§ GDPR · Article 41
GDPR Article 41: Obligations, Deadlines & Penalties
At a glance
Article 41 of the GDPR imposes 8 obligations on accredited monitoring body, competent supervisory authority.
§ Obligations
All obligations under Article 41
Obligation 1
A body accredited to monitor compliance with a code of conduct must demonstrate its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory authority.
Regulation (EU) 2016/679, Article 41, Article 41
- Obligated entity
-
accredited monitoring body
- Action required
-
demonstrate
- Deadline
-
—
- Penalty
-
—
Obligation 2
An accredited monitoring body must establish procedures to assess the eligibility of controllers and processors to apply the code, monitor their compliance, and periodically review its operation.
Regulation (EU) 2016/679, Article 41, Article 41
- Obligated entity
-
accredited monitoring body
- Action required
-
establish
- Deadline
-
—
- Penalty
-
—
Obligation 3
An accredited monitoring body must establish procedures and structures to handle complaints about infringements of the code and make those procedures transparent to data subjects and the public.
Regulation (EU) 2016/679, Article 41, Article 41
- Obligated entity
-
accredited monitoring body
- Action required
-
establish
- Deadline
-
—
- Penalty
-
—
Obligation 4
An accredited monitoring body must demonstrate to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.
Regulation (EU) 2016/679, Article 41, Article 41
- Obligated entity
-
accredited monitoring body
- Action required
-
demonstrate
- Deadline
-
—
- Penalty
-
—
Obligation 5
The competent supervisory authority must submit the draft criteria for accreditation of a monitoring body to the Board pursuant to the consistency mechanism referred to in Article 63.
Regulation (EU) 2016/679, Article 41, Article 41
- Obligated entity
-
competent supervisory authority
- Action required
-
submit
- Deadline
-
—
- Penalty
-
—
Obligation 6
An accredited monitoring body must take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion, subject to appropriate safeguards.
Regulation (EU) 2016/679, Article 41, Article 41
- Obligated entity
-
accredited monitoring body
- Action required
-
take action
- Deadline
-
—
- Penalty
-
—
Obligation 7
An accredited monitoring body must inform the competent supervisory authority of actions taken in cases of infringement and the reasons for taking them.
Regulation (EU) 2016/679, Article 41, Article 41
- Obligated entity
-
accredited monitoring body
- Action required
-
inform
- Deadline
-
—
- Penalty
-
—
Obligation 8
The competent supervisory authority must revoke the accreditation of a monitoring body if the conditions for accreditation are not met or if actions taken by the body infringe the Regulation.
Regulation (EU) 2016/679, Article 41, Article 41
- Obligated entity
-
competent supervisory authority
- Action required
-
revoke
- Deadline
-
—
- Penalty
-
—
§ Frequently asked
Questions about Article 41
Who must comply with Article 41 of the GDPR?
+
accredited monitoring body, competent supervisory authority.
What does Article 41 of the GDPR require?
+
demonstrate establish submit