Utilizziamo cookies e tecnologie similari per migliorare l’esperienza all’interno del sito e offrire all’utente un servizio di maggior valore. I cookie presenti su questo sito sono cookie tecnici per garantire il funzionamento del sito e cookie analitici, anche di terze parti, utilizzati da noi e dai nostri partner per misurare le performance del Sito e capire i contenuti che vi interessano. Per accettare i cookie clicca «accetta i cookie analitici». Per rifiutare i cookie clicca «rifiuta i cookie analitici». Per maggiori informazioni ti invitiamo a leggere la nostra Cookie Policy.

Most frequent problems when approving codes of conduct: remarks of the supervisory authority in Poland


published on 25 November 2021 | reading time approx. 4 minutes

In the publication of 27/10/2021 the President of the Personal Data Protection Office (PDPO) has highlighted a number of problems which arise most frequently in connection with working on draft codes of conduct aimed at clarifying the application of the GDPR in specific industries.

Mistakes repeated by owners of the codes of conduct may prolong the approval procedure, work on the draft code may be suspended or even abandoned altogether.

Therefore, the President of the PDPO pointed out the following mistakes repeated by code owners:

I. No clear and concise explanatory statement

One of the most common mistakes identified by the supervisory authority at the first stage of reviewing codes of conduct is lack of clear and concise explanatory statement, which should provide details as to the purpose of the code, the scope of the code and how it will facilitate the effective application of the GDPR in a given industry. The supervisory authority recommends that the explanatory statement be provided as an introduction or as a separate chapter of the code.

II. The applying entity is not the majority of businesses in the sector 

The applicant should prove that it really represents the industry on behalf of which it has filed the application. A code must be submitted by an association/consortium of associations or other bodies representing categories of controllers or processors in accordance with Article 40(2).

According to the Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/67 issued by the European Data Protection Board (EDPB) (the Guidelines), the code owners must demonstrate that they are an effective representative body and that they are capable of understanding the needs of their members and clearly defining the processing activity or sector to which the code is intended to apply (paragraph 22 of the Guidelines). 

III. No indication of the applicant

It is often the case that none of the authorised entities wants to be the applicant in the code approval procedure.

IV. Too narrow scope of consultation

The supervisory authority pointed out that mandatory consultation often does not include data subjects, among others, users or clients or organisations acting on their behalf. 

The draft code must include information on the scope of consultation. Recital 99 of the GDPR indicates when drafting a code (or amending/extending) a consultation should take place with the relevant stakeholders including data subjects, where feasible (paragraph 28 of the Guidelines). 

V. Too detailed report on the consultation

The President of the PDPO expects a synthetic report on the consultation including its key issues. The role of the President of the PDPO is not to review extensive documentation reflecting in detail the course of the consultation – it is only to assess whether the scope of the consultation was appropriate and whether any provisions of the draft code have been amended as a result of the consultation, and if so, which ones.

Public consultation is helpful in finding out whether the content of the draft code is clear, in line with Article 12 GDPR. Apart from data controllers and processors, this document is also often addressed, in the first place, to data subjects, including consumers, patients, service recipients, employees, whose data are to be processed, and thus the provisions of the code should be clear and understandable to them.

VI. Too comprehensive approach to data processing 

Code of conduct should resolve the key problems of the sector. Too comprehensive approach to data processing makes it impossible to approve the code as there are many contentious issues that are difficult to resolve in a single document. 

The code should above all regulate the issues related to the specific nature of the sector which it concerns. If the code deals with too many issues, it may lead to attempts to regulate issues in it which go far beyond the industry for which the code is drafted. 

VII. Re-stating the GDPR and national laws

A code should not just re-state the GDPR. Instead, it should aim to codify how the GDPR shall apply in a specific, practical and precise manner. The agreed standards and rules will need to be unambiguous, concrete, attainable and enforceable (testable). Setting out distinct rules in the particular field is an acceptable method by which a code can add value. Using terminology that is unique and relevant to the industry and providing concrete case scenarios or specific examples of ‘best practice’ may help to meet this requirement (paragraph 37 of the Guidelines).

VIII. No reference to sector-specific regulations, guidelines, opinions and decisions of the EDPB and the case law

Failure to quote specific sector regulations and guidelines, opinions and decisions of the EDPB in the code in reference to a specific sector or a specific processing activity, or making just a general reference to specific regulations regarding the processing of personal data in the sector is another most frequent problem observed by the President of the PDPO. The same is true for the applicants' failure to cite case law deciding the issues governed by the code.

The duration of the code approval procedure is also significantly affected by the fact that the stakeholders wait for the sector-specific regulations to change when they are drafted by the government or when the implementation of EU regulations is expected. If the regulated processing activities may change after legal amendments, the supervisory authority finds it reasonable in such a case to wait with consultation or filing a code approval application. Some doubts and demands may also be signalled by the stakeholders in the legislative process.

Another problem is that issues concerning the monitoring bodies are not regulated and no effective monitoring mechanisms have been developed.

Codes represent an opportunity to establish a set of rules which contribute to the proper application of the GDPR in a practical, transparent and potentially cost effective manner that takes on board the nuances for a particular sector and/or its processing activities. The initiative of the President of the PDPO is aimed at preventing other entities applying for the approval of the code in the future from making the mistakes described above.

The checklist to be followed before submitting the draft code, developed by the EDPB and made Appendix 3 to the Guidelines, may also be helpful to code owners.


Our newsletter aims at collecting updates, news and insights on data protection matters worldwide, 
with a special focus on the GDPR. 


Contact Person Picture

Aneta Siwek

Attorney at Law

+48 32 721 23 94

Invia richiesta


​Discover more about our offices in Poland. Read more »
Deutschland Weltweit Search Menu