduct sitting with the Dutch DPA. To be clear, conduct mechanisms are certainly not new to the industry. That said, it seems clear there is considerable work to be done for those codes to be revised, updated and approved (by the regulator) under the GDPR before they can be effectively implemented.