1. 在不損及第 57 條及 58 條所定主管監管機關之任務及權力之情況 下，得由機構進行第 40 條所定對行為守則遵守情況之監測，該機構 應具備行為守則所涉及事件之適當程度之專業知識，且經主管監管機 關認證。
1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, the monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for that purpose by the competent supervisory authority.
2. 第 1項所定得經認證以監測行為守則被遵守情況之機構，應具備：
2. A body as referred to in paragraph 1 may be accredited to monitor compliance with a code of conduct where that body has:
(a) 證明其具備行為守則所涉及事件之獨立性及專業性至主管監管機 關滿意；
(a) demonstrated its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory authority;
(b) 建立使其得以評估控管者及處理者適用該行為守則之資格之程 序，以監測其遵守情況，並定期審查其運作情形；
(b) established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;
(c) 建立處理申訴之程序及組織，以處理違反行為守則或控管者或處 理者執行之方式已違反或正違反行為守則之申訴，並向資料主體及公 眾公開該等程序及組織；及
(c) established procedures and structures to handle complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make those procedures and structures transparent to data subjects and the public; and
(d) demonstrated to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.
3. 主管監管機關應依照第 63 條所定一致性機制，向委員會提交本條 第 1 項所定機構之認證標準草案。
3. The competent supervisory authority shall submit the draft requirements for accreditation of a body as referred to in paragraph 1 of this Article to the Board pursuant to the consistency mechanism referred to in Article 63.
4. 在不損及主管監管機關之任務及權力且第 8 章規定之情況，本條 第 1 項所定機構應在適當保護措施下，對於控管者或處理者違反行為 守則事件採取適當行動，包括將控管者或處理者停權或於行為守則中 剃除。其對於控管者或處理者所為行為及其理由應通知主管監管機 關。
4. Without prejudice to the tasks and powers of the competent supervisory authority and the provisions of Chapter VIII, a body as referred to in paragraph 1 of this Article shall, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent supervisory authority of such actions and the reasons for taking them.
5. 機構欠缺認證要件或不再具備認證要件或機構行為違反本規則規 定者，主管監管機關應撤銷第一項所定之認證。
5. The competent supervisory authority shall revoke the accreditation of a body as referred to in paragraph 1 if the requirements for accreditation are not, or are no longer, met or where actions taken by the body infringe this Regulation.
The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.
(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27001, section 4.1.
Here is the relevant paragraph to article 41 GDPR:
5.2.1 Understanding the organization and its context
The organization shall include among its interested parties (see ISO/IEC 27001:2013, 4.2), those parties having interests or responsibilities associated with the processing of PII, including the PII principals.