Difference between revisions of "Article 42 GDPR"

From GDPRhub
 
 
(9 intermediate revisions by 4 users not shown)
Line 2: Line 2:
 
![[Article 41 GDPR|←]] Article 42 - Certification [[Article 43 GDPR|→]]
 
![[Article 41 GDPR|←]] Article 42 - Certification [[Article 43 GDPR|→]]
 
|-
 
|-
|style="padding: 20px; background-color:#003399;"|[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]
+
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]
 
|-
 
|-
 
|
 
|
  
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
+
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
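Review bot: the replacement `<div>` opening tag in this hunk still carries `overflow:auto;"` outside any attribute, so moving it behind `style="border-width: 0px"` leaves the markup malformed rather than fixing it. If the overflow rule is wanted, fold it into the style value, e.g. `style="border-width: 0px; overflow:auto;"`; otherwise drop the fragment. The same replacement line recurs for each chapter block in the hunks that follow.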
Line 17: Line 17:
 
</div></div>
 
</div></div>
  
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
+
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
Line 31: Line 31:
 
</div></div>
 
</div></div>
  
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
+
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
Line 50: Line 50:
 
</div></div>
 
</div></div>
  
<div class="toccolours mw-collapsible" overflow:auto;" style="border-width: 0px">
+
<div class="toccolours mw-collapsible" style="border-width: 0px" overflow:auto;">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
Line 77: Line 77:
 
</div></div>
 
</div></div>
  
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
+
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
Line 91: Line 91:
 
</div></div>
 
</div></div>
  
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
+
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
Line 107: Line 107:
 
</div></div>
 
</div></div>
  
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
+
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
Line 131: Line 131:
 
</div></div>
 
</div></div>
  
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
+
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
Line 146: Line 146:
 
</div></div>
 
</div></div>
  
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
+
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
Line 160: Line 160:
 
</div></div>
 
</div></div>
  
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
+
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
Line 169: Line 169:
 
</div></div>
 
</div></div>
  
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
+
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
 
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div>
 
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
Line 184: Line 184:
 
|}
 
|}
  
== Legal Text ==
+
==Legal Text==
<br /><center>'''Article 42 - Certification'''</center><br />
+
<br /><center>'''Article 42 - Certification'''</center>
  
 
<span id="1">1.  The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.</span>
 
<span id="1">1.  The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.</span>
Line 203: Line 203:
 
<span id="8">8.  The Board shall collate all certification mechanisms and data protection seals and marks in a register and shall make them publicly available by any appropriate means.</span>
 
<span id="8">8.  The Board shall collate all certification mechanisms and data protection seals and marks in a register and shall make them publicly available by any appropriate means.</span>
  
== Relevant Recitals==
+
==Relevant Recitals==
''You can help us fill this section!''
+
{{Recital/100 GDPR}}
 +
{{Recital/119 GDPR}}
  
== Commentary ==
+
==Commentary==
 +
Article 42 GDPR offers a controller or processor the voluntary option to obtain a certification for their processing operations, in order to demonstrate compliance with the GDPR. Certification is thus viewed as an accountability framework, promoting both legal compliance and transparency. However, it is crucial to note that the mere demonstration of compliance within the certification process does not ''equal'' compliance per se: controllers and processors must still comply with the full scope of the GDPR, regardless of whether they have been certified or not. Similarly, certification does not reduce the responsibility which has been allocated to a controller or processor when it comes to their existing legal obligations under the GDPR. 
  
''You can help us fill this section!''
+
=== (1) Defining Certification Mechanisms, Data Protection Seals, and Marks ===
 +
Article 42(1) GDPR provides that Member States, Data Protection Authorities (DPAs), the European Data Protection Board EDPB) and the European Commission (Commission) shall encourage the “''establishment of data protection certification mechanisms''”. However, there is no definition of what a certification constitutes in the GDPR. Therefore, one can turn to the universal definition provided by the International Standards Organisation (ISO), which defines certification as “''the provision by an independent body of written assurance (a certificate) that the product, service or system in question meets specific requirements.''”<ref>See the website of the ISO under “Certification” (accessed on 17 March 2022); also see EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 8 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf here]).</ref>
  
== Decisions ==
+
The EDPB Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation (EDPB Guidelines), adopt the definition found in the ISO Conformity assessment EN-ISO/IEC 17000:2004, and define certification to mean “''third party attestation related to processing operations by controllers and processors''”.<ref>EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 8 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf here]).</ref> However, the scope of this definition, and Article 42 GDPR in general, has been critiqued for being limited to the entity that engages in the processing operation.<ref>''Bergt, Pesch'', in Kühling, Buchner, DS-GVO BDSG, Article 42 GDPR, margin number 3a (C.H. Beck 2020, 3rd Edition).</ref> While this makes sense insofar as it is the data processing operation itself which is certified (as this is where the personal data is handled), one can also make the argument that the certification mechanism should be extended to entities providing products or services, but not conducting data processing themselves.<ref>''Bergt, Pesch'', in Kühling, Buchner, DS-GVO BDSG, Article 42 GDPR, margin number 3a (C.H. Beck 2020, 3rd Edition).</ref>
 +
 
 +
There is also no definition of “''data protection seals and marks''” to be found in the GDPR. Here, general definitions are to be relied upon as well. What is important to note, however, is that a certificate, seal or mark under the GDPR is only issuable following an independent assessment by a DPA or accredited certification body. This is clear from Article 42(5) GDPR, which details that the criteria through which to assess the controller or processor should be approved pursuant to [[Article 58 GDPR|Article 58(3) GDPR]], or by the EDPB pursuant to [[Article 63 GDPR]]. Where such an approval takes place through the EDPB, this may give rise to a common certification known as the “''European Data Protection Seal''”.<ref>EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 8 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf here]).</ref>
 +
=== (2) Demonstrating Safeguards Through Data Protection Certification Mechanisms, Seals or Marks ===
 +
Article 42(2) GDPR also provides that data protection certification mechanisms, seals, or marks approved pursuant to Article 42(5) GDPR can be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors not subject to the GDPR, in order to allow for personal data transfers to third countries under the terms referred to in Article 46(2)(f) GDPR. One substantial difference between Article 42(1) GDPR and Article 42(2) GDPR is that in the former, the applicant for certification is subject to the GDPR, while in latter, the applicant is not. This entails that the certification body must ensure that an applicant not subject to the GDPR is nonetheless able to be monitored by it for compliance with its certification obligations. This follows from the wording of Article 42(2) GDPR, which specifies that such third-country controllers or processors should make binding and enforceable commitments to apply the safeguards upon which the certification was based on. In short, the certification body must be able to monitor and enforce these commitments. 
 +
 
 +
=== (3-4) Certification as a Voluntary Act that does not Reduce Compliance Obligations ===
 +
Article 42(3) GDPR specifies that the act of certification is voluntary, and that it must be an option that is available to controllers or processors via a process that is transparent. To aid with transparency, certification bodies which approve certification mechanisms, seals or marks, should provide easily accessible information about the certification process which is meaningful and intelligible. It is important to note that there is no obligation under the GDPR to become ‘''certified''’ as a controller or processor, although certification can help demonstrate compliance with the GDPR. However, as Article 42(4) GDPR expressly makes clear, the act of becoming certified does not reduce the responsibility of the controller or processor in complying with the GDPR, and is without prejudice to the task and powers of the competent DPAs pursuant to [[Article 55 GDPR|Articles 55 and 56 GDPR]]. 
 +
 
 +
=== (5-6) Certification can be Issued Through a Certification Body or by the Competent Supervisory Authority ===
 +
As expressed in Article 42(5) GDPR, the certification of a processing operation can be done either by the certification bodies referred to in [[Article 43 GDPR]], or by the competent DPA.sIn any case, both must follow the certification criteria which will have previously been approved by the DPA or the EDPB. The fact that a certification was carried out by the certification body or the DPA, does not change much for the controller or processor seeking certification. However, when issuing a certification, the certification body and DPA must take into account the following things. 
 +
 
 +
==== Certification Through a Certification Body ====
 +
A certification body must issue, review, renew and withdraw certifications (Articles 42(5) and 42(7) GDPR) on the basis of the certification criteria approved by the DPA or the EDPB. According to Article 42(7) GDPR, certification can be issued for a maximum period of three years. However, a certification body can also withdraw the certification, if the criteria for the certification are no longer being met. The certification body must provide DPAs with information regarding individual certifications, as this is necessary to monitor how the certification mechanism has been applied (Articles 42(7) GDPR, 43(5), and [[Article 58 GDPR|58(2)(h) GDPR]]).<ref>EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 11 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf here]).</ref> 
 +
 
 +
==== Certification Through a Supervisory Authority ====
 +
According to the EDPB, where a DPA is to conduct certification pursuant to Article 42(5) GDPR, it will have to carefully assess its role regarding its assigned tasks under the GDPR. In particular, the separation of powers should be taken into account, to ensure that any conflicts of interest are avoided. The DPA must both ensure that a certification mechanism has been properly set up, and that it has either developed its own, or adopted a, certification criteria. Furthermore, certifications issued by the DPA are to be periodically reviewed (as required by [[Article 57 GDPR|Article 57(1)(o) GDPR]]). The DPA can also withdraw a certification if its requirements are no longer being met, as provided for in [[Article 58 GDPR|Article 58(2)(h) GDPR]]. 
 +
 
 +
==== Developing a Certification Criterion ====
 +
In order for processing operations to become certified, they need to be assessed with reference to certification criteria (Article 42(5) GDPR). These criteria must be approved either by the competent DPA, or the EDPB. The development of this certification criteria should focus on “''verifiability, significance, and suitability''” in order to demonstrate compliance with the GDPR. The EDPB also gives guidance on which aspects are to be taken into account when drafting certification criteria. These include: the lawfulness of processing pursuant to [[Article 6 GDPR]]; the principles of data processing pursuant to [[Article 5 GDPR]]; the data subjects’ rights pursuant to [[Article 12 GDPR|Articles 12-23 GDPR]]; the obligation to notify data breaches pursuant to [[Article 33 GDPR]]; the obligation of data protection by design and by default, pursuant to [[Article 25 GDPR]]; whether a data protection impact assessment, pursuant to [[Article 35 GDPR|Article 35(7)(d) GDPR]] has been conducted, if applicable; and the technical and organizational measures put in place pursuant to [[Article 32 GDPR]]. However, these aspects may be given varying weight and consideration, depending on what the scope of the certification is.<ref>EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 15 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf here]).</ref> 
 +
 
 +
==== Approving a Certification Criterion ====
 +
When a DPA is responsible for approving the certification criteria, it must do so prior to or during the accreditation process for a certification body. A DPA must not discriminate against any entity, and must ensure that it handles all requests for approval of certification criteria fairly. It must also make its procedure for approval publicly available. Once the certification criteria has been approved by the DPA , a certification body can only issue certification within a Member State in accordance with this criteria. Alternatively, the certification criteria can also be approved by the EDPB (in which case it will generate a European Data Protection Seal). However, the creation and approval of a European Data Protection Seal may prove complicated, and will be subject to continuous change, since an EU-wide mechanism will need to be adaptable to take into account national regulations that may be sector-specific. Once a set of criteriahas been identified as suitable for a common certification, and has also been approved by the EDPB, then certification bodies “''may be accredited to conduct certification under these criteria at Union level''”.<ref>EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 12 and 14 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf here]).</ref> 
 +
=== (7-8) What Processing Operations can be Certified Under the GDPR ===
 +
In identifying which processing operations can be certified, the EDPB suggests that three components are considered. These include: (i) The personal data involved; (ii) The technical systems used to process the personal data, and (iii) The processes and procedures related to the processing operations. Each processing operation is to be assessed against the set of certification criteria. It is also important to note that a use case must be provided in order to assess the compliance of the processing operation with the certification criteria. Once a processing operation has been certified, a certification can be issued to a controller or processor for a maximum of three years (Article 42(7) GDPR), and can be renewed if all of the criteria of the certification mechanism have been met. Article 42(8) GDPR requires that the EDPB collate all certification mechanisms and data protection seals and marks in a register, and make them publicly available by any appropriate means. The aim of this exercise is to promote transparency of the certification mechanism.
 +
==Decisions==
 
→ You can find all related decisions in [[:Category:Article 42 GDPR]]
 
→ You can find all related decisions in [[:Category:Article 42 GDPR]]
  
== References ==
+
==References==
 
<references />
 
<references />
  
[[Category:GDPR]]
+
[[Category:GDPR Articles]]
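Review bot: the added Commentary text in this hunk has several typos worth fixing in the wikitext: "European Data Protection Board EDPB)" is missing its opening parenthesis, "competent DPA.sIn any case" has a stray "s" and no space, "criteriahas" is run together, and "approved by the DPA ," has a space before the comma. The Bergt, Pesch `<ref>` is also repeated verbatim twice in the same paragraph; a named ref (`<ref name="...">`) defined once and reused would avoid the duplicate footnote.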

Latest revision as of 07:02, 12 September 2022

Article 42 - Certification

Legal Text


Article 42 - Certification

1. The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.

2. In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 5 of this Article may be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation pursuant to Article 3 within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (f) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects.

3. The certification shall be voluntary and available via a process that is transparent.

4. A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the supervisory authorities which are competent pursuant to Article 55 or 56.

5. A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 43 or by the competent supervisory authority, on the basis of criteria approved by that competent supervisory authority pursuant to Article 58(3) or by the Board pursuant to Article 63. Where the criteria are approved by the Board, this may result in a common certification, the European Data Protection Seal.

6. The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 43, or where applicable, the competent supervisory authority, with all information and access to its processing activities which are necessary to conduct the certification procedure.

7. Certification shall be issued to a controller or processor for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant requirements continue to be met. Certification shall be withdrawn, as applicable, by the certification bodies referred to in Article 43 or by the competent supervisory authority where the requirements for the certification are not or are no longer met.

8. The Board shall collate all certification mechanisms and data protection seals and marks in a register and shall make them publicly available by any appropriate means.

Relevant Recitals

Recital 100: Establishment of Certification Mechanisms and Data Protection Seals and Marks
In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms and data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services.

Recital 119: Participation in Consistency Mechanism in Case of Multiple Supervisory Authorities
Where a Member State establishes several supervisory authorities, it should establish by law mechanisms for ensuring the effective participation of those supervisory authorities in the consistency mechanism. That Member State should in particular designate the supervisory authority which functions as a single contact point for the effective participation of those authorities in the mechanism, to ensure swift and smooth cooperation with other supervisory authorities, the Board and the Commission.

Commentary

Article 42 GDPR offers a controller or processor the voluntary option to obtain a certification for their processing operations, in order to demonstrate compliance with the GDPR. Certification is thus viewed as an accountability framework, promoting both legal compliance and transparency. However, it is crucial to note that the mere demonstration of compliance within the certification process does not equal compliance per se: controllers and processors must still comply with the full scope of the GDPR, regardless of whether they have been certified or not. Similarly, certification does not reduce the responsibility which has been allocated to a controller or processor when it comes to their existing legal obligations under the GDPR.

(1) Defining Certification Mechanisms, Data Protection Seals, and Marks

Article 42(1) GDPR provides that Member States, Data Protection Authorities (DPAs), the European Data Protection Board (EDPB) and the European Commission (Commission) shall encourage the “establishment of data protection certification mechanisms”. However, the GDPR does not define what constitutes a certification. Therefore, one can turn to the universal definition provided by the International Standards Organisation (ISO), which defines certification as “the provision by an independent body of written assurance (a certificate) that the product, service or system in question meets specific requirements.”[1]

The EDPB Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation (EDPB Guidelines) adopt the definition found in the ISO Conformity assessment EN-ISO/IEC 17000:2004, and define certification to mean “third party attestation related to processing operations by controllers and processors”.[2] However, the scope of this definition, and Article 42 GDPR in general, has been critiqued for being limited to the entity that engages in the processing operation.[3] While this makes sense insofar as it is the data processing operation itself which is certified (as this is where the personal data is handled), one can also make the argument that the certification mechanism should be extended to entities providing products or services, but not conducting data processing themselves.[4]

There is also no definition of “data protection seals and marks” to be found in the GDPR. Here, general definitions are to be relied upon as well. What is important to note, however, is that a certificate, seal or mark under the GDPR is only issuable following an independent assessment by a DPA or accredited certification body. This is clear from Article 42(5) GDPR, which details that the criteria through which to assess the controller or processor should be approved pursuant to Article 58(3) GDPR, or by the EDPB pursuant to Article 63 GDPR. Where such an approval takes place through the EDPB, this may give rise to a common certification known as the “European Data Protection Seal”.[5]

(2) Demonstrating Safeguards Through Data Protection Certification Mechanisms, Seals or Marks

Article 42(2) GDPR also provides that data protection certification mechanisms, seals, or marks approved pursuant to Article 42(5) GDPR can be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors not subject to the GDPR, in order to allow for personal data transfers to third countries under the terms referred to in Article 46(2)(f) GDPR. One substantial difference between Article 42(1) GDPR and Article 42(2) GDPR is that in the former, the applicant for certification is subject to the GDPR, while in the latter, the applicant is not. This entails that the certification body must ensure that it is nonetheless able to monitor an applicant not subject to the GDPR for compliance with its certification obligations. This follows from the wording of Article 42(2) GDPR, which specifies that such third-country controllers or processors should make binding and enforceable commitments to apply the safeguards on which the certification was based. In short, the certification body must be able to monitor and enforce these commitments.

(3-4) Certification as a Voluntary Act that does not Reduce Compliance Obligations

Article 42(3) GDPR specifies that the act of certification is voluntary, and that it must be an option that is available to controllers or processors via a process that is transparent. To aid with transparency, certification bodies which approve certification mechanisms, seals or marks should provide easily accessible information about the certification process which is meaningful and intelligible. It is important to note that there is no obligation under the GDPR to become ‘certified’ as a controller or processor, although certification can help demonstrate compliance with the GDPR. However, as Article 42(4) GDPR expressly makes clear, the act of becoming certified does not reduce the responsibility of the controller or processor in complying with the GDPR, and is without prejudice to the tasks and powers of the competent DPAs pursuant to Articles 55 and 56 GDPR.

(5-6) Certification can be Issued Through a Certification Body or by the Competent Supervisory Authority

As expressed in Article 42(5) GDPR, the certification of a processing operation can be done either by the certification bodies referred to in Article 43 GDPR, or by the competent DPA. In any case, both must follow the certification criteria which will have previously been approved by the DPA or the EDPB. Whether a certification was carried out by the certification body or the DPA does not change much for the controller or processor seeking certification. However, when issuing a certification, the certification body and DPA must take into account the following things.

Certification Through a Certification Body

A certification body must issue, review, renew and withdraw certifications (Articles 42(5) and 42(7) GDPR) on the basis of the certification criteria approved by the DPA or the EDPB. According to Article 42(7) GDPR, certification can be issued for a maximum period of three years. However, a certification body can also withdraw the certification if the criteria for the certification are no longer being met. The certification body must provide DPAs with information regarding individual certifications, as this is necessary to monitor how the certification mechanism has been applied (Articles 42(7), 43(5), and 58(2)(h) GDPR).[6]

Certification Through a Supervisory Authority

According to the EDPB, where a DPA is to conduct certification pursuant to Article 42(5) GDPR, it will have to carefully assess its role regarding its assigned tasks under the GDPR. In particular, the separation of powers should be taken into account, to ensure that any conflicts of interest are avoided. The DPA must ensure both that a certification mechanism has been properly set up, and that it has either developed its own certification criteria or adopted existing ones. Furthermore, certifications issued by the DPA are to be periodically reviewed (as required by Article 57(1)(o) GDPR). The DPA can also withdraw a certification if its requirements are no longer being met, as provided for in Article 58(2)(h) GDPR.

Developing a Certification Criterion

In order for processing operations to become certified, they need to be assessed with reference to certification criteria (Article 42(5) GDPR). These criteria must be approved either by the competent DPA, or the EDPB. The development of these certification criteria should focus on “verifiability, significance, and suitability” in order to demonstrate compliance with the GDPR. The EDPB also gives guidance on which aspects are to be taken into account when drafting certification criteria. These include: the lawfulness of processing pursuant to Article 6 GDPR; the principles of data processing pursuant to Article 5 GDPR; the data subjects’ rights pursuant to Articles 12-23 GDPR; the obligation to notify data breaches pursuant to Article 33 GDPR; the obligation of data protection by design and by default, pursuant to Article 25 GDPR; whether a data protection impact assessment, pursuant to Article 35(7)(d) GDPR, has been conducted, if applicable; and the technical and organizational measures put in place pursuant to Article 32 GDPR. However, these aspects may be given varying weight and consideration, depending on what the scope of the certification is.[7]

Approving a Certification Criterion

When a DPA is responsible for approving the certification criteria, it must do so prior to or during the accreditation process for a certification body. A DPA must not discriminate against any entity, and must ensure that it handles all requests for approval of certification criteria fairly. It must also make its procedure for approval publicly available. Once the certification criteria have been approved by the DPA, a certification body can only issue certification within a Member State in accordance with these criteria. Alternatively, the certification criteria can also be approved by the EDPB (in which case it will generate a European Data Protection Seal). However, the creation and approval of a European Data Protection Seal may prove complicated, and will be subject to continuous change, since an EU-wide mechanism will need to be adaptable to take into account national regulations that may be sector-specific. Once a set of criteria has been identified as suitable for a common certification, and has also been approved by the EDPB, then certification bodies “may be accredited to conduct certification under these criteria at Union level”.[8]

(7-8) What Processing Operations can be Certified Under the GDPR

In identifying which processing operations can be certified, the EDPB suggests that three components be considered: (i) the personal data involved; (ii) the technical systems used to process the personal data; and (iii) the processes and procedures related to the processing operations. Each processing operation is to be assessed against the set of certification criteria. It is also important to note that a use case must be provided in order to assess the compliance of the processing operation with the certification criteria. Once a processing operation has been certified, a certification can be issued to a controller or processor for a maximum of three years (Article 42(7) GDPR), and can be renewed if all of the criteria of the certification mechanism have been met. Article 42(8) GDPR requires that the EDPB collate all certification mechanisms and data protection seals and marks in a register, and make them publicly available by any appropriate means. The aim of this exercise is to promote transparency of the certification mechanism.

Decisions

→ You can find all related decisions in Category:Article 42 GDPR

References

  1. See the website of the ISO under “Certification” (accessed on 17 March 2022); also see EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 8 (available here).
  2. EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 8 (available here).
  3. Bergt, Pesch, in Kühling, Buchner, DS-GVO BDSG, Article 42 GDPR, margin number 3a (C.H. Beck 2020, 3rd Edition).
  4. Bergt, Pesch, in Kühling, Buchner, DS-GVO BDSG, Article 42 GDPR, margin number 3a (C.H. Beck 2020, 3rd Edition).
  5. EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 8 (available here).
  6. EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 11 (available here).
  7. EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 15 (available here).
  8. EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), pp. 12 and 14 (available here).