HomeKnowledge Hub › Codes & Certification Schemes

Knowledge Hub

GDPR codes of conduct & certification schemes

The approved organisational instruments under the GDPR — certification schemes under Article 42 and codes of conduct under Article 40 — for the UK (ICO-approved) and the EU (EDPB-adopted). These are schemes an organisation's processing can be certified against or a code it can sign up to; they are not individual qualifications. UK-first, with a link to each official register.

Compiled & maintained by VulaPri Limited, a UK privacy consultancy · Last verified 5 July 2026

Article 40 vs Article 42 — the difference in a nutshell

Both are accountability tools that let an organisation demonstrate GDPR compliance, and both can act as a safeguard for restricted international transfers — but they work differently.

 Certification schemes — Art. 42Codes of conduct — Art. 40
What it isCriteria against which an organisation's specific processing is certified.A sector code of good practice that member organisations commit to follow.
Who approvesSupervisory authority (or EDPB, for an EU-wide seal) approves the criteria.Supervisory authority approves the code.
Who checks complianceAn accredited certification body issues certification (valid up to 3 years).An accredited monitoring body (Art. 41) oversees members.
Transfer safeguardCan be a transfer tool under Art. 46(2)(f).Can be a transfer tool under Art. 46(2)(e).

UK and EU are separate regimes: UK-approved instruments are approved by the ICO under UK GDPR; EU-approved ones by an EU supervisory authority or the EDPB. An approval under one regime does not automatically carry across to the other.

Live caveat. ICO-register entries currently carry the ICO's notice that, following the Data (Use and Access) Act 2025 (Royal Assent 19 June 2025), the approved criteria and codes remain valid but are under review and may change. Confirm current status on the ICO register before relying on any entry.

Certification schemes (Art. 42) — UK, ICO-approved

  • ADISA ICT Asset Recovery Certification 8.0

    ICO-approved criteria (ICO-CSC/003–004) · owner: ADISA Certification Ltd · approved 2021

    What it covers: Data protection requirements for processors and sub-processors providing IT-asset disposal and data-sanitisation services — securely removing data from hardware such as hard drives and photocopiers before reuse or disposal.

    View on the ICO register →

  • Age Appropriate Design Certification Scheme (AADCS)

    ICO-approved criteria (ICO-CSC/002) · body: Age Check Certification Scheme Ltd

    What it covers: Children's online privacy and the design of information society services, aligned to the ICO's Children's Code (Age Appropriate Design Code).

    View on the ICO register →

  • Age Check Certification Scheme (ACCS)

    ICO-approved criteria (ICO-CSC/001) · the first ICO-approved UK GDPR criteria

    What it covers: Age assurance and age verification — the first set of criteria the ICO approved under UK GDPR.

    View on the ICO register →

  • Legal Services Operational Privacy Certification Scheme (LOCS:23)

    ICO-approved criteria (ICO-CSC/006) · owner: 2twenty4 Consulting Ltd

    What it covers: Data protection in the legal-services sector, for organisations acting as controllers and processors handling legal-matter data.

    View on the ICO register →

  • UK GDPR Compliance Certification Scheme for the Provision of Training and Qualifications Services

    ICO-approved criteria (ICO-CSC/005)

    What it covers: The handling of learner and candidate data by organisations providing training and qualifications services.

    View on the ICO register →

Certification schemes (Art. 42) — EU, EDPB-adopted

  • Europrivacy — European Data Protection Seal

    Managed by the European Centre for Certification and Privacy (ECCP), Luxembourg · EU

    What it covers: A general-purpose GDPR certification scheme and the first to be adopted by the EDPB as the official European Data Protection Seal (EDPB Opinion 28/2022). In April 2026 the EDPB issued further opinions updating the scheme's criteria and extending its scope — including to non-EEA organisations caught by Art. 3(2) — and recognising it as a tool for restricted international transfers under Articles 42 and 46.

    Note: The individual Europrivacy Implementer and Auditor credentials sit in our Certifications directory.

    Visit the Europrivacy site →

Codes of conduct (Art. 40) — UK, ICO-approved

  • ABI UK GDPR Code of Conduct for Investigative & Litigation Support Services

    ICO-approved code (ICO-CC/001) · owner: Association of British Investigators · approved 15 October 2024

    What it covers: The first ICO-approved UK GDPR code of conduct. It helps members providing investigative and litigation-support services demonstrate compliance — covering controller/processor roles, DPIAs, lawful basis, legitimate-interests assessments and consent to share when tracing and locating individuals.

    View on the ICO register →

Codes of conduct (Art. 40) — EU, transnational

  • EU Cloud Code of Conduct (EU Cloud CoC)

    Approved by the Belgian DPA (20 May 2021) · monitoring body: SCOPE Europe · EU

    What it covers: An Article 40 code for cloud service providers acting as processors under Article 28, covering the full cloud stack (IaaS, PaaS and SaaS).

    Visit the EU Cloud CoC site →

  • CISPE Data Protection Code of Conduct

    Approved by the CNIL (France) · EU

    What it covers: An Article 40 code for cloud infrastructure (IaaS) providers, developed by CISPE and approved by the French supervisory authority.

    Visit the CISPE code site →

This directory is curated for authority over volume and expanding. Think a scheme or code is missing, or spot a detail to fix? Flag it for the curation team — curated lists take tip-offs, not self-listings. Listing is not an endorsement, and general reference only, not legal advice — confirm current status on the ICO or EDPB register.