GDPR codes of conduct & certification schemes
The approved organisational instruments under the GDPR — certification schemes under Article 42 and codes of conduct under Article 40 — for the UK (ICO-approved) and the EU (EDPB-adopted). These are schemes an organisation's processing can be certified against or a code it can sign up to; they are not individual qualifications. UK-first, with a link to each official register.
Article 40 vs Article 42 — the difference in a nutshell
Both are accountability tools that let an organisation demonstrate GDPR compliance, and both can act as a safeguard for restricted international transfers — but they work differently.
| Certification schemes — Art. 42 | Codes of conduct — Art. 40 | |
|---|---|---|
| What it is | Criteria against which an organisation's specific processing is certified. | A sector code of good practice that member organisations commit to follow. |
| Who approves | Supervisory authority (or EDPB, for an EU-wide seal) approves the criteria. | Supervisory authority approves the code. |
| Who checks compliance | An accredited certification body issues certification (valid up to 3 years). | An accredited monitoring body (Art. 41) oversees members. |
| Transfer safeguard | Can be a transfer tool under Art. 46(2)(f). | Can be a transfer tool under Art. 46(2)(e). |
UK and EU are separate regimes: UK-approved instruments are approved by the ICO under UK GDPR; EU-approved ones by an EU supervisory authority or the EDPB. An approval under one regime does not automatically carry across to the other.
Certification schemes (Art. 42) — UK, ICO-approved
-
ADISA ICT Asset Recovery Certification 8.0
ICO-approved criteria (ICO-CSC/003–004) · owner: ADISA Certification Ltd · approved 2021What it covers: Data protection requirements for processors and sub-processors providing IT-asset disposal and data-sanitisation services — securely removing data from hardware such as hard drives and photocopiers before reuse or disposal.
-
Age Appropriate Design Certification Scheme (AADCS)
ICO-approved criteria (ICO-CSC/002) · body: Age Check Certification Scheme LtdWhat it covers: Children's online privacy and the design of information society services, aligned to the ICO's Children's Code (Age Appropriate Design Code).
-
Age Check Certification Scheme (ACCS)
ICO-approved criteria (ICO-CSC/001) · the first ICO-approved UK GDPR criteriaWhat it covers: Age assurance and age verification — the first set of criteria the ICO approved under UK GDPR.
-
Legal Services Operational Privacy Certification Scheme (LOCS:23)
ICO-approved criteria (ICO-CSC/006) · owner: 2twenty4 Consulting LtdWhat it covers: Data protection in the legal-services sector, for organisations acting as controllers and processors handling legal-matter data.
-
UK GDPR Compliance Certification Scheme for the Provision of Training and Qualifications Services
ICO-approved criteria (ICO-CSC/005)What it covers: The handling of learner and candidate data by organisations providing training and qualifications services.
Certification schemes (Art. 42) — EU, EDPB-adopted
-
Europrivacy — European Data Protection Seal
Managed by the European Centre for Certification and Privacy (ECCP), Luxembourg · EUWhat it covers: A general-purpose GDPR certification scheme and the first to be adopted by the EDPB as the official European Data Protection Seal (EDPB Opinion 28/2022). In April 2026 the EDPB issued further opinions updating the scheme's criteria and extending its scope — including to non-EEA organisations caught by Art. 3(2) — and recognising it as a tool for restricted international transfers under Articles 42 and 46.
Note: The individual Europrivacy Implementer and Auditor credentials sit in our Certifications directory.
Codes of conduct (Art. 40) — UK, ICO-approved
-
ABI UK GDPR Code of Conduct for Investigative & Litigation Support Services
ICO-approved code (ICO-CC/001) · owner: Association of British Investigators · approved 15 October 2024What it covers: The first ICO-approved UK GDPR code of conduct. It helps members providing investigative and litigation-support services demonstrate compliance — covering controller/processor roles, DPIAs, lawful basis, legitimate-interests assessments and consent to share when tracing and locating individuals.
Codes of conduct (Art. 40) — EU, transnational
-
EU Cloud Code of Conduct (EU Cloud CoC)
Approved by the Belgian DPA (20 May 2021) · monitoring body: SCOPE Europe · EUWhat it covers: An Article 40 code for cloud service providers acting as processors under Article 28, covering the full cloud stack (IaaS, PaaS and SaaS).
-
CISPE Data Protection Code of Conduct
Approved by the CNIL (France) · EUWhat it covers: An Article 40 code for cloud infrastructure (IaaS) providers, developed by CISPE and approved by the French supervisory authority.
Reach privacy & data protection professionals researching the schemes and codes that shape accountability. Sponsorship enquiries.
