Another code of conduct initiative
Representatives of the Association of Financial Enterprises met with experts from the Personal Data Protection Office regarding the initiative to create a code of conduct for the debt‑management sector.
During the meeting, issues such as the purpose of developing the code, the number and nature of the entities it would cover, as well as the entity submitting and preparing the document, were discussed. In the course of the discussion, it was noted that a code approved by the President of the Personal Data Protection Office becomes a set of instructions for controllers or processors who design and implement GDPR‑compliant data‑processing activities, giving operational meaning to the data‑protection principles laid down in European and national law. A code is a document taken into account by the supervisory authority in proceedings (e.g. complaint or inspection proceedings) concerning entities that are its members. For this reason, it is essential that the code contains concrete examples, practical solutions and is not abstract.
During the discussion, Monika Krasińska, Director of the Department of Law and New Technologies at the Personal Data Protection Office, stressed that the idea of developing a code of conduct for organisations involved in debt management appears fully necessary and justified. She also drew attention to a common problem that arises among organisations wishing to create a code, namely the belief that a code is essentially a catalogue repeating, in a slightly different form, the provisions of the General Data Protection Regulation 2016/679 (GDPR), whereas it is a completely different type of document. A code is based on the GDPR, but it also draws on the experience of organisations, practices, the specific nature of the sector, and above all must comply with the European Data Protection Board’s Guidelines 1/2019, which clarify the rules for developing such codes, and must appropriately take into account other EDPB positions, court rulings and legal provisions applicable to the given sector.
Monika Krasińska also emphasised that at every stage of developing a code, the Personal Data Protection Office provides guidance on how to structure it, but does not participate directly in the process of drafting it. The Office is open to meetings and discussions on the issues addressed in the code, but the final decision regarding its scope and content rests with the code’s creators.
Marcin Czugan, President of the Management Board of the Association of Financial Enterprises, explained that the sector he represents needs a code of conduct because the scope of activities of organisations involved in debt management has in recent years increasingly encompassed personal data protection, primarily due to the development of digital tools and methods of information exchange. It is also important that the Association cooperates with numerous external entities (such as law firms), which also process data – data that is extremely important for the privacy of individuals, as it concerns financial obligations.
As the experts from the Personal Data Protection Office pointed out, the foundation of any code is the obligation to regulate the issues of collecting, storing, using and sharing data (and the best way to do this is on the basis of the record of processing activities).
The meeting also included a detailed discussion of the role of the monitoring body for the code. As explained, this is often an institution that already has experience in the field of personal data protection, but the monitoring body may also be an internal unit operating within the organisational structure of the code’s creator. However, both an external and an internal monitoring body must demonstrate their independence in terms of impartiality from the members who have committed to applying the code, as well as from representatives of the profession, sector or industry to which the code applies.
Another process that must accompany the development of a code is public consultation – both with future members of the code and with data subjects whose data will be processed under the code. The report from the consultation is submitted to the President of the Personal Data Protection Office together with the draft code and the application for its approval.
To date, the President of the Personal Data Protection Office has approved three codes of conduct.