Introduced by GDPR, codes of conduct are a new valid adequacy mechanism for the transfer of personal data outside of the European Union in the absence of an adequacy decision and instead of other mechanisms such as binding corporate rules or contractual clauses. Codes of conduct must be developed by industry trade groups, associations or other bodies representing categories of controllers or processors. They must be approved by supervisory authorities or the European Data Protection Board, and have a methodology for auditing compliance. Similar to binding corporate rules, they compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation.
See Article 40 GDPR.