Part 5 Data protection and privacy

Chapter 2 Privacy and electronic communications

116 Codes of conduct

(1)

The PEC Regulations are amended as follows.

(2)

After regulation 32 insert—

“Codes of conduct

32A.

(1)

The Commissioner must encourage representative bodies to produce codes of conduct intended to contribute to compliance with these Regulations.

(2)

Under paragraph (1), the Commissioner must encourage representative bodies to produce codes which take account of, among other things, the specific features of different sectors.

(3)

A code of conduct described in paragraph (1) may, for example, make provision with regard to—

(a)

rights and obligations under these Regulations;

(b)

out-of-court proceedings and other dispute resolution procedures for resolving disputes arising in connection with these Regulations.

(4)

The Commissioner must encourage representative bodies to submit codes of conduct described in paragraph (1) to the Commissioner in draft.

(5)

Where a representative body does so, the Commissioner must—

(a)

provide the representative body with an opinion on whether the code correctly reflects the requirements of these Regulations,

(b)

decide whether to approve the code, and

(c)

if the code is approved, register and publish the code.

(6)

The Commissioner may only approve a code if, among other things—

(a)

the code contains a mechanism for monitoring whether persons who undertake to apply the code comply with its provisions, and

(b)

in relation to persons other than public bodies, the mechanism involves monitoring by a body which is accredited for that purpose by the Commissioner under regulation 32B.

(7)

In relation to amendments of a code of conduct that is for the time being approved under this regulation—

(a)

paragraphs (4) and (5) apply as they apply in relation to a code, and

(b)

the requirements in paragraph (6) must be satisfied by the code as amended.

(8)

A code of conduct described in paragraph (1) may be contained in the same document as a code of conduct described in Article 40 of the UK GDPR (and a provision contained in such a document may be a provision of both codes).

(9)

In this regulation—

“public body” has the meaning given in section 7 of the Data Protection Act 2018 (for the purposes of the UK GDPR);

“representative body” means an association or other body representing categories of—

(a)

communications providers, or

(b)

other persons engaged in activities regulated by these Regulations;

“the UK GDPR” has the meaning given in section 3(10) of the Data Protection Act 2018.

Accreditation of bodies monitoring compliance with codes of conduct

32B.

(1)

The Commissioner may, in accordance with this regulation, accredit a body for the purpose of monitoring whether persons other than public bodies comply with a code of conduct described in regulation 32A(1).

(2)

The Commissioner may accredit a body only where the Commissioner is satisfied that the body has—

(a)

demonstrated its independence,

(b)

demonstrated that it has an appropriate level of expertise in relation to the subject matter of the code,

(c)

established procedures which allow it—

(i)

to assess a person’s eligibility to apply the code,

(ii)

to monitor compliance with the code, and

(iii)

to review the operation of the code periodically,

(d)

established procedures and structures to handle complaints about infringements of the code or about the manner in which the code has been, or is being, implemented by a person,

(e)

made arrangements to publish information about the procedures and structures described in sub-paragraph (d), and

(f)

demonstrated that it does not have a conflict of interest.

(3)

The Commissioner must prepare and publish guidance about how the Commissioner proposes to take decisions about accreditation under this regulation.

(4)

A body accredited under this regulation in relation to a code must take appropriate action where a person infringes the code.

(5)

If the action taken by a body under paragraph (4) consists of suspending or excluding a person from the code, the body must inform the Commissioner, giving reasons for taking that action.

(6)

The Commissioner must revoke the accreditation of a body under this regulation if the Commissioner considers that the body—

(a)

no longer meets the requirements for accreditation, or

(b)

has failed, or is failing, to comply with paragraph (4) or (5).

(7)

In this regulation, “public body” has the same meaning as in regulation 32A.

Effect of codes of conduct

32C.

Adherence to a code of conduct approved under regulation 32A may be used by a person as a means of demonstrating compliance with these Regulations.”

(3)

In regulation 33 (technical advice to the Commissioner)—

(a)

omit “, in connection with his enforcement functions,” and

(b)

at the end insert “where the request is made in connection with—

(a)

the Commissioner’s enforcement functions, or

(b)

the Commissioner’s functions under regulation 32A or 32B (codes of conduct).”

(4)

In Schedule 1 (Commissioner’s enforcement powers) (inserted by Schedule 13 to this Act), in paragraph 18(b)(ii) (maximum amount of penalty), for “or 24” substitute “, 24 or 32B(4) or (5)”.