European Union: EDPB adopts guidelines on codes of conduct for data transfers

On 22 February 2022, the European Data Protection Board (EDPB) adopted the second version of the guidelines 04/2021 on Codes of Conduct as tools for transfers, following a public consultation on the first version published on 7 July 2021. The guidelines outline the conditions for transferring personal data to countries outside the European Union (EU) based on a code of conduct. Furthermore, it provides clarifications regarding the role of the actors involved in the development of a code of conduct. The General Data Protection Regulation (GDPR) allows industry associations to create a code of conduct that consists of specific rules for a certain industry sector but the European Commission has to declare it generally applicable. The code of conduct that was validated by the Commission can be used by controllers, processors and companies that are not subject to the GDPR to ensure that the necessary safeguards are in place to protect the data transferred to a third country.