According to Article 40.1 of the GDPR, the national supervisory authorities in the European Economic Area shall “encourage the drawing up of codes of conduct intended to contribute to the proper application” of the GDPR. A prerequisite for codes of conduct to be prepared by Swedish associations and bodies, which represent categories of personal data controllers or processors, is that the Swedish Data Protection Authority (IMY), pursuant to Art. 41 GDPR, establishes the requirements that shall apply to their accreditation bodies – so-called supervisory bodies – which must monitor that the members of the code of conduct comply with the provisions of the code.

IMY drafted accreditation requirements and provided them to the European Data Protection Board (EDPB) in 2022. The EDPB issued a statement on July 11, 2023 recommending certain changes to the draft requirements. IMY considered the recommendations and submitted a new version to the EDPB. The EDPB confirmed receipt of the same and has now closed the file. IMY therefore issued a decision on applicable accreditation requirements (see here, in Swedish only).

In summary, to obtain accreditation, a body must meet requirements in the following areas:

  • independence;
  • conflicts of interests;
  • expertise;
  • proceedings and structures;
  • handling of complaints;
  • communication with the supervisory authority (IMY);
  • mechanisms for oversight of the code of conduct;
  • legal standing; and
  • sub-contractors


While obtaining accreditation and establishing codes of conduct may involve complex assessments and considerations, implementing codes of conduct may decrease the costs of GDPR compliance for organizations. In addition, codes of conduct enable trade associations and other interest groups to assess which considerations and technical and organizational security measures are of specific relevance to their sector.


Helena practices international commercial law with a focus on assisting and advising technology companies with cross-border transactions, drafting and negotiating commercial agreements, and advising on global data privacy law compliance. Helena also advises software developers, e-commerce companies, and global mobile and web gaming developers on regulatory restrictions, intellectual property, contracting and data privacy.


William Höglund is a member of Baker McKenzie’s Intellectual Property and Data & Technology Practice Group in Stockholm. William focuses his practice mainly on intellectual property, IT and privacy law.


Margarita advises Swedish and international clients on a range of employment and data protection matters.


Peder Oxhammar is Head of Baker McKenzie’s Intellectual Property Group in Stockholm. Mr. Oxhammar practices mainly within the field of intellectual property with special focus on patents, contentious matters, strategy and licensing. He advises clients in a wide range of industries in Sweden, including pharmaceuticals, white-goods, electronics, and defense.