Based on the investigation results, the management makes a statement (self-declaration) about the maturity level of the company and thus about compliance with the TTP Code of Conduct AVG. With this statement, the management makes itself accountable for compliance with the code of conduct. As a result, there may be grounds for management to have an additional investigation carried out by the internal audit department (IC).
The DPO confirms the self-declaration
The data protection officer (DPO) advises management on policy formulation, advises the operational organisation on taking appropriate technical and organisational control measures and monitors the effective operation of control measures taken. In addition, the DPO has a legal duty to monitor compliance with the GDPR. By confirming (or not) the self-declaration, the DPO is demonstrably performing this task.
The DPO performs a risk analysis and creates a work plan. In this work plan, the DPO determines the frequency with which they check the completed control measures. The DPO can use these results during the accounting period for their report. At the end of the accountability period, they can use them to confirm the self-declaration. With the confirmation, the DPO indicates that the maturity level as stated in the self-declaration is endorsed.
In the accountability process, the confirmation by the DPO is of great value. That is why the DPO must meet various requirements to confirm the self-declaration. For example, the DPO must be suitable for the company, must have followed adequate DPO training, which includes a module about their task in the accountability process, and must have completed the exam on their supervisory duty.
MYOBI reaffirms the self-declaration
MYOBI helps companies organise the legal accountability obligation for data protection. The TTP Code of Conduct AVG serves as the guiding framework in this regard. Furthermore, MYOBI manages the assessment frameworks, provides training, organises (information) webinars, performs plausibility tests on self-declarations of the company management and reconfirms the self-declaration.
From self-declaration to Accountability Seal
After receiving the self-declaration, MYOBI converts the indicated maturity level into an Accountability Seal and includes it in the Accountability Seal Register. The register is published on the MYOBI website and can be consulted by other users and other interested parties. Three seals are shown in the Accountability Seal Register for each company:
- The maturity level in the self-declaration.
- The maturity level that the DPO has confirmed.
- The maturity level determined by MYOBI, based on a plausibility test.
Suppose a company does not provide a self-declaration in time or does not meet the formal requirements (for example, the confirmation of an authorised DPO is missing). In that case, MYOBI sets the maturity level to ‘0’.