The European Association of Co-operative Banks (EACB) welcomes the opportunity to provide the European Data Protection Board (EDPB) with its comments on the draft Guidelines on Codes of Conduct and Monitoring Bodies under the General Data Protection Regulation (GDPR) adopted in February this year.
EACB members would like to draw attention to the topic of the ‘Accreditation requirements for monitoring bodies’. We believe that, in the case where an internal monitoring body is proposed, banks should be able to make use of their existing Three Lines of Defence model, or part of it, as the ‘monitoring body’ required by the GDPR. As banks use the ‘Three Lines of Defence’ model, they already have functions that are independent from other areas and business lines of the organisation.
It is our understanding that this possibility is sufficient to fulfil the requirement of ‘separate staff and management, accountability and function from other areas of the organisation’, and we would welcome a reference to this example in the final Guidelines.