Main content section

UK GDPR

The UK General Data Protection Regulation

Art. 40 GDPR Section 5 - Codes of conduct and certification

Codes of conduct

The Commissioner shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium sized enterprises.
Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:
1. fair and transparent processing;
2. the legitimate interests pursued by controllers in specific contexts;
3. the collection of personal data;
4. the pseudonymisation of personal data;
5. the information provided to the public and to data subjects;
6. the exercise of the rights of data subjects;
7. the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;
8. the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32;
9. the notification of personal data breaches to the Commissioner and the communication of such personal data breaches to data subjects;
10. the transfer of personal data to third countries or international organisations; or
11. out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.
In addition to adherence by controllers or processors subject to this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (e) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards including with regard to the rights of data subjects.
A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of the Commissioner.
Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the Commissioner, who shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if the Commissioner finds that it provides sufficient appropriate safeguards.
Where the draft code, or amendment or extension is approved in accordance with paragraph 5, the Commissioner shall register and publish the code.
[…]
[…]
[…]
[…]
[…]

Corresponding Recitals

98 /uk-gdpr/recital/no-98Preparation of Codes of Conduct by Organisations and Associations
99 /uk-gdpr/recital/no-99Consultation of Stakeholders and Data Subjects in the Development of Codes of Conduct

Associations or other bodies representing categories of controllers or processors should be encouraged to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors and the specific needs of micro, small and medium enterprises. In particular, such codes of conduct could calibrate the obligations of controllers and processors, taking into account the risk likely to result from the processing for the rights and freedoms of natural persons.

View Recital

When drawing up a code of conduct, or when amending or extending such a code, associations and other bodies representing categories of controllers or processors should consult relevant stakeholders, including data subjects where feasible, and have regard to submissions received and views expressed in response to such consultations.

View Recital

Prev. Article

View All

Further Information

This version of the UK GDPR is offered purely as what we hope will be a helpful resource. It does not have the status of law, and should not be relied on as such. Nor do we guarantee it is free from errors. It was originally prepared using a Keeling Schedule made available by the UK Government.

Since then, a consolidated version has also been made available on the legislation.gov.uk pages.

By virtue of section 3 of the European Union (Withdrawal Act) 2018, the GDPR (Regulation (EU) 2016/679) was retained in United Kingdom law as "direct EU legislation". However, the effect of the Data Protection, Privacy and Electronic Communications (Amendments Etc.) (EU Exit) Regulations 2019, as amended by the Data Protection, Privacy and Electronic Communications (Amendments Etc.) (EU Exit) Regulations 2020, was, from 1 January 2021, immediately to make changes to the retained GDPR, and to refer to it as the "UK GDPR". These pages reflect those changes.

This resource includes links to the GDPR recitals. The explanatory notes to the European Union (Withdrawal Act) 2018 confirm that where legislation is converted under section 3, it is the text of the legislation itself which will form part of domestic legislation, and this will include the full text of any EU instrument (including its recitals). Accordingly, recitals will continue to be interpreted as they were prior to the UK’s exit from the EU. They will, as before, be capable of casting light on the interpretation to be given to a legal rule, but they will not themselves have the status of a legal rule. However, it stands to reason that – as the recitals themselves have not been amended – they will in places contain language and references to EU bodies and rules which no longer apply to the UK.

In this resource we link Articles of the UK GDPR to the corresponding recitals. In deciding which recitals correspond to which Articles of UK GDPR, we have drawn on the working document of the EU GDPR which the Information Commissioner had previously published in 2017.