Code approval procedure
As a condition for adopting a code of conduct, a draft code of conduct must be submitted to the supervisory authority for approval. Such a draft must meet the requirements set forth in the GDPR and the Act of 10 May 2018 on the Protection of Personal Data, but also those set forth in EDPB Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679. Submission of a draft code of conduct for approval also involves payment of a stamp duty of PLN 10. The stamp duty should be paid to the appropriate account of the Śródmieście District of the City of Warsaw.
Importantly, a properly submitted draft code of conduct should include information about the carried out consultation and its outcome. The consultation must have been carried out prior to the submission of the draft code of conduct. Information on the consultation does not have to cover the entirety of the comments submitted, but only the most important conclusions of the comments, along with the reference of the code owners to the positions presented (consultation report). Consultation should be carried out as widely as possible with use of all possible channels of communication, including, for example, the website, the trade press or letters addressed directly to stakeholders and associations.
The code approval procedure consists of several stages. First, the supervisory authority carries out a review whether the submitted draft code meets the formal requirements and admissibility criteria referred to in the EDPB Guidelines. Once this preliminary review is completed, it is possible to move on to the next stage, i.e. to fully evaluate the content of the submitted draft code in light of the code approval criteria. This stage serves to clarify the content of the draft code with the code owner, allowing him/her to make possible amendments. It ends with the supervisory authority providing an opinion on the compliance of the submitted draft with the provisions of the GDPR. The final stage involves approval of the code of conduct in the form of a decision, provided that the supervisory authority considers it to be an appropriate safeguard for the proper application of the GDPR.
Approved codes of conduct are then registered by the Polish supervisory authority and the EDPB.