
GDPR Art.40: Codes of Conduct

What This Control Requires

The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.

In Plain Language

Codes of conduct translate the GDPR's broad requirements into concrete, sector-specific practices. They are voluntary frameworks, usually drawn up by industry bodies or trade associations, that set out how organisations in a particular sector are expected to apply the Regulation: for example, what a fair-processing notice should contain, how a data subject request is handled, or what security measures are considered appropriate for that kind of processing. For smaller organisations especially, they offer a practical, pre-agreed route to demonstrating that you are doing the right things.

Adhering to an approved code carries real weight. Under Article 24(3) it may be used as an element to demonstrate compliance with the accountability principle; under Article 32(3) it helps show that your security measures are appropriate; under Article 28(5) a processor can rely on it to demonstrate sufficient guarantees to controllers; under Article 46(2)(e) a code with binding and enforceable commitments can serve as an appropriate safeguard for transfers to third countries; and Article 83(2)(j) lists adherence to an approved code among the factors supervisory authorities must take into account when deciding whether to impose a fine and how much.

For a code to be approved, its draft must be submitted to the competent supervisory authority, which checks that it complies with the Regulation and provides sufficient appropriate safeguards. Where the code covers processing in several Member States, the authority also submits it to the EDPB under the consistency mechanism, and the Commission may give a code with a favourable EDPB opinion general validity within the Union. Approved codes must include mechanisms for mandatory monitoring by a body accredited by the supervisory authority under Article 41 - this is not a self-certification exercise, and a monitoring body can suspend or exclude a member that breaches the code.

How to Implement

Check whether any approved codes of conduct exist for your sector or processing activities. Look at your national supervisory authority's register of approved codes, the EDPB's register of codes with general validity or opinions, and relevant industry associations. Confirm that the code actually covers your role (controller, processor or both) and your processing activities before relying on it; if it does, joining can materially strengthen your compliance position.

If you decide to adhere to an approved code, implement every requirement it specifies. That typically means adopting the technical and organisational measures the code defines, following its guidance on handling data subject rights, applying its standards for data processing agreements and international transfers, participating in its monitoring and enforcement mechanisms, and maintaining documentation of your adherence.

If there is no relevant code for your sector, consider whether developing one would be worthwhile. Talk to industry associations, trade bodies, and peers. A sector-wide code can give smaller organisations a clear compliance path, build trust with regulators and data subjects, and create a competitive advantage for the industry.

Once you are in, stay current. Participate in monitoring activities, respond to compliance assessments from the monitoring body, fix any non-conformities within the deadlines it sets, and track amendments or updates to the code, since an amended code must be re-approved and your obligations change with it. Keep records of your adherence, assessments and remediation for accountability.

Leverage your code adherence across your compliance programme. Reference it in privacy notices, data processing agreements, and communications with regulators. Cite it in DPIAs as evidence of appropriate measures. It is a tangible signal that your organisation takes data protection seriously.

Evidence Your Auditor Will Request

  • Assessment of available approved codes of conduct relevant to your sector
  • Evidence of adherence to applicable code of conduct requirements
  • Participation records in code monitoring and compliance assessment mechanisms
  • Documentation of code adherence referenced in privacy communications and agreements
  • Records of addressing any non-conformities identified through code monitoring

Common Mistakes

  • Claiming adherence to a code of conduct without actually implementing all its requirements
  • Not participating in the mandatory monitoring mechanisms associated with the code
  • Failing to keep up with amendments or updates to the code of conduct
  • Using code adherence as a substitute for individual compliance assessment rather than a complement
  • Not considering available codes of conduct when developing compliance strategies

Related Controls Across Frameworks

Framework   Control ID   Relationship
ISO 27001   A.5.36       Related (compliance with policies, rules and standards for information security)

Frequently Asked Questions

Is adhering to a code of conduct mandatory?
No, it is entirely voluntary. But the benefits are significant: stronger evidence of compliance, potential fine mitigation, and a simpler way to demonstrate appropriate measures. If an approved code exists for your sector, adhering to it is strongly recommended - it represents recognised best practice.
Does adherence to a code of conduct guarantee GDPR compliance?
It does not. A code is one piece of the puzzle, not the whole picture. You still need to meet all applicable GDPR requirements, including any that the code does not cover. Think of it as a strong foundation that complements - but does not replace - a comprehensive compliance programme.
Can adherence to a code of conduct reduce fines?
Yes. Article 83(2)(j) explicitly lists adherence to approved codes of conduct as a factor to which supervisory authorities must give due regard when deciding whether to impose a fine and setting its amount. In practice it acts as a mitigating factor, showing that your organisation made a genuine effort to comply; the reverse also holds, since a breach of code commitments you publicly claim to follow will count against you. It will not make a fine disappear, but it can meaningfully reduce it.
