With the publication in Official Gazette No. 278 on November 27, 2024, of the decision by the Data Protection Authority dated October 17, 2024, the “Code of Conduct for the Processing of Personal Data by Companies Developing and Producing Management Software” (the “Code”) has been officially approved. This measure marks a significant step forward in implementing high compliance standards within the digital innovation sector. The Code aligns with the regulatory framework outlined in Article 40 of Regulation (EU) 2016/679 (“GDPR”), which encourages the development of codes of conduct to support the proper application of privacy regulations, taking into account the specific characteristics of different processing sectors and the unique needs of micro, small, and medium-sized enterprises.
Scope and purpose
The Code applies to companies involved in the design, development, production, and support of management software, including maintenance and updates.
This regulation addresses the growing need to standardize personal data processing practices in the sector, with a strong emphasis on the principles of privacy by design and privacy by default.
The primary goal is to ensure that products and services are developed to meet high data protection standards from the design phase, effectively supporting data controllers in achieving GDPR compliance.
Key features
The Code introduces several significant provisions, including:
- privacy by design and by default: Software Houses (SWHs) are required to implement appropriate technical and organizational measures from the design phase to proactively ensure compliance with data protection regulations;
- clear definition of SWH roles: the Code formalizes the role of software houses as data processors or sub-processors, particularly for maintenance and support activities in both on-premise and cloud environments;
- standardized contractual relationships: a model agreement under Article 28 GDPR is introduced to systematically govern the relationship between SWHs and their clients regarding data processing activities;
- establishment of a Monitoring Body (OdM): an accredited body will be created to oversee adherence to the Code, ensuring consistent and qualified supervision of compliance practices.
Operational impact
For companies producing management software, adherence to the Code serves as a strategic tool for accountability, enhancing trust among clients and end-users. The operational tools the Code provides, such as practical guidelines and standardized contract templates, offer invaluable support, particularly for SMEs, which often lack the technical resources to ensure full GDPR compliance.
From the perspective of end-users, the Code ensures greater transparency and consistency in data management, allowing them to rely on technology partners that implement advanced security measures according to shared and verified standards.
Future outlook
The entry into force of the Code introduces a series of concrete actions for software houses wishing to adhere to it. Specifically:
- a preliminary gap analysis will be necessary to assess compliance with the Code’s requirements, with particular focus on the technical and organizational measures outlined in Annexes A and B;
- existing contract models will need to be reviewed to align with the Article 28 GDPR agreement framework stipulated by the Code;
- internal procedures for managing security incidents and requests for data subject rights must be developed or updated;
- staff training on the new procedures and Code requirements will need to be planned.
It is important to note that adherence to the Code is voluntary and does not have a set deadline for submitting applications. However, since compliance with the Code will increasingly be a qualifying requirement in the selection process for management software providers, it is advisable for software houses to promptly begin evaluating their requirements and adjusting procedures and tools. This will enable them to apply for adherence as soon as the Monitoring Body becomes fully operational.