Skip to content

On August 27, 2020 the Dutch Data Protection Authority (Dutch DPA) announced that it approved the first ‘code of conduct’ in the Netherlands, the Data Pro Code. The Data Pro Code was drafted by NL Digital, the Dutch industry association for organizations in the ICT sector in the Netherlands.

What is a ‘Code of Conduct’?

Under the EU General Data Protection Regulation (GDPR), organizations must implement ‘appropriate measures’ on an organizational, technical, and legal level and be able to demonstrate their compliance with the GDPR. In order to help companies from particular sectors with this obligation, GDPR allows associations and other bodies representing categories of controllers or processors to prepare codes of conduct that specify what data controllers and processors need to do in order to be GDPR compliant.

By means of best practice, such codes of conduct clarify the obligations of controllers and processors, thereby taking into account the risk likely to result from the processing for the rights and freedoms of natural persons. Once drafted, the codes must be approved by the relevant national data protection authority.

Why apply ‘Codes of Conduct’?

Companies that apply codes of conduct may thereby ensure that they conform with the GDPR effectively. In addition, the adherence to codes of conduct means that the company follows GDPR requirements in a manner that is considered as good practice within the sector.

What does the Data Pro Code entail?

The Data Pro Code focuses on the ICT sector in the Netherlands and provides further explanation of data processors’ obligations under the GDPR. In particular, the code offers the relevant Dutch processors practical information about open standards from the GDPR.

An important element is compliance with GDPR information obligations which require a data processor to inform its customer (the data controller) about its security measures. Such information must be provided in a way which allows the customer to assess whether the measures are sufficient, given the intended use of the service or product by the customer.

Data processors which apply the Data Pro Code may comply with this obligation by completing a Data Pro Statement which is then made part of the data processing agreement between the processor and the customer. The data processor thereby informs its customer (i) how it has implemented the GDPR’s security measures, (ii) what certification it holds and (iii) how it is processing the customer’s data (incl. duration, possible ways of deletion and retention period).

Supervision of the Data Pro Code

Compliance with the Data Pro Code is supervised by an independent body, the Data Pro Supervisor. A data processor who wishes to apply the Data Pro Code must accept an independent assessment of its activities. In addition, the processor can be certified as an adherer to the Data Pro Code and be included in a Data Pro Code Register, which is managed by the Data Pro Supervisor. This enables potential customers to view the code membership and ensures that the processor’s compliance with the GDPR is monitored by the Data Pro Supervisor. This monitoring, in turn provides assurance that the code of conduct can be trusted.

Next steps

Currently, the criteria that the Data Pro Supervisor must meet are submitted to the European Data Protection Board for advice. The Dutch DPA expects a definite answer within the course of this year.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Greenberg Traurig Greenberg Traurig

Willeke Kemkers is a member of the IP / Tech department of Greenberg Traurig’s Amsterdam office. She focuses on a broad range of intellectual property issues, including proceedings, drafting of (commercial) contracts and providing of advice regarding transactions (mergers and acquisitions). Willeke also

Willeke Kemkers is a member of the IP / Tech department of Greenberg Traurig’s Amsterdam office. She focuses on a broad range of intellectual property issues, including proceedings, drafting of (commercial) contracts and providing of advice regarding transactions (mergers and acquisitions). Willeke also has deep knowledge of EU e-commerce regulations and regularly counsels clients with respect to the interpretation and application of the relevant laws.

Furthermore, Willeke counsels clients on a wide range of privacy issues such as data processing agreements, cross-border transfers of data, privacy policies and data breaches. With respect to the coming into force of the GDPR, Willeke prepared clients from many different industries (transport, medical, legal) to be GDPR compliant.

Willeke also has experience with drafting and reviewing of IT contracts including hosting (cloud), outsourcing (SaaS, Iaas and Paas) and IT development contracts.

Photo of Carsten A. Kociok Carsten A. Kociok

Carsten Kociok focuses his practice on the technology industry. He has broad experience in the areas of Internet, information technology, electronic and mobile payments and new media, as well as regulatory and data protection law issues.

Carsten advises national and international companies from

Carsten Kociok focuses his practice on the technology industry. He has broad experience in the areas of Internet, information technology, electronic and mobile payments and new media, as well as regulatory and data protection law issues.

Carsten advises national and international companies from the Internet, payments and technology industries on the commercial and regulatory side of their business, in particular in the areas of e-commerce and e-business, electronic and mobile payments, service distribution, franchising, outsourcing and technology transactions. This includes all aspects of e-money and payments law, financial services law, data protection and data security regulations, money laundering obligations as well as marketing, unfair competition, consumer protection and general contract law.

Prior to joining the firm, Carsten worked at Olswang for eight years and in the Capital Transaction Practice Group of an international law firm in New York.

Photo of Dr. Viola Bensinger Dr. Viola Bensinger

Viola Bensinger is Global Co-Chair of the Greenberg Traurig’s IP & Technology Practice Group and the Global Data Privacy & Cybersecurity Practice, and also chairs the Technology Practice in Germany. She advises clients from the technology, media, health care, automotive and other industries.