CIPP/E Study Guide
Ch 13.2 - Self-regulation

Self-regulation: accountability, DPOs, codes and certification

Self-regulation is arguably the most effective tool because controllers and processors directly control the measures protecting data. The GDPR advances it through the accountability principle (Article 5(2)), mandatory data protection officers (DPOs) (Articles 37–39), codes of conduct and certification schemes (Articles 40–43), and controller-over-processor regulation (Article 28). The DPO looks like a quasi-regulator - focused only on compliance, immune from dismissal, and an effective extension of the DPA.

Self-regulation works because the regulated entity directly controls the processes and measures protecting data. The GDPR's accountability framework in Chapter 4 makes controllers identify their risks, set positions to address them, and supervise and enforce through business-as-usual activity - much like the tasks DPAs perform under Article 58.

  • Accountability under Article 5(2) - demonstrable compliance through risk management
  • Article 28 - controllers supervise processors; processors cascade to subprocessors under Article 28(4)
  • Articles 33 and 34 - breach notification acts as a deterrent and a remediation trigger
  • Article 35 - DPIAs, with explicit DPA references and prior consultation under Article 36
  • Data protection officers (DPOs) under Articles 37–39 - formalised and mandated for the first time

Codes of conduct vs certification (seals and marks)

Who creates / issues
  • Codes of conduct (Arts 40–41): representative bodies (e.g. industry associations) draw up codes
  • Certification / seals and marks (Arts 42–43): certification bodies issue seals and marks
Approval / accreditation
  • Codes of conduct: DPA approves the draft code (Art 40(5)); monitoring body accredited under Art 41
  • Certification: certification bodies accredited by the DPA or national accreditation body (Art 43(1))
Compliance check
  • Codes of conduct: monitoring body must independently monitor adherence and handle complaints (Art 41)
  • Certification: certification body has procedures to issue, review and revoke; must handle complaints (Art 43(2))
Fines for breach
  • Codes of conduct: breaching a code - Article 83(4)(c); monitoring body breach - Art 41(4)
  • Certification: breaching certification - Article 83(4)(b)
Loss of status
  • Codes of conduct: DPA can revoke the monitoring body's accreditation (Art 41(5))
  • Certification: DPA can revoke a certification body's accreditation (Art 43(7))
Consistency mechanism
  • Codes of conduct: applies where the code is 'transnational' (affects ≥2 member states), via Art 63
  • Certification: applies in appropriate cases via Art 63

The DPO as quasi-regulator

The DPO is focused only on compliance, is immune from dismissal, and has a duty of cooperation with the DPA - making them effectively an extension of the regulator rather than an ordinary employee.

Key terms - quick answers

What is “Accountability”?
The Article 5(2) obligation requiring the controller to be able to demonstrate compliance with the data protection principles.
What is “Data protection officer”?
A compliance-focused role, mandated for the first time by the GDPR (Arts 37–39), immune from dismissal and acting as a quasi-regulator within the organisation.
What is “Codes of conduct”?
Self-regulatory rules drawn up by representative bodies (Art 40) for compliance, with a monitoring body (Art 41) checking adherence.
What is “Certification”?
Data protection seals and marks (Arts 42–43) issued by accredited certification bodies to demonstrate compliance.