Guidelines 04/2021 on Codes of Conduct as tools for transfers

published on 23 March 2022 | reading time approx. 5 minutes

On 22 February 2022, the European Data Protection Board adopted version 2.0 of its Guidelines 04/2021 on Codes of Conduct as tools for transfers.

The need for a harmonised European framework on codes of conduct as tools for transfers stems from their increasing relevance both as a means of demonstrating accountability and as an appropriate safeguard for transfers of personal data.

The GDPR provides that “any transfers of personal data to third countries or international organisations shall take place only if the conditions laid down in this Regulation under articles 44 and following of the GDPR are complied with by the controller and processor”. In the absence of an adequacy decision, a controller or a processor may transfer personal data to a third country or an international organisation only if appropriate safeguards are in place.

Under Article 46, paragraph 2, of the GDPR, the appropriate safeguards that do not require any specific authorisation from a supervisory authority include, under letter e), “an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights”.

In fact, under Article 40, paragraph 3, of the GDPR, a “code of conduct approved and having general validity pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations”.

To this end, such controllers/processors must make binding and enforceable commitments, i.e. through a contract or other legally binding instrument, by which they are able to demonstrate that the commitments are binding and enforceable under EU law and that they are enforceable by data subjects as third-party beneficiaries.

These guidelines complement the EDPB Guidelines 1/2019 on “Codes of Conduct and Monitoring Bodies under Regulation 2016/679” and provide practical guidance on the content of such codes of conduct, on their adoption process (with flow charts) and on the actors involved.

The actors involved in setting up a code of conduct to be used as a tool for transfers, and their roles, are as follows:
  • A Code Owner;
  • A Monitoring Body;
  • Supervisory Authority (“SA”);
  • EDPB;
  • European Commission.

The code owner is the entity (a group of companies, an association/federation representing categories of controllers/processors in the same sector, or another body) that prepares a code of conduct, or amends an already approved “GDPR code” so that it can be used as a tool for transfers, and submits it to the competent SA for approval.

Under Article 41 of the GDPR, the code member identifies a monitoring body as part of the code. The role of the monitoring body is to monitor the compliance of third-country code members with the rules set out in the code. It may be located inside the EEA or outside the EEA, provided it has an establishment in the EEA.
A monitoring body in the EEA may subcontract its activities to an external entity outside the EEA, acting on its behalf, under certain conditions (i.e. that such entity has the same competence and expertise required by the accreditation requirements, and that the EEA monitoring body is able to ensure effective control).

However, recourse to subcontracting does not result in a delegation of responsibilities. The monitoring body must include a clause in the contract binding the subcontractor to the confidentiality of the data.

Furthermore, the role of the competent SA is to approve the draft code of conduct, or the amendments making an existing code usable as a tool for transfers, and to accredit the monitoring body identified as part of the code of conduct.

The EDPB is then asked to issue an opinion on the draft decision of the SA approving a code of conduct intended for transfers, or approving an amendment so that an existing code can also be used as a tool for transfers. Finally, the Commission may decide, by adopting an implementing act, that a code intended for transfers and approved by an SA has general validity within the Union and may be relied upon for framing transfers.

In terms of content, for a code to serve as an appropriate safeguard under Article 46 of the GDPR, the elements to be addressed are: 1) the essential principles, rights and obligations arising under the GDPR for controllers/processors and 2) specific guarantees for transfers (e.g. onward transfers and conflicts of law in the third country).

The contract or other instrument should address:
  • The right for data subjects whose data are transferred under the code of conduct;
  • The jurisdiction clause wherewith data subjects shall have the possibility in case of violation of rules to bring a claim, by invoking their third-party beneficiary right, including for compensation;
  • The right for the exporter to enforce against the code member acting as importer the rules under the code as a third-party beneficiary;
  • The obligation of the importer to notify the exporter, and the SA of the data exporter, of any detected violation by the same code member outside the EEA and of any corrective measures taken by the monitoring body.

The EDPB provides a checklist of elements to be included in a code of conduct for transfers, which should cover the following:

  • A description of transfers to be covered by the code of conduct (nature of data transferred, categories of data subjects, countries);
  • A description of the data protection principles to be complied with under article 5 of GDPR, including rules on using processors or sub-processors and rules on onward transfers;
  • Accountability principle measures to be taken under the code;
  • The provision of an appropriate data protection governance through DPOs or other privacy staff in charge; 
  • The existence of a suitable training program on the obligations arising from the code;
  • The existence of a data protection audit (by either internal or external auditors) or other internal mechanism for monitoring compliance with the code;
  • Transparency measures, including easy access, in particular with respect to third party beneficiary rights;
  • The provision of data subject rights under articles 12, 13, 14, 15, 16, 17, 18, 19, 21 and 22 GDPR;
  • The creation of third-party beneficiary rights for data subjects to enforce the rules of the code as third-party beneficiaries (as well as the possibility to lodge a complaint before the competent SA and before EEA Courts); 
  • An appropriate complaint handling process for infringements of data protection rules, maintained by the monitoring body, which may be complemented by an internal procedure of the code member;
  • The mechanisms for dealing with changes to the code;
  • The consequences of withdrawal of a member from the code; 
  • A commitment for the code member and monitoring body to cooperate with EEA SAs; 
  • A commitment for the code member to accept to be subject to the jurisdiction of EEA SAs in any procedure aimed at ensuring compliance with the code of conduct and EEA Courts;
  • The criteria for selecting the monitoring body of a code intended for transfers, i.e. evidence that the monitoring body has the requisite level of expertise to carry out its role effectively.

These guidelines are very important for all market sectors, given their wide application: a code of conduct can help the code owner demonstrate accountability under the GDPR and ensure compliance, in particular, with the obligations on transfers of personal data, and can provide a consistent level of protection of personal data outside the EEA in line with the CJEU Schrems II ruling. To ensure that codes of conduct offer appropriate safeguards as transfer tools, these guidelines provide a checklist of the elements to be covered by a code of conduct intended for transfers.

Author
Flavia Terenzi
Senior Associate

DATA PROTECTION BITES
