
GDPR Art.41: Monitoring of Approved Codes of Conduct

What This Control Requires

Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, the monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for that purpose by the competent supervisory authority.

In Plain Language

A code of conduct is only as good as its enforcement. Article 41 ensures that approved codes have teeth by requiring structured monitoring through an accredited body. Organisations cannot simply claim they follow a code - someone independent checks that they actually do.

The monitoring body sits between the supervisory authority and the organisations adhering to the code. It assesses whether members genuinely meet the requirements, investigates complaints, takes action against organisations that fall short (including suspension or exclusion), and reports back to the supervisory authority. Its independence and subject-matter expertise are what give the code credibility.

To be accredited, a monitoring body must demonstrate relevant expertise, have clear procedures for assessing adherence, handle complaints effectively, and operate free from conflicts of interest. For codes with cross-border reach, the EDPB gets involved through the consistency mechanism.

How to Implement

If your organisation adheres to an approved code, get familiar with the monitoring requirements. Review the code's monitoring provisions, identify the accredited monitoring body, understand the assessment schedule and methodology, and keep your adherence documentation current and audit-ready.

Cooperate fully with assessments. Provide requested documentation promptly, make relevant staff available for interviews, grant access to systems and premises as needed, and respond to findings within the required timeframes. Treat these assessments as a chance to validate your compliance, not as an adversarial exercise.

Keep organised records that prove ongoing adherence. This covers documentation of implemented measures, evidence of policy compliance, training records, audit results, and corrective actions. These records need to be accessible at short notice when the monitoring body comes calling.

Fix non-conformities quickly. Develop corrective action plans with clear owners and deadlines, and keep the monitoring body informed of your progress. Serious or persistent non-conformities can lead to suspension or exclusion from the code, which carries both reputational damage and compliance consequences.

If you are involved in developing a new code for your sector, design robust monitoring provisions from day one. The framework needs to be effective, proportionate, and sustainable. Engage with the supervisory authority early to understand what accreditation looks like, and make sure the monitoring body will have genuine independence and enough resources to do the job properly.

Evidence Your Auditor Will Request

  • Documentation of accredited monitoring body and its assessment schedule
  • Records of monitoring body assessments and your organisation's results
  • Corrective action plans and evidence of remediation for any identified non-conformities
  • Internal compliance records maintained for monitoring body review
  • Communication records with the monitoring body

Common Mistakes

  • Insufficient cooperation with monitoring body assessments
  • Failure to address non-conformities identified through monitoring
  • Code adherence claimed without participation in mandatory monitoring
  • Documentation of compliance not maintained in a state ready for monitoring review
  • Monitoring body lacking genuine independence or adequate resources

Related Controls Across Frameworks

Framework    Control ID    Relationship
ISO 27001    A.5.36        Related

Frequently Asked Questions

What happens if the monitoring body finds we are not complying with the code?

They can require corrective measures within a set timeframe, suspend your participation, or ultimately exclude you from the code. Exclusion gets reported to the supervisory authority. The severity of the consequences depends on how serious and persistent the non-compliance is.

How is the monitoring body different from the supervisory authority?

The monitoring body focuses narrowly on assessing adherence to the code itself. The supervisory authority has much broader GDPR enforcement powers and retains full jurisdiction regardless. Think of the monitoring body as a specialist layer - it reports to the supervisory authority and can refer serious matters up, but it does not replace the regulator.

Can we choose our own monitoring body?

No. The monitoring body must be accredited by the competent supervisory authority. Each approved code designates specific accredited bodies, and you participate in whatever monitoring arrangements the code specifies.
