https://gdprhub.eu/index.php?title=Article_42_GDPR&feed=atom&action=history
Article 42 GDPR - Revision history
2024-03-29T00:21:59Z
Revision history for this page on the wiki
MediaWiki 1.39.6
https://gdprhub.eu/index.php?title=Article_42_GDPR&diff=34311&oldid=prev
Mg: /* (3-4) Certification as a Voluntary Act that does not Reduce Compliance Obligations */
2023-07-28T14:26:11Z
<p><span dir="auto"><span class="autocomment">(3-4) Certification as a Voluntary Act that does not Reduce Compliance Obligations</span></span></p>
<a href="https://gdprhub.eu/index.php?title=Article_42_GDPR&diff=34311&oldid=34310">Show changes</a>
Mg
https://gdprhub.eu/index.php?title=Article_42_GDPR&diff=34310&oldid=prev
Mg: /* (1) Defining Certification Mechanisms, Data Protection Seals, and Marks */
2023-07-28T14:15:42Z
<p><span dir="auto"><span class="autocomment">(1) Defining Certification Mechanisms, Data Protection Seals, and Marks</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 14:15, 28 July 2023</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l210">Line 210:</td>
<td colspan="2" class="diff-lineno">Line 210:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Article 42 GDPR offers a controller or processor the voluntary option to obtain a certification for their processing operations, in order to demonstrate compliance with the GDPR. Certification is thus viewed as an accountability framework, promoting both legal compliance and transparency. However, it is crucial to note that the mere demonstration of compliance within the certification process does not ''equal'' compliance per se: controllers and processors must still comply with the full scope of the GDPR, regardless of whether they have been certified or not. Similarly, certification does not reduce the responsibility which has been allocated to a controller or processor when it comes to their existing legal obligations under the GDPR. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Article 42 GDPR offers a controller or processor the voluntary option to obtain a certification for their processing operations, in order to demonstrate compliance with the GDPR. Certification is thus viewed as an accountability framework, promoting both legal compliance and transparency. However, it is crucial to note that the mere demonstration of compliance within the certification process does not ''equal'' compliance per se: controllers and processors must still comply with the full scope of the GDPR, regardless of whether they have been certified or not. 
Similarly, certification does not reduce the responsibility which has been allocated to a controller or processor when it comes to their existing legal obligations under the GDPR. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>=== (1) Defining <del style="font-weight: bold; text-decoration: none;">Certification Mechanisms</del>, <del style="font-weight: bold; text-decoration: none;">Data Protection Seals</del>, and <del style="font-weight: bold; text-decoration: none;">Marks </del>===</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>=== (1) Defining <ins style="font-weight: bold; text-decoration: none;">certification mechanisms</ins>, <ins style="font-weight: bold; text-decoration: none;">data protection seals</ins>, and <ins style="font-weight: bold; text-decoration: none;">marks </ins>===</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Article 42(1) GDPR provides that Member States, Data Protection Authorities (DPAs), the European Data Protection Board (EDPB) and the European Commission (Commission) shall encourage the “''establishment of data protection certification mechanisms''”. However, there is no definition of what a certification constitutes in the GDPR. Therefore, one can turn to the universal definition provided by the International Standards Organisation (ISO), which defines certification as “''the provision by an independent body of written assurance (a certificate) that the product, service or system in question meets specific requirements.''”<ref>See the website of the ISO under “Certification” (accessed on 17 March 2022); also see EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 8 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf here]).</ref> </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Article 42(1) GDPR provides that Member States, Data Protection Authorities (DPAs), the European Data Protection Board (EDPB) and the European Commission (Commission) shall encourage the “''establishment of data protection certification mechanisms''”. However, there is no definition of what a certification constitutes in the GDPR. 
Therefore, one can turn to the universal definition provided by the International Standards Organisation (ISO), which defines certification as “''the provision by an independent body of written assurance (a certificate) that the product, service or system in question meets specific requirements.''”<ref>See the website of the ISO under “Certification” (accessed on 17 March 2022); also see EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 8 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf here]).</ref> </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l216">Line 216:</td>
<td colspan="2" class="diff-lineno">Line 216:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>There is also no definition of “''data protection seals and marks''” to be found in the GDPR. Here, general definitions are to be relied upon as well. What is important to note, however, is that a certificate, seal or mark under the GDPR is only issuable following an independent assessment by a DPA or accredited certification body. This is clear from Article 42(5) GDPR, which details that the criteria through which to assess the controller or processor should be approved pursuant to [[Article 58 GDPR|Article 58(3) GDPR]], or by the EDPB pursuant to [[Article 63 GDPR]]. Where such an approval takes place through the EDPB, this may give rise to a common certification known as the “''European Data Protection Seal''”.<ref>EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 8 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf here]).</ref> </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>There is also no definition of “''data protection seals and marks''” to be found in the GDPR. Here, general definitions are to be relied upon as well. What is important to note, however, is that a certificate, seal or mark under the GDPR is only issuable following an independent assessment by a DPA or accredited certification body. 
This is clear from Article 42(5) GDPR, which details that the criteria through which to assess the controller or processor should be approved pursuant to [[Article 58 GDPR|Article 58(3) GDPR]], or by the EDPB pursuant to [[Article 63 GDPR]]. Where such an approval takes place through the EDPB, this may give rise to a common certification known as the “''European Data Protection Seal''”.<ref>EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 8 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf here]).</ref> </div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>=== (2) Demonstrating <del style="font-weight: bold; text-decoration: none;">Safeguards Through Data Protection Certification Mechanisms</del>, <del style="font-weight: bold; text-decoration: none;">Seals </del>or <del style="font-weight: bold; text-decoration: none;">Marks </del>===</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>=== (2) Demonstrating <ins style="font-weight: bold; text-decoration: none;">safeguards through data protection certification mechanisms</ins>, <ins style="font-weight: bold; text-decoration: none;">seals </ins>or <ins style="font-weight: bold; text-decoration: none;">marks </ins>===</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Article 42(2) GDPR also provides that data protection certification mechanisms, seals, or marks approved pursuant to Article 42(5) GDPR can be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors not subject to the GDPR, in order to allow for personal data transfers to third countries under the terms referred to in Article 46(2)(f) GDPR. One substantial difference between Article 42(1) GDPR and Article 42(2) GDPR is that in the former, the applicant for certification is subject to the GDPR, while in latter, the applicant is not. This entails that the certification body must ensure that an applicant not subject to the GDPR is nonetheless able to be monitored by it for compliance with its certification obligations. This follows from the wording of Article 42(2) GDPR, which specifies that such third-country controllers or processors should make binding and enforceable commitments to apply the safeguards upon which the certification was based on. In short, the certification body must be able to monitor and enforce these commitments. 
</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Article 42(2) GDPR also provides that data protection certification mechanisms, seals, or marks approved pursuant to Article 42(5) GDPR can be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors not subject to the GDPR, in order to allow for personal data transfers to third countries under the terms referred to in Article 46(2)(f) GDPR. One substantial difference between Article 42(1) GDPR and Article 42(2) GDPR is that in the former, the applicant for certification is subject to the GDPR, while in latter, the applicant is not. This entails that the certification body must ensure that an applicant not subject to the GDPR is nonetheless able to be monitored by it for compliance with its certification obligations. This follows from the wording of Article 42(2) GDPR, which specifies that such third-country controllers or processors should make binding and enforceable commitments to apply the safeguards upon which the certification was based on. In short, the certification body must be able to monitor and enforce these commitments. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
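<tr><td colspan="4">Review bot: under the renamed (2) heading, the unchanged paragraph still reads "while in latter" and "upon which the certification was based on". Since this edit already touches the section for style, change these to "while in the latter" and "upon which the certification was based".</td></tr>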
</table>
Mg
https://gdprhub.eu/index.php?title=Article_42_GDPR&diff=34309&oldid=prev
Mg: /* (1) Defining Certification Mechanisms, Data Protection Seals, and Marks */
2023-07-28T14:13:00Z
<p><span dir="auto"><span class="autocomment">(1) Defining Certification Mechanisms, Data Protection Seals, and Marks</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 14:13, 28 July 2023</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l211">Line 211:</td>
<td colspan="2" class="diff-lineno">Line 211:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== (1) Defining Certification Mechanisms, Data Protection Seals, and Marks ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== (1) Defining Certification Mechanisms, Data Protection Seals, and Marks ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Article 42(1) GDPR provides that Member States, Data Protection Authorities (DPAs), the European Data Protection Board EDPB) and the European Commission (Commission) shall encourage the “''establishment of data protection certification mechanisms''”. However, there is no definition of what a certification constitutes in the GDPR. Therefore, one can turn to the universal definition provided by the International Standards Organisation (ISO), which defines certification as “''the provision by an independent body of written assurance (a certificate) that the product, service or system in question meets specific requirements.''”<ref>See the website of the ISO under “Certification” (accessed on 17 March 2022); also see EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 8 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf here]).</ref> </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Article 42(1) GDPR provides that Member States, Data Protection Authorities (DPAs), the European Data Protection Board <ins style="font-weight: bold; text-decoration: none;">(</ins>EDPB) and the European Commission (Commission) shall encourage the “''establishment of data protection certification mechanisms''”. However, there is no definition of what a certification constitutes in the GDPR. 
Therefore, one can turn to the universal definition provided by the International Standards Organisation (ISO), which defines certification as “''the provision by an independent body of written assurance (a certificate) that the product, service or system in question meets specific requirements.''”<ref>See the website of the ISO under “Certification” (accessed on 17 March 2022); also see EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 8 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf here]).</ref> </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The EDPB Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation (EDPB Guidelines), adopt the definition found in the ISO Conformity assessment EN-ISO/IEC 17000:2004, and define certification to mean “''third party attestation related to processing operations by controllers and processors''”.<ref>EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 8 (available [https://edpb.europa.eu/<del style="font-weight: bold; text-decoration: none;">sites</del>/<del style="font-weight: bold; text-decoration: none;">default</del>/<del style="font-weight: bold; text-decoration: none;">files</del>/<del style="font-weight: bold; text-decoration: none;">files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf </del>here]).</ref> However, the scope of this definition, and Article 42 GDPR in general, has been <del style="font-weight: bold; text-decoration: none;">critiqued </del>for being limited to the entity that engages in the processing operation.<ref>''Bergt, Pesch'', in Kühling, Buchner, DS-GVO BDSG, Article 42 GDPR, margin number 3a (C.H. Beck 2020, 3rd Edition).</ref> While this makes sense insofar as it is the data processing operation itself which is certified (as this is where the personal data is handled), one can also make the argument that the certification mechanism should be extended to entities providing products or services, but not conducting data processing themselves.<ref>''Bergt, Pesch'', in Kühling, Buchner, DS-GVO BDSG, Article 42 GDPR, margin number 3a (C.H. 
Beck 2020, 3rd Edition).</ref> </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The EDPB Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation (EDPB Guidelines), adopt the definition found in the ISO Conformity assessment EN-ISO/IEC 17000:2004, and define certification to mean “''third party attestation related to processing operations by controllers and processors''”.<ref>EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 8 (available [https://edpb.europa.eu/<ins style="font-weight: bold; text-decoration: none;">our-work-tools</ins>/<ins style="font-weight: bold; text-decoration: none;">our-documents</ins>/<ins style="font-weight: bold; text-decoration: none;">guidelines</ins>/<ins style="font-weight: bold; text-decoration: none;">guidelines-12018-certification-and-identifying_en </ins>here]).</ref> However, the scope of this definition, and Article 42 GDPR in general, has been <ins style="font-weight: bold; text-decoration: none;">criticised </ins>for being limited to the entity that engages in the processing operation.<ref>''Bergt, Pesch'', in Kühling, Buchner, DS-GVO BDSG, Article 42 GDPR, margin number 3a (C.H. Beck 2020, 3rd Edition).</ref> While this makes sense insofar as it is the data processing operation itself which is certified (as this is where the personal data is handled), one can also make the argument that the certification mechanism should be extended to entities providing products or services, but not conducting data processing themselves.<ref>''Bergt, Pesch'', in Kühling, Buchner, DS-GVO BDSG, Article 42 GDPR, margin number 3a (C.H. 
Beck 2020, 3rd Edition).</ref> </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>There is also no definition of “''data protection seals and marks''” to be found in the GDPR. Here, general definitions are to be relied upon as well. What is important to note, however, is that a certificate, seal or mark under the GDPR is only issuable following an independent assessment by a DPA or accredited certification body. This is clear from Article 42(5) GDPR, which details that the criteria through which to assess the controller or processor should be approved pursuant to [[Article 58 GDPR|Article 58(3) GDPR]], or by the EDPB pursuant to [[Article 63 GDPR]]. Where such an approval takes place through the EDPB, this may give rise to a common certification known as the “''European Data Protection Seal''”.<ref>EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 8 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf here]).</ref> </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>There is also no definition of “''data protection seals and marks''” to be found in the GDPR. Here, general definitions are to be relied upon as well. What is important to note, however, is that a certificate, seal or mark under the GDPR is only issuable following an independent assessment by a DPA or accredited certification body. 
This is clear from Article 42(5) GDPR, which details that the criteria through which to assess the controller or processor should be approved pursuant to [[Article 58 GDPR|Article 58(3) GDPR]], or by the EDPB pursuant to [[Article 63 GDPR]]. Where such an approval takes place through the EDPB, this may give rise to a common certification known as the “''European Data Protection Seal''”.<ref>EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 8 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf here]).</ref> </div></td></tr>
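<tr><td colspan="4">Review bot: the link to the EDPB Guidelines 1/2018 is updated only in the footnote of the second paragraph. The footnotes in the unchanged paragraphs above and below it (the ISO definition and the "European Data Protection Seal" sentence) still point to the old sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf address. Update those references to the same target so every citation of the Guidelines resolves to one location, and check that the "p. 8" page reference still makes sense against the new link.</td></tr>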
</table>
Mg
https://gdprhub.eu/index.php?title=Article_42_GDPR&diff=31485&oldid=prev
Kv: added EDPB Guidelines
2023-03-02T08:35:28Z
<p>added EDPB Guidelines</p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 08:35, 2 March 2023</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l237">Line 237:</td>
<td colspan="2" class="diff-lineno">Line 237:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>When a DPA is responsible for approving the certification criteria, it must do so prior to or during the accreditation process for a certification body. A DPA must not discriminate against any entity, and must ensure that it handles all requests for approval of certification criteria fairly. It must also make its procedure for approval publicly available. Once the certification criteria has been approved by the DPA , a certification body can only issue certification within a Member State in accordance with this criteria. Alternatively, the certification criteria can also be approved by the EDPB (in which case it will generate a European Data Protection Seal). However, the creation and approval of a European Data Protection Seal may prove complicated, and will be subject to continuous change, since an EU-wide mechanism will need to be adaptable to take into account national regulations that may be sector-specific. Once a set of criteriahas been identified as suitable for a common certification, and has also been approved by the EDPB, then certification bodies “''may be accredited to conduct certification under these criteria at Union level''”.<ref>EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 
12 and 14 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf here]).</ref> </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>When a DPA is responsible for approving the certification criteria, it must do so prior to or during the accreditation process for a certification body. A DPA must not discriminate against any entity, and must ensure that it handles all requests for approval of certification criteria fairly. It must also make its procedure for approval publicly available. Once the certification criteria has been approved by the DPA , a certification body can only issue certification within a Member State in accordance with this criteria. Alternatively, the certification criteria can also be approved by the EDPB (in which case it will generate a European Data Protection Seal). However, the creation and approval of a European Data Protection Seal may prove complicated, and will be subject to continuous change, since an EU-wide mechanism will need to be adaptable to take into account national regulations that may be sector-specific. Once a set of criteriahas been identified as suitable for a common certification, and has also been approved by the EDPB, then certification bodies “''may be accredited to conduct certification under these criteria at Union level''”.<ref>EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 12 and 14 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf here]).</ref> </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== (7-8) What Processing Operations can be Certified Under the GDPR ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== (7-8) What Processing Operations can be Certified Under the GDPR ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>In identifying which processing operations can be certified, the EDPB suggests that three components are considered. These include: (i) The personal data involved; (ii) The technical systems used to process the personal data, and (iii) The processes and procedures related to the processing operations. Each processing operation is to be assessed against the set of certification criteria. It is also important to note that a use case must be provided in order to assess the compliance of the processing operation with the certification criteria. Once a processing operation has been certified, a certification can be issued to a controller or processor for a maximum of three years (Article 42(7) GDPR), and can be renewed if all of the criteria of the certification mechanism have been met. Article 42(8) GDPR requires that the EDPB collate all certification mechanisms and data protection seals and marks in a register, and make them publicly available by any appropriate means. The aim of this exercise is to promote transparency of the certification mechanism.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>In identifying which processing operations can be certified, the EDPB suggests that three components are considered. These include: (i) The personal data involved; (ii) The technical systems used to process the personal data, and (iii) The processes and procedures related to the processing operations. Each processing operation is to be assessed against the set of certification criteria. 
It is also important to note that a use case must be provided in order to assess the compliance of the processing operation with the certification criteria. Once a processing operation has been certified, a certification can be issued to a controller or processor for a maximum of three years (Article 42(7) GDPR), and can be renewed if all of the criteria of the certification mechanism have been met. Article 42(8) GDPR requires that the EDPB collate all certification mechanisms and data protection seals and marks in a register, and make them publicly available by any appropriate means. The aim of this exercise is to promote transparency of the certification mechanism.<ins style="font-weight: bold; text-decoration: none;"><blockquote><u>EDPB Guidelines:</u> on this article there are [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-12018-certification-and-identifying_en EDPB Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation - version adopted after public consultation]</blockquote></ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Decisions==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Decisions==</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>→ You can find all related decisions in [[:Category:Article 42 GDPR]]</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>→ You can find all related decisions in [[:Category:Article 42 GDPR]]</div></td></tr>
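Review bot: the added "EDPB Guidelines:" blockquote is attached directly to the final sentence of the (7-8) paragraph ("...transparency of the certification mechanism."), so it reads as part of the Article 42(8) register discussion. The note itself says the guidelines are "on this article", meaning Article 42 as a whole. Put the blockquote on its own line, separated from the paragraph. Consider also whether it belongs under this subsection at all rather than at article level.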
</table>Kvhttps://gdprhub.eu/index.php?title=Article_42_GDPR&diff=28033&oldid=prevJolly: /* Relevant Recitals */2022-09-12T07:02:38Z<p><span dir="auto"><span class="autocomment">Relevant Recitals</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 07:02, 12 September 2022</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l204">Line 204:</td>
<td colspan="2" class="diff-lineno">Line 204:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Relevant Recitals==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Relevant Recitals==</div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">{{Recital/100 GDPR}}</ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>{{Recital/119 GDPR}}</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>{{Recital/119 GDPR}}</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
</table>Jollyhttps://gdprhub.eu/index.php?title=Article_42_GDPR&diff=25618&oldid=prevSR: /* (1) Defining Certification Mechanisms, Data Protection Seals, and Marks */2022-04-28T14:26:14Z<p><span dir="auto"><span class="autocomment">(1) Defining Certification Mechanisms, Data Protection Seals, and Marks</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 14:26, 28 April 2022</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l210">Line 210:</td>
<td colspan="2" class="diff-lineno">Line 210:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== (1) Defining Certification Mechanisms, Data Protection Seals, and Marks ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== (1) Defining Certification Mechanisms, Data Protection Seals, and Marks ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Article 42(1) GDPR provides that Member States, Data Protection Authorities(DPAs), the European Data Protection Board EDPB) and the European Commission (Commission) shall encourage the “''establishment of data protection certification mechanisms''”. However, there is no definition of what a certification constitutes in the GDPR. Therefore, one can turn to the universal definition provided by the International Standards Organisation (ISO), which defines certification as “''the provision by an independent body of written assurance (a certificate) that the product, service or system in question meets specific requirements.''”<del style="font-weight: bold; text-decoration: none;">[</del>See the website of the ISO under “Certification” (accessed on 17 March 2022); also see EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 
8 (available <del style="font-weight: bold; text-decoration: none;">here)</del>.<del style="font-weight: bold; text-decoration: none;">] The EDPB Guidelines 1</del>/<del style="font-weight: bold; text-decoration: none;">2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation (EDPB Guidelines), adopt the definition found in the ISO Conformity assessment EN-ISO</del>/<del style="font-weight: bold; text-decoration: none;">IEC 17000:2004, and define certification to mean “''third party attestation related to processing operations by controllers and processors''”.[EDPB, ‘Guidelines 1</del>/<del style="font-weight: bold; text-decoration: none;">2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3</del>.<del style="font-weight: bold; text-decoration: none;">0), p</del>. <del style="font-weight: bold; text-decoration: none;">8 (available </del>here).<del style="font-weight: bold; text-decoration: none;">] </del></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Article 42(1) GDPR provides that Member States, Data Protection Authorities (DPAs), the European Data Protection Board EDPB) and the European Commission (Commission) shall encourage the “''establishment of data protection certification mechanisms''”. However, there is no definition of what a certification constitutes in the GDPR. 
Therefore, one can turn to the universal definition provided by the International Standards Organisation (ISO), which defines certification as “''the provision by an independent body of written assurance (a certificate) that the product, service or system in question meets specific requirements.''”<ins style="font-weight: bold; text-decoration: none;"><ref></ins>See the website of the ISO under “Certification” (accessed on 17 March 2022); also see EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 8 (available <ins style="font-weight: bold; text-decoration: none;">[https://edpb.europa</ins>.<ins style="font-weight: bold; text-decoration: none;">eu/sites/default/files</ins>/<ins style="font-weight: bold; text-decoration: none;">files</ins>/<ins style="font-weight: bold; text-decoration: none;">file1</ins>/<ins style="font-weight: bold; text-decoration: none;">edpb_guidelines_201801_v3</ins>.<ins style="font-weight: bold; text-decoration: none;">0_certificationcriteria_annex2_en</ins>.<ins style="font-weight: bold; text-decoration: none;">pdf </ins>here<ins style="font-weight: bold; text-decoration: none;">]</ins>).<ins style="font-weight: bold; text-decoration: none;"></ref> </ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>However, the scope of this definition, and Article 42 GDPR in general, has been critiqued for being limited to the entity that engages in the processing operation.<del style="font-weight: bold; text-decoration: none;">[</del>''Bergt, Pesch'', in Kühling, Buchner, DS-GVO BDSG, Article 42 GDPR, margin number 3a (C.H. Beck 2020, 3rd Edition).<del style="font-weight: bold; text-decoration: none;">] </del>While this makes sense insofar as it is the data processing operation itself which is certified (as this is where the personal data is handled), one can also make the argument that the certification mechanism should be extended to entities providing products or services, but not conducting data processing themselves.<del style="font-weight: bold; text-decoration: none;">[</del>''Bergt, Pesch'', in Kühling, Buchner, DS-GVO BDSG, Article 42 GDPR, margin number 3a (C.H. 
Beck 2020, 3rd Edition).<del style="font-weight: bold; text-decoration: none;">] </del></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">The EDPB Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation (EDPB Guidelines), adopt the definition found in the ISO Conformity assessment EN-ISO/IEC 17000:2004, and define certification to mean “''third party attestation related to processing operations by controllers and processors''”.<ref>EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 8 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf here]).</ref> </ins>However, the scope of this definition, and Article 42 GDPR in general, has been critiqued for being limited to the entity that engages in the processing operation.<ins style="font-weight: bold; text-decoration: none;"><ref></ins>''Bergt, Pesch'', in Kühling, Buchner, DS-GVO BDSG, Article 42 GDPR, margin number 3a (C.H. Beck 2020, 3rd Edition).<ins style="font-weight: bold; text-decoration: none;"></ref> </ins>While this makes sense insofar as it is the data processing operation itself which is certified (as this is where the personal data is handled), one can also make the argument that the certification mechanism should be extended to entities providing products or services, but not conducting data processing themselves.<ins style="font-weight: bold; text-decoration: none;"><ref></ins>''Bergt, Pesch'', in Kühling, Buchner, DS-GVO BDSG, Article 42 GDPR, margin number 3a (C.H. 
Beck 2020, 3rd Edition).<ins style="font-weight: bold; text-decoration: none;"></ref> </ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>There is also no definition of “''data protection seals and marks''” to be found in the GDPR. Here, general definitions are to be relied upon as well. What is important to note, however, is that a certificate, seal or mark under the GDPR is only issuable following an independent assessment by a DPA or accredited certification body. This is clear from Article 42(5) GDPR, which details that the criteria through which to assess the controller or processor should be approved pursuant to [[Article 58 GDPR|Article 58(3) GDPR]], or by the EDPB pursuant to [[Article 63 GDPR]]. Where such an approval takes place through the EDPB, this may give rise to a common certification known as the “''European Data Protection Seal''”.<del style="font-weight: bold; text-decoration: none;">[</del>EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 8 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf here]).<del style="font-weight: bold; text-decoration: none;">] </del></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>There is also no definition of “''data protection seals and marks''” to be found in the GDPR. Here, general definitions are to be relied upon as well. What is important to note, however, is that a certificate, seal or mark under the GDPR is only issuable following an independent assessment by a DPA or accredited certification body. 
This is clear from Article 42(5) GDPR, which details that the criteria through which to assess the controller or processor should be approved pursuant to [[Article 58 GDPR|Article 58(3) GDPR]], or by the EDPB pursuant to [[Article 63 GDPR]]. Where such an approval takes place through the EDPB, this may give rise to a common certification known as the “''European Data Protection Seal''”.<ins style="font-weight: bold; text-decoration: none;"><ref></ins>EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 8 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf here]).<ins style="font-weight: bold; text-decoration: none;"></ref> </ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== (2) Demonstrating Safeguards Through Data Protection Certification Mechanisms, Seals or Marks ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== (2) Demonstrating Safeguards Through Data Protection Certification Mechanisms, Seals or Marks ===</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Article 42(2) GDPR also provides that data protection certification mechanisms, seals, or marks approved pursuant to Article 42(5) GDPR can be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors not subject to the GDPR, in order to allow for personal data transfers to third countries under the terms referred to in Article 46(2)(f) GDPR. One substantial difference between Article 42(1) GDPR and Article 42(2) GDPR is that in the former, the applicant for certification is subject to the GDPR, while in latter, the applicant is not. This entails that the certification body must ensure that an applicant not subject to the GDPR is nonetheless able to be monitored by it for compliance with its certification obligations. This follows from the wording of Article 42(2) GDPR, which specifies that such third-country controllers or processors should make binding and enforceable commitments to apply the safeguards upon which the certification was based on. In short, the certification body must be able to monitor and enforce these commitments. 
</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Article 42(2) GDPR also provides that data protection certification mechanisms, seals, or marks approved pursuant to Article 42(5) GDPR can be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors not subject to the GDPR, in order to allow for personal data transfers to third countries under the terms referred to in Article 46(2)(f) GDPR. One substantial difference between Article 42(1) GDPR and Article 42(2) GDPR is that in the former, the applicant for certification is subject to the GDPR, while in latter, the applicant is not. This entails that the certification body must ensure that an applicant not subject to the GDPR is nonetheless able to be monitored by it for compliance with its certification obligations. This follows from the wording of Article 42(2) GDPR, which specifies that such third-country controllers or processors should make binding and enforceable commitments to apply the safeguards upon which the certification was based on. In short, the certification body must be able to monitor and enforce these commitments. </div></td></tr>
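Review bot: the new first paragraph still reads "the European Data Protection Board EDPB)", with the opening parenthesis missing. The same edit fixed the spacing in "Data Protection Authorities (DPAs)", so "(EDPB)" should be fixed here too. In the second paragraph the Bergt, Pesch citation (margin number 3a) is now wrapped in two separate, identical ref tags. A single named reference reused at the second position would avoid a duplicate footnote entry.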
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l225">Line 225:</td>
<td colspan="2" class="diff-lineno">Line 225:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== Certification Through a Certification Body ====</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== Certification Through a Certification Body ====</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>A certification body must issue, review, renew and withdraw certifications (Articles 42(5) and 42(7) GDPR) on the basis of the certification criteria approved by the DPA or the EDPB. According to Article 42(7) GDPR, certification can be issued for a maximum period of three years. However, a certification body can also withdraw the certification, if the criteria for the certification are no longer being met. The certification body must provide DPAs with information regarding individual certifications, as this is necessary to monitor how the certification mechanism has been applied (Articles 42(7) GDPR, 43(5), and [[Article 58 GDPR|58(2)(h) GDPR]]).<del style="font-weight: bold; text-decoration: none;">[</del>EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 11 (available here).<del style="font-weight: bold; text-decoration: none;">] </del> </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>A certification body must issue, review, renew and withdraw certifications (Articles 42(5) and 42(7) GDPR) on the basis of the certification criteria approved by the DPA or the EDPB. According to Article 42(7) GDPR, certification can be issued for a maximum period of three years. However, a certification body can also withdraw the certification, if the criteria for the certification are no longer being met. 
The certification body must provide DPAs with information regarding individual certifications, as this is necessary to monitor how the certification mechanism has been applied (Articles 42(7) GDPR, 43(5), and [[Article 58 GDPR|58(2)(h) GDPR]]).<ins style="font-weight: bold; text-decoration: none;"><ref></ins>EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 11 (available <ins style="font-weight: bold; text-decoration: none;">[https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf </ins>here<ins style="font-weight: bold; text-decoration: none;">]</ins>).<ins style="font-weight: bold; text-decoration: none;"></ref> </ins> </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== Certification Through a Supervisory Authority ====</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== Certification Through a Supervisory Authority ====</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>According to the EDPB, where a DPA is to conduct certification pursuant to Article 42(5) GDPR, it will have to carefully assess its role regarding its assigned tasks under the GDPR. In particular, the separation of powers should be taken into account, to ensure that any conflicts of interest are avoided.<del style="font-weight: bold; text-decoration: none;">[EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 10 (available here).] </del>The DPA must both ensure that a certification mechanism has been properly set up, and that it has either developed its own, or adopted a, certification criteria. Furthermore, certifications issued by the DPA are to be periodically reviewed (as required by [[Article 57 GDPR|Article 57(1)(o) GDPR]]). The DPA can also withdraw a certification if its requirements are no longer being met, as provided for in [[Article 58 GDPR|Article 58(2)(h) GDPR]]. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>According to the EDPB, where a DPA is to conduct certification pursuant to Article 42(5) GDPR, it will have to carefully assess its role regarding its assigned tasks under the GDPR. In particular, the separation of powers should be taken into account, to ensure that any conflicts of interest are avoided. The DPA must both ensure that a certification mechanism has been properly set up, and that it has either developed its own, or adopted a, certification criteria. 
Furthermore, certifications issued by the DPA are to be periodically reviewed (as required by [[Article 57 GDPR|Article 57(1)(o) GDPR]]). The DPA can also withdraw a certification if its requirements are no longer being met, as provided for in [[Article 58 GDPR|Article 58(2)(h) GDPR]]. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== Developing a Certification Criterion ====</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== Developing a Certification Criterion ====</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>In order for processing operations to become certified, they need to be assessed with reference to certification criteria (Article 42(5) GDPR). These criteria must be approved either by the competent DPA, or the EDPB. The development of this certification criteria should focus on “''verifiability, significance, and suitability''” in order to demonstrate compliance with the GDPR. The EDPB also gives guidance on which aspects are to be taken into account when drafting certification criteria. These include: the lawfulness of processing pursuant to [[Article 6 GDPR]]; the principles of data processing pursuant to [[Article 5 GDPR]]; the data subjects’ rights pursuant to [[Article 12 GDPR|Articles 12-23 GDPR]]; the obligation to notify data breaches pursuant to [[Article 33 GDPR]]; the obligation of data protection by design and by default, pursuant to [[Article 25 GDPR]]; whether a data protection impact assessment, pursuant to [[Article 35 GDPR|Article 35(7)(d) GDPR]] has been conducted, if applicable; and the technical and organizational measures put in place pursuant to [[Article 32 GDPR]]. However, these aspects may be given varying weight and consideration, depending on what the scope of the certification is.<del style="font-weight: bold; text-decoration: none;">[</del>EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 
15 (available here).<del style="font-weight: bold; text-decoration: none;">] </del> </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>In order for processing operations to become certified, they need to be assessed with reference to certification criteria (Article 42(5) GDPR). These criteria must be approved either by the competent DPA, or the EDPB. The development of this certification criteria should focus on “''verifiability, significance, and suitability''” in order to demonstrate compliance with the GDPR. The EDPB also gives guidance on which aspects are to be taken into account when drafting certification criteria. These include: the lawfulness of processing pursuant to [[Article 6 GDPR]]; the principles of data processing pursuant to [[Article 5 GDPR]]; the data subjects’ rights pursuant to [[Article 12 GDPR|Articles 12-23 GDPR]]; the obligation to notify data breaches pursuant to [[Article 33 GDPR]]; the obligation of data protection by design and by default, pursuant to [[Article 25 GDPR]]; whether a data protection impact assessment, pursuant to [[Article 35 GDPR|Article 35(7)(d) GDPR]] has been conducted, if applicable; and the technical and organizational measures put in place pursuant to [[Article 32 GDPR]]. However, these aspects may be given varying weight and consideration, depending on what the scope of the certification is.<ins style="font-weight: bold; text-decoration: none;"><ref></ins>EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 
15 (available <ins style="font-weight: bold; text-decoration: none;">[https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf </ins>here<ins style="font-weight: bold; text-decoration: none;">]</ins>).<ins style="font-weight: bold; text-decoration: none;"></ref> </ins> </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== Approving a Certification Criterion ====</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== Approving a Certification Criterion ====</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>When a DPA is responsible for approving the certification criteria, it must do so prior to or during the accreditation process for a certification body. A DPA must not discriminate against any entity, and must ensure that it handles all requests for approval of certification criteria fairly. It must also make its procedure for approval publicly available. Once the certification criteria has been approved by the DPA , a certification body can only issue certification within a Member State in accordance with this criteria. Alternatively, the certification criteria can also be approved by the EDPB (in which case it will generate a European Data Protection Seal). However, the creation and approval of a European Data Protection Seal may prove complicated, and will be subject to continuous change, since an EU-wide mechanism will need to be adaptable to take into account national regulations that may be sector-specific. Once a set of criteriahas been identified as suitable for a common certification, and has also been approved by the EDPB, then certification bodies “''may be accredited to conduct certification under these criteria at Union level''”.<del style="font-weight: bold; text-decoration: none;">[</del>EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 
12 and 14 (available here).<del style="font-weight: bold; text-decoration: none;">] </del> </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>When a DPA is responsible for approving the certification criteria, it must do so prior to or during the accreditation process for a certification body. A DPA must not discriminate against any entity, and must ensure that it handles all requests for approval of certification criteria fairly. It must also make its procedure for approval publicly available. Once the certification criteria has been approved by the DPA , a certification body can only issue certification within a Member State in accordance with this criteria. Alternatively, the certification criteria can also be approved by the EDPB (in which case it will generate a European Data Protection Seal). However, the creation and approval of a European Data Protection Seal may prove complicated, and will be subject to continuous change, since an EU-wide mechanism will need to be adaptable to take into account national regulations that may be sector-specific. Once a set of criteriahas been identified as suitable for a common certification, and has also been approved by the EDPB, then certification bodies “''may be accredited to conduct certification under these criteria at Union level''”.<ins style="font-weight: bold; text-decoration: none;"><ref></ins>EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), p. 
12 and 14 (available <ins style="font-weight: bold; text-decoration: none;">[https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf </ins>here<ins style="font-weight: bold; text-decoration: none;">]</ins>).<ins style="font-weight: bold; text-decoration: none;"></ref> </ins> </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== (7-8) What Processing Operations can be Certified Under the GDPR ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== (7-8) What Processing Operations can be Certified Under the GDPR ===</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>In identifying which processing operations can be certified, the EDPB suggests that three components are considered. These include: (i) The personal data involved; (ii) The technical systems used to process the personal data, and (iii) The processes and procedures related to the processing operations. Each processing operation is to be assessed against the set of certification criteria. It is also important to note that a use case must be provided in order to assess the compliance of the processing operation with the certification criteria. Once a processing operation has been certified, a certification can be issued to a controller or processor for a maximum of three years (Article 42(7) GDPR), and can be renewed if all of the criteria of the certification mechanism have been met. Article 42(8) GDPR requires that the EDPB collate all certification mechanisms and data protection seals and marks in a register, and make them publicly available by any appropriate means. The aim of this exercise is to promote transparency of the certification mechanism.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>In identifying which processing operations can be certified, the EDPB suggests that three components are considered. These include: (i) The personal data involved; (ii) The technical systems used to process the personal data, and (iii) The processes and procedures related to the processing operations. Each processing operation is to be assessed against the set of certification criteria. 
It is also important to note that a use case must be provided in order to assess the compliance of the processing operation with the certification criteria. Once a processing operation has been certified, a certification can be issued to a controller or processor for a maximum of three years (Article 42(7) GDPR), and can be renewed if all of the criteria of the certification mechanism have been met. Article 42(8) GDPR requires that the EDPB collate all certification mechanisms and data protection seals and marks in a register, and make them publicly available by any appropriate means. The aim of this exercise is to promote transparency of the certification mechanism.</div></td></tr>
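Review bot: in the "Certification Through a Supervisory Authority" paragraph, the bracketed EDPB Guidelines 1/2018 citation (p. 10) is deleted outright, while the same kind of bracketed citation in the "Developing" and "Approving a Certification Criterion" paragraphs is converted to a ref footnote with a link to the guidelines. This leaves the sentence on separation of powers and conflicts of interest without a source. Suggest converting that citation to a ref footnote as well rather than dropping it. The rewritten "Approving" paragraph also still carries "criteriahas" and "the DPA ,", which could be fixed in the same edit.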
</table>SRhttps://gdprhub.eu/index.php?title=Article_42_GDPR&diff=25617&oldid=prevSR: /* Commentary */2022-04-28T14:22:34Z<p><span dir="auto"><span class="autocomment">Commentary</span></span></p>
<a href="https://gdprhub.eu/index.php?title=Article_42_GDPR&diff=25617&oldid=24252">Show changes</a>SRhttps://gdprhub.eu/index.php?title=Article_42_GDPR&diff=24252&oldid=prevGb: style consistency2022-03-08T10:24:50Z<p>style consistency</p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 10:24, 8 March 2022</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l185">Line 185:</td>
<td colspan="2" class="diff-lineno">Line 185:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Legal Text==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Legal Text==</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><br /><center>'''Article 42 - Certification'''</center<del style="font-weight: bold; text-decoration: none;">><br /</del>></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><br /><center>'''Article 42 - Certification'''</center></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><span id="1">1. The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.</span></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><span id="1">1. The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.</span></div></td></tr>
</table>Gbhttps://gdprhub.eu/index.php?title=Article_42_GDPR&diff=18686&oldid=prevJS at 13:26, 24 August 20212021-08-24T13:26:28Z<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 13:26, 24 August 2021</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l204">Line 204:</td>
<td colspan="2" class="diff-lineno">Line 204:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Relevant Recitals==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Relevant Recitals==</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"><span id="r100"></del></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">{{</ins>Recital/<ins style="font-weight: bold; text-decoration: none;">119 GDPR}}</ins></div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"><div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''</del>Recital <del style="font-weight: bold; text-decoration: none;">100''' <</del>/<del style="font-weight: bold; text-decoration: none;">div></del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"><div class="mw-collapsible-content"></del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms and data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services.</del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"></div></div></del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Commentary==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Commentary==</div></td></tr>
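Review bot: the template added under "Relevant Recitals" reads {{Recital/119 GDPR}}, but the collapsible block it replaces is headed "Recital 100", is anchored with id "r100", and carries the text on certification mechanisms and data protection seals and marks. Please confirm the recital number. If the intent is to transclude the same recital that was inlined before, the template should reference Recital 100, and the removed "r100" anchor should be checked for incoming links.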
</table>JShttps://gdprhub.eu/index.php?title=Article_42_GDPR&diff=18484&oldid=prevJS at 10:37, 19 August 20212021-08-19T10:37:46Z<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 10:37, 19 August 2021</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l218">Line 218:</td>
<td colspan="2" class="diff-lineno">Line 218:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Article 42(1) GDPR provides that Member States, supervisory authorities, the Board and the Commission shall encourage the “establishment of data protection certification mechanisms”. There is no definition of what a certification constitutes in the GDPR. Therefore, one can turn to the universal definition provided by the International Standards Organisation (ISO), in which certification is defined as “the provision by an independent body of written assurance (a certificate) that the product, service or system in question meets specific requirements.” The EDPB in its Guidelines adopt the definition found in ''EN-ISO/IEC 17000:2004 - Conformity assessment'', and define certification to mean “third party attestation related to processing operations by controllers and processors”. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Article 42(1) GDPR provides that Member States, supervisory authorities, the Board and the Commission shall encourage the “establishment of data protection certification mechanisms”. There is no definition of what a certification constitutes in the GDPR. 
Therefore, one can turn to the universal definition provided by the International Standards Organisation (ISO), in which certification is defined as “the provision by an independent body of written assurance (a certificate) that the product, service or system in question meets specific requirements.” The EDPB in its Guidelines adopt the definition found in ''EN-ISO/IEC 17000:2004 - Conformity assessment'', and define certification to mean “third party attestation related to processing operations by controllers and processors”. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>However, the scope of this definition and Article 42 GDPR in general has been critiqued<del style="font-weight: bold; text-decoration: none;">[[</del>Article 42 GDPR<del style="font-weight: bold; text-decoration: none;">#%20ftn1|[1]]] </del>as being limited to the entity that engages in the processing operation. While this makes sense, insofar as it is the data processing operation itself which is certified (as this is where the personal data is handled), one can also make the argument that certification mechanism should be extended to entities providing products or services, but not conducting data processing themselves<del style="font-weight: bold; text-decoration: none;">[[</del>Article 42 GDPR<del style="font-weight: bold; text-decoration: none;">#%20ftn2|[2]]]</del>. <del style="font-weight: bold; text-decoration: none;"> </del></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>However, the scope of this definition and Article 42 GDPR in general has been critiqued<ins style="font-weight: bold; text-decoration: none;"><ref>''Bergt'', in Kühling, Buchner, DS-GVO BDSG, </ins>Article 42 GDPR<ins style="font-weight: bold; text-decoration: none;">, margin number 3 (C.H. Beck 2020).</ref> </ins>as being limited to the entity that engages in the processing operation. 
While this makes sense, insofar as it is the data processing operation itself which is certified (as this is where the personal data is handled), one can also make the argument that certification mechanism should be extended to entities providing products or services, but not conducting data processing themselves<ins style="font-weight: bold; text-decoration: none;">.<ref>''Bergt'', in Kühling, Buchner, DS-GVO BDSG, </ins>Article 42 GDPR<ins style="font-weight: bold; text-decoration: none;">, margin number 3 ff. (C.H. Beck 2020)</ins>.<ins style="font-weight: bold; text-decoration: none;"></ref></ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>There is also no definition of “data protection seals and marks” to be found in the GDPR. Here general definitions are to be relied upon as well. What is important to note, however, is that a certificate, seal or mark under the GDPR is only issuable following an independent assessment by a supervisory authority or accredited certification body. This is clear from Article 42(5) GDPR, which details that the criteria through which to assess the controller or processor should be approved pursuant to [[Article 58 GDPR|Article 58(3) GDPR]], or by the Board pursuant to [[Article 63 GDPR]]. Where such an approval of criteria takes place through the Board, this may give rise to a common certification known as the “European Data Protection Seal”.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>There is also no definition of “data protection seals and marks” to be found in the GDPR. Here general definitions are to be relied upon as well. What is important to note, however, is that a certificate, seal or mark under the GDPR is only issuable following an independent assessment by a supervisory authority or accredited certification body. This is clear from Article 42(5) GDPR, which details that the criteria through which to assess the controller or processor should be approved pursuant to [[Article 58 GDPR|Article 58(3) GDPR]], or by the Board pursuant to [[Article 63 GDPR]]. 
Where such an approval of criteria takes place through the Board, this may give rise to a common certification known as the “European Data Protection Seal”.</div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l240">Line 240:</td>
<td colspan="2" class="diff-lineno">Line 240:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>A certification body must issue, review, renew and withdraw certifications (Article 42(5) GDPR and 42(7) GDPR, on the basis of the certification criteria approved by the supervisory authority or the EDPB. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>A certification body must issue, review, renew and withdraw certifications (Article 42(5) GDPR and 42(7) GDPR, on the basis of the certification criteria approved by the supervisory authority or the EDPB. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>According to Article 42(7) GDPR, certification can be issued for a maximum period of three years. However, a certification body can also withdraw the certification, if the criteria for the certification are no longer being met. he certification body must provide supervisory authorities with information regarding individual certifications, as this is necessary to monitor how the certification mechanism has been applied (Article 42(7) GDPR, [[Article 43 GDPR|Article 43(5) GDPR]], and [[Article 58 GDPR|Article 58(2)(h) GDPR]])<del style="font-weight: bold; text-decoration: none;">[[Article </del>42 <del style="font-weight: bold; text-decoration: none;">GDPR#%20ftn3|</del>[<del style="font-weight: bold; text-decoration: none;">3]]</del>]. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>According to Article 42(7) GDPR, certification can be issued for a maximum period of three years. However, a certification body can also withdraw the certification, if the criteria for the certification are no longer being met. 
he certification body must provide supervisory authorities with information regarding individual certifications, as this is necessary to monitor how the certification mechanism has been applied (Article 42(7) GDPR, [[Article 43 GDPR|Article 43(5) GDPR]], and [[Article 58 GDPR|Article 58(2)(h) GDPR]])<ins style="font-weight: bold; text-decoration: none;">.<ref>EDPB, Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles </ins>42 <ins style="font-weight: bold; text-decoration: none;">and 43 of the Regulation, 4 June 2019, p. 11 (available </ins>[<ins style="font-weight: bold; text-decoration: none;">https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf here</ins>]<ins style="font-weight: bold; text-decoration: none;">)</ins>.<ins style="font-weight: bold; text-decoration: none;"></ref></ins> </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== Certification Through a Supervisory Authority ====</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== Certification Through a Supervisory Authority ====</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Where a supervisory authority is to conduct certification pursuant to Article 42(5) GDPR, the EDPB reminds that the supervisory authority will have to carefully assess its role regarding its assigned tasks under the GDPR<del style="font-weight: bold; text-decoration: none;">[[Article </del>42 <del style="font-weight: bold; text-decoration: none;">GDPR#%20ftn4|</del>[<del style="font-weight: bold; text-decoration: none;">4]]</del>]. In particular, the separation of powers should be taken into account, to ensure that any conflicts of interest are avoided. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Where a supervisory authority is to conduct certification pursuant to Article 42(5) GDPR, the EDPB reminds that the supervisory authority will have to carefully assess its role regarding its assigned tasks under the GDPR<ins style="font-weight: bold; text-decoration: none;">.<ref>EDPB, Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles </ins>42 <ins style="font-weight: bold; text-decoration: none;">and 43 of the Regulation, 4 June 2019, p. 
10 (available </ins>[<ins style="font-weight: bold; text-decoration: none;">https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf here</ins>]<ins style="font-weight: bold; text-decoration: none;">)</ins>.<ins style="font-weight: bold; text-decoration: none;"></ref> </ins>In particular, the separation of powers should be taken into account, to ensure that any conflicts of interest are avoided. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The supervisory authority must both ensure that a certification mechanism has been properly set up, and that it has either developed its own or adopted a certification criterion. Furthermore, issued certifications by the supervisory authority are to be periodically reviewed (as required by [[Article 57 GDPR|Article 57(1)(o) GDPR]]). The supervisory authority can also withdraw a certification if its requirements are no longer being met (as provided for in [[Article 58 GDPR|Article 58(2)(h) GDPR]]). </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The supervisory authority must both ensure that a certification mechanism has been properly set up, and that it has either developed its own or adopted a certification criterion. Furthermore, issued certifications by the supervisory authority are to be periodically reviewed (as required by [[Article 57 GDPR|Article 57(1)(o) GDPR]]). The supervisory authority can also withdraw a certification if its requirements are no longer being met (as provided for in [[Article 58 GDPR|Article 58(2)(h) GDPR]]). </div></td></tr>
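Review bot: The paragraph on the added side still opens its third sentence with "he certification body must provide supervisory authorities with information"; the leading "T" is missing on both the old and new side, so fix it to "The certification body" while this paragraph is being touched. In the unchanged line just above, "(Article 42(5) GDPR and 42(7) GDPR," never closes its parenthesis, which is worth correcting in the same pass.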
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l250">Line 250:</td>
<td colspan="2" class="diff-lineno">Line 250:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>In order for processing operations to become certified, they need to be assessed with reference to certification criteria (Article 42(5) GDPR). </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>In order for processing operations to become certified, they need to be assessed with reference to certification criteria (Article 42(5) GDPR). </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>These criteria must be approved either by the competent supervisory authority, or the EDPB. The development of this certification criterion should focus on “verifiability, significance, and suitability” in order to demonstrate compliance with the GDPR<del style="font-weight: bold; text-decoration: none;">[[Article </del>42 <del style="font-weight: bold; text-decoration: none;">GDPR#%20ftn5|</del>[<del style="font-weight: bold; text-decoration: none;">5]]</del>]. The EDPB also gives guidance on which aspects are to be taken into account when drafting a certification criterion. These include:</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>These criteria must be approved either by the competent supervisory authority, or the EDPB. The development of this certification criterion should focus on “verifiability, significance, and suitability” in order to demonstrate compliance with the GDPR<ins style="font-weight: bold; text-decoration: none;">.<ref>EDPB, Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles </ins>42 <ins style="font-weight: bold; text-decoration: none;">and 43 of the Regulation, 4 June 2019, p. 
15 (available </ins>[<ins style="font-weight: bold; text-decoration: none;">https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf here</ins>]<ins style="font-weight: bold; text-decoration: none;">)</ins>.<ins style="font-weight: bold; text-decoration: none;"></ref> </ins>The EDPB also gives guidance on which aspects are to be taken into account when drafting a certification criterion. These include:</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>· the lawfulness of processing pursuant to [[Article 6 GDPR]];</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>· the lawfulness of processing pursuant to [[Article 6 GDPR]];</div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l264">Line 264:</td>
<td colspan="2" class="diff-lineno">Line 264:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>· whether a data protection impact assessment, pursuant to [[Article 35 GDPR|Article 35(7)(d) GDPR]] has been conducted, if applicable; and</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>· whether a data protection impact assessment, pursuant to [[Article 35 GDPR|Article 35(7)(d) GDPR]] has been conducted, if applicable; and</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>· the technical and organizational measures put in place pursuant to [[Article 32 GDPR]][[Article 42 GDPR#%20ftn6|[6]]].</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>· the technical and organizational measures put in place pursuant to [[Article 32 GDPR]]<ins style="font-weight: bold; text-decoration: none;"><ref>Criteria drawn from EDPB, Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation, 4 June 2019, p. 15 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf here]).</ref></ins>[[Article 42 GDPR#%20ftn6|[6]]].</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>However, these aspects may be given varying weight and consideration, depending on what the scope of the certification is. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>However, these aspects may be given varying weight and consideration, depending on what the scope of the certification is. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Approving a Certification Criterion ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Approving a Certification Criterion ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>When a supervisory authority is responsible for approving the certification criterion, it must do so prior to or during the accreditation process for a certification body<del style="font-weight: bold; text-decoration: none;">[[Article </del>42 <del style="font-weight: bold; text-decoration: none;">GDPR#%20ftn7|</del>[<del style="font-weight: bold; text-decoration: none;">7]]</del>]. A supervisory authority must not discriminate towards an entity, and must ensure that it handles all requests for approval of certification criteria fairly. It must also make publicly available its procedure for approval. Once the certification criterion has been approved by the supervisory authority, a certification body can only issue certification in a Member State in accordance with that criteria. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>When a supervisory authority is responsible for approving the certification criterion, it must do so prior to or during the accreditation process for a certification body<ins style="font-weight: bold; text-decoration: none;">.<ref>EDPB, Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles </ins>42 <ins style="font-weight: bold; text-decoration: none;">and 43 of the Regulation, 4 June 2019, p. 
12 (available </ins>[<ins style="font-weight: bold; text-decoration: none;">https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf here</ins>]<ins style="font-weight: bold; text-decoration: none;">)</ins>.<ins style="font-weight: bold; text-decoration: none;"></ref> </ins>A supervisory authority must not discriminate towards an entity, and must ensure that it handles all requests for approval of certification criteria fairly. It must also make publicly available its procedure for approval. Once the certification criterion has been approved by the supervisory authority, a certification body can only issue certification in a Member State in accordance with that criteria. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Alternatively, the certification criterion can also be approved by the EDPB (in which case it will form a European Data Protection Seal). However, such creation and approval of a European Data Protection Seal may prove complicated and will be subject to continuous change, as an EU-wide mechanism will need to be adaptable to take into account national regulations that may be sector-specific. Once a criterion has been identified as suitable for a common certification, and has also been approved by the Board, then certification bodies “may be accredited to conduct certification under these criteria at Union level”<del style="font-weight: bold; text-decoration: none;">[[Article </del>42 <del style="font-weight: bold; text-decoration: none;">GDPR#%20ftn8|</del>[<del style="font-weight: bold; text-decoration: none;">8]]</del>]. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Alternatively, the certification criterion can also be approved by the EDPB (in which case it will form a European Data Protection Seal). However, such creation and approval of a European Data Protection Seal may prove complicated and will be subject to continuous change, as an EU-wide mechanism will need to be adaptable to take into account national regulations that may be sector-specific. 
Once a criterion has been identified as suitable for a common certification, and has also been approved by the Board, then certification bodies “may be accredited to conduct certification under these criteria at Union level”<ins style="font-weight: bold; text-decoration: none;">.<ref>EDPB, Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles </ins>42 <ins style="font-weight: bold; text-decoration: none;">and 43 of the Regulation, 4 June 2019, p. 14 (available </ins>[<ins style="font-weight: bold; text-decoration: none;">https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf here</ins>]<ins style="font-weight: bold; text-decoration: none;">)</ins>.<ins style="font-weight: bold; text-decoration: none;"></ref> </ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== What Processing Operations can be Certified Under the GDPR ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== What Processing Operations can be Certified Under the GDPR ===</div></td></tr>
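Review bot: The Article 32 bullet keeps the old manual footnote link after the new reference: the added side reads "[[Article 32 GDPR]]" followed by the new ref and then "[[Article 42 GDPR#%20ftn6|[6]]].", whereas the equivalent [7] and [8] links in the two paragraphs below were removed. Since the manual footnote list those links target is deleted further down in this diff, the leftover [6] link will point at nothing; drop it so the bullet ends with the new reference and a full stop, as the other converted footnotes do.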
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l292">Line 292:</td>
<td colspan="2" class="diff-lineno">Line 292:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Conclusion ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Conclusion ===</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Certification is an accountability framework through which controllers and processors can demonstrate their compliance with the GDPR. Although certification mechanisms are a step towards compliance, heavy emphasis is placed on the notion that in itself, certification cannot substitute for compliance with existing legal obligations. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Certification is an accountability framework through which controllers and processors can demonstrate their compliance with the GDPR. Although certification mechanisms are a step towards compliance, heavy emphasis is placed on the notion that in itself, certification cannot substitute for compliance with existing legal obligations. </div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">----[[Article 42 GDPR#%20ftnref1|[1]]] Kühling & Buchner, ''Datenschutz Grundverordnung / BDSG'', 2018, pg. 796.</del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">[[Article 42 GDPR#%20ftnref2|[2]]] Kühling & Buchner, pg. 796.</del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">[[Article 42 GDPR#%20ftnref3|[3]]] European Data Protection Board (EDPB), ''Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation, 4 June 2019'', pg. 11. </del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">[[Article 42 GDPR#%20ftnref4|[4]]] EDPB Guidelines 1/2018, pg. 10. </del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">[[Article 42 GDPR#%20ftnref5|[5]]] EDPB Guidelines 1/2018, pg. 15. </del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">[[Article 42 GDPR#%20ftnref6|[6]]] Criteria drawn from EDPB Guidelines 1/2018, pg. 15.</del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">[[Article 42 GDPR#%20ftnref7|[7]]] EDPB Guidelines 1/2018, pg. 12. </del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">[[Article 42 GDPR#%20ftnref8|[8]]] EDPB Guidelines 1/2018, pg. 14. </del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Decisions==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Decisions==</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>→ You can find all related decisions in [[:Category:Article 42 GDPR]]</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>→ You can find all related decisions in [[:Category:Article 42 GDPR]]</div></td></tr>
</table>JS
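Review bot: the deleted rows directly above ==Decisions== drop the hand-numbered footnotes [4] to [8] (EDPB Guidelines 1/2018, pg. 10, 15, 15, 12 and 14) with nothing on the added side in this part of the diff, so it should be confirmed that these page-level citations survive elsewhere in the revision, for example as inline references at the sentences they support. The `#%20ftnref` link targets in the removed lines look like pasted word-processor anchors, so dropping that form is reasonable, but the sources themselves are worth keeping.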