According to Article 40.1 of the GDPR, the national supervisory authorities in the European Economic Area shall “encourage the drawing up of codes of conduct intended to contribute to the proper application” of the GDPR. A prerequisite for codes of conduct to be prepared by Swedish associations and bodies, which represent categories of personal data controllers or processors, is that the Swedish Data Protection Authority (IMY), pursuant to Art. 41 GDPR, establishes the requirements that shall apply to their accreditation bodies – so-called supervisory bodies – which must monitor that the members of the code of conduct comply with the provisions of the code.

IMY drafted accreditation requirements and provided them to the European Data Protection Board (EDPB) in 2022. The EDPB issued a statement on July 11, 2023 recommending certain changes to the draft requirements. IMY considered the recommendations and submitted a new version to the EDPB. The EDPB confirmed receipt of the same and has now closed the file. IMY therefore issued a decision on applicable accreditation requirements (see here, in Swedish only).

In summary, to obtain accreditation, a body must meet requirements in the following areas:

  • independence;
  • conflicts of interests;
  • expertise;
  • proceedings and structures;
  • handling of complaints;
  • communication with the supervisory authority (IMY);
  • mechanisms for oversight of the code of conduct;
  • legal standing; and
  • sub-contractors


While obtaining accreditation and establishing codes of conduct may involve complex assessments and considerations, implementing codes of conduct may decrease the costs of GDPR compliance for organizations. In addition, codes of conduct enable trade associations and other interest groups to assess which considerations and technical and organizational security measures are of specific relevance to their sector.