Code of Conduct on Data Protection for Research (GDPR Article 40)

European Union

v2022

6 domains

20 controls

Represents the GDPR Article 40 code-of-conduct mechanism applied to the scientific-research sector. There is no single EDPB-approved transnational research code; the controls capture what such a code must contain under GDPR Articles 40 (codes of conduct), 41 (accredited monitoring bodies) and 89 (safeguards and derogations for scientific research), informed by EDPB guidance. Sectoral codes exist (e.g. clinical-research and biobanking codes).

Unverified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (6)

Art.40 Research Code: Data Subject Rights and Transparency

1 controls

Controls in the Art.40 Research Code: Data Subject Rights and Transparency domain of Code of Conduct on Data Protection for Research (GDPR Article 40) — 1 controls
Code	Title	Description
RDCOC-RIG-01	Data Subject Rights and Information in Research	Provide transparency to participants and uphold data-subject rights, applying any Article 89(2) derogations only where r...

Art.40 Research Code: Governance, Monitoring and Enforcement (Art.41)

9 controls

Controls in the Art.40 Research Code: Governance, Monitoring and Enforcement (Art.41) domain of Code of Conduct on Data Protection for Research (GDPR Article 40) — 9 controls
Code	Title	Description
RDCOC-ADH-01	Adherence Procedures	Define how controllers/processors adhere to the code, the binding commitments they make, and the public register of adhe...
RDCOC-APP-01	Supervisory Authority / EDPB Approval	Submit the code to the competent supervisory authority (and EDPB for transnational codes) for approval, registration and...
RDCOC-AUD-01	Audits and Compliance Reviews	The monitoring body conducts periodic reviews/audits of adherents' compliance with the code.
RDCOC-COM-01	Complaint Handling	Provide mechanisms for handling complaints about infringements of the code by adherents.
RDCOC-GOV-01	Code Owner and Governance	Designate a code owner (association/body representing research controllers/processors) responsible for the code's develo...
RDCOC-MON-01	Accredited Monitoring Body	Designate an accredited monitoring body with the requisite expertise, independence and procedures to monitor compliance...
RDCOC-REV-01	Periodic Review and Update	Review and update the code to reflect legal, regulatory and sector developments, with SA/EDPB re-approval of amendments.
RDCOC-SAN-01	Sanctions and Suspension	The monitoring body can take action against adherents that infringe the code (suspension/exclusion) and inform the super...
RDCOC-TRN-01	Training and Awareness	Provide training and awareness to adherents' personnel on the code's commitments and research data-protection practices.

Art.40 Research Code: Research Safeguards (Art.89)

4 controls

Controls in the Art.40 Research Code: Research Safeguards (Art.89) domain of Code of Conduct on Data Protection for Research (GDPR Article 40) — 4 controls
Code	Title	Description
RDCOC-ANO-01	Anonymisation Criteria	Define when research data is anonymised (irreversibly non-identifiable) and therefore outside GDPR, with a robust re-ide...
RDCOC-DPI-01	Data Protection Impact Assessments	Conduct DPIAs for high-risk research processing and define when a DPIA is required for research projects.
RDCOC-PSE-01	Pseudonymisation Standards	Apply pseudonymisation as a default safeguard for research data where the purpose can be achieved without identifiers, w...
RDCOC-RET-01	Retention and Archival	Set storage-limitation and archival rules for research data, permitting longer retention for research subject to Article...

Art.40 Research Code: Scope and Lawful Basis

3 controls

Controls in the Art.40 Research Code: Scope and Lawful Basis domain of Code of Conduct on Data Protection for Research (GDPR Article 40) — 3 controls
Code	Title	Description
RDCOC-CON-01	Consent and Broad Consent	Where consent is used, meet GDPR consent conditions; broad consent to areas of research is permitted where consistent wi...
RDCOC-LAW-01	Lawful Basis for Research	Establish the lawful basis for research processing (e.g. public interest/legitimate interest or consent) and the Article...
RDCOC-SCO-01	Scope of Processing Activities	Define the categories of research processing the code covers (controllers/processors, data categories, research purposes...

Art.40 Research Code: Security and Breach

1 controls

Controls in the Art.40 Research Code: Security and Breach domain of Code of Conduct on Data Protection for Research (GDPR Article 40) — 1 controls
Code	Title	Description
RDCOC-BRE-01	Breach Notification Procedures	Maintain breach detection, notification to the supervisory authority and affected participants, and remediation for rese...

Art.40 Research Code: Transfers and Processors

2 controls

Controls in the Art.40 Research Code: Transfers and Processors domain of Code of Conduct on Data Protection for Research (GDPR Article 40) — 2 controls
Code	Title	Description
RDCOC-PRO-01	Processor Engagements	Govern processors handling research data via Article 28 contracts and oversight.
RDCOC-TRA-01	International Data Transfers	Define safeguards for transferring research data outside the EEA (adequacy, SCCs, or the code itself as a transfer tool...

Your Compliance Coverage

If you comply with Code of Conduct on Data Protection for Research (GDPR Article 40), you already cover:

GDPR

50%

10 controls mapped

Compare →

ISO 37001:2016

1 controls mapped

Compare →

ISO 13485:2016

1 controls mapped

Compare →

See all 3 mapped frameworks ↓

Maps to 3 other frameworks

20 total controls

GDPR

10 source controls mapped|9 target controls covered

50%

ISO 37001:2016

1 source controls mapped|1 target controls covered

ISO 13485:2016

1 source controls mapped|1 target controls covered

Compare Code of Conduct on Data Protection for Research (GDPR Article 40) with GDPR

Frequently Asked Questions

What is Code of Conduct on Data Protection for Research (GDPR Article 40)?

Code of Conduct on Data Protection for Research (GDPR Article 40) is a compliance framework from European Union with 6 domains and 20 controls. Represents the GDPR Article 40 code-of-conduct mechanism applied to the scientific-research sector. There is no single EDPB-approved transnational research code; the controls capture what such a code must contain under GDPR Articles 40 (codes of conduct), 41 (accredited monitoring bodies) and 89 (safeguards and derogations for scientific research), informed by EDPB guidance. Sectoral codes exist (e.g. clinical-research and biobanking codes). It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does Code of Conduct on Data Protection for Research (GDPR Article 40) have?

Code of Conduct on Data Protection for Research (GDPR Article 40) has 20 controls organised across 6 domains. The largest domains are Art.40 Research Code: Governance, Monitoring and Enforcement (Art.41) (9 controls), Art.40 Research Code: Research Safeguards (Art.89) (4 controls), Art.40 Research Code: Scope and Lawful Basis (3 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does Code of Conduct on Data Protection for Research (GDPR Article 40) map to?

Code of Conduct on Data Protection for Research (GDPR Article 40) maps to 3 other compliance frameworks. The top mapping partners are GDPR (50% coverage), ISO 37001:2016 (5% coverage), ISO 13485:2016 (5% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with Code of Conduct on Data Protection for Research (GDPR Article 40) compliance?

Start your Code of Conduct on Data Protection for Research (GDPR Article 40) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Code of Conduct on Data Protection for Research (GDPR Article 40) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 20 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 718 frameworks.

Get Started Free →

Free forever — no credit card required