Article 43 GDPR
|← Article 43 - Certification bodies →|
Legal Text[edit | edit source]
1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, certification bodies which have an appropriate level of expertise in relation to data protection shall, after informing the supervisory authority in order to allow it to exercise its powers pursuant to point (h) of Article 58(2) where necessary, issue and renew certification. Member States shall ensure that those certification bodies are accredited by one or both of the following:
- (a) the supervisory authority which is competent pursuant to Article 55 or 56;
- (b) the national accreditation body named in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council (20) in accordance with EN-ISO/IEC 17065/2012 and with the additional requirements established by the supervisory authority which is competent pursuant to Article 55 or 56.
2. Certification bodies referred to in paragraph 1 shall be accredited in accordance with that paragraph only where they have:
- (a) demonstrated their independence and expertise in relation to the subject-matter of the certification to the satisfaction of the competent supervisory authority;
- (b) undertaken to respect the criteria referred to in Article 42(5) and approved by the supervisory authority which is competent pursuant to Article 55 or 56 or by the Board pursuant to Article 63;
- (c) established procedures for the issuing, periodic review and withdrawal of data protection certification, seals and marks;
- (d) established procedures and structures to handle complaints about infringements of the certification or the manner in which the certification has been, or is being, implemented by the controller or processor, and to make those procedures and structures transparent to data subjects and the public; and
- (e) demonstrated, to the satisfaction of the competent supervisory authority, that their tasks and duties do not result in a conflict of interests.
3. The accreditation of certification bodies as referred to in paragraphs 1 and 2 of this Article shall take place on the basis of criteria approved by the supervisory authority which is competent pursuant to Article 55 or 56 or by the Board pursuant to Article 63. In the case of accreditation pursuant to point (b) of paragraph 1 of this Article, those requirements shall complement those envisaged in Regulation (EC) No 765/2008 and the technical rules that describe the methods and procedures of the certification bodies.
4. The certification bodies referred to in paragraph 1 shall be responsible for the proper assessment leading to the certification or the withdrawal of such certification without prejudice to the responsibility of the controller or processor for compliance with this Regulation. The accreditation shall be issued for a maximum period of five years and may be renewed on the same conditions provided that the certification body meets the requirements set out in this Article.
5. The certification bodies referred to in paragraph 1 shall provide the competent supervisory authorities with the reasons for granting or withdrawing the requested certification.
6. The requirements referred to in paragraph 3 of this Article and the criteria referred to in Article 42(5) shall be made public by the supervisory authority in an easily accessible form. The supervisory authorities shall also transmit those requirements and criteria to the Board. The Board shall collate all certification mechanisms and data protection seals in a register and shall make them publicly available by any appropriate means.
7. Without prejudice to CHAPTER VIII, the competent supervisory authority or the national accreditation body shall revoke an accreditation of a certification body pursuant to paragraph 1 of this Article where the conditions for the accreditation are not, or are no longer, met or where actions taken by a certification body infringe this Regulation.
8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of specifying the requirements to be taken into account for the data protection certification mechanisms referred to in Article 42(1).
9. The Commission may adopt implementing acts laying down technical standards for certification mechanisms and data protection seals and marks, and mechanisms to promote and recognise those certification mechanisms, seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).
Relevant Recitals[edit | edit source]
You can help us fill this section!
Commentary[edit | edit source]
Article 43 GDPR explains the procedure involved in establishing certification bodies, in order to assist with the certification mechanisms laid out in Article 42 GDPR. As established in the aforementioned article, certification is a means through which controllers and processors can demonstrate compliance with their legal obligations under the GDPR. However, certification itself does not prove compliance, but rather only constitutes an element of it. To this end, certification bodies can assist controllers and processors with demonstrating their compliance by certifying their processing operations.
(1-5) The certification body[edit | edit source]
Article 43(1) GDPR states that certification bodies with an ‘appropriate level of expertise’ are to be tasked with issuing and renewing certification for processing operations, as detailed in Article 42 GDPR. Although the GDPR has not defined what would constitute this level of expertise, it seems that this may be left to the Data Protection Authority (DPA) or national accreditation body to determine. This is derived from the fact that a certification body must be accredited by either of the two aforementioned entities in order to begin certifying processing operations.
In order for a certification body to become accredited, it must demonstrate that it has the necessary elements required for accreditation, listed in Articles 43(2)(a) to (e) GDPR. The body must be able to demonstrate independence and expertise “to the satisfaction of the supervisory authority”. It must also respect the certification criteria referred to in Article 42(5) GDPR. Furthermore, it must establish procedures for both issuing, reviewing, and withdrawing certifications, and for handling complaints regarding certification infringements. Finally, the certification body must also demonstrate that its tasks and duties do not result in conflicts of interests.
Once a certification body has demonstrated these elements, it may apply to become accredited. Article 43(3) GDPR provides that the accreditation of certification bodies shall take place on the basis of the requirements (criteria) approved by the DPA or by the European Data Protection Board (EDPB). Article 43(4) states that, if an accreditation is issued, it is limited to five years in duration, and may be renewed on the same conditions provided that the certification body continues to meet the requirements for accreditation.
Once accredited, the certification body can begin to carry out its functions of issuing and renewing certifications for controllers and processors. However, as per Article 43(5), for every acceptance or withdrawal of certification that the certification body oversees, it must inform the competent DPA of its reasons for doing so. If the certification body is no longer meeting the conditions for accreditation, both the competent DPA and the national accreditation body have the right to revoke its accreditation.
(6-7) Criteria for certification to be made public[edit | edit source]
In order to promote transparency, the criteria for certification should be made public by the supervisory authority in an easily accessible form. Here, the EDPB has also stated that certification bodies using certification mechanisms, seals or marks directed towards data subjects as consumers or customers, should also provide easily accessible and intelligible information about the processing operations it has certified. The information to be made transparent should include: a description of the target of evaluation (the processing operation), reference to the approved criteria which have been applied in the particular instance, which methodology has been used for evaluating the criteria, the duration of the validity of the certificate issued.
(8-9) The role of the European Commission[edit | edit source]
Articles 43(8) GDPR and Article 43(9) GDPR equip the European Commission (Commission) with the power to adopt acts in relation to certification mechanisms. While Article 43(8) GDPR deals with delegated acts for the purpose of specifying requirements to be taken into account for certification mechanisms, Article 43(9) GDPR deals with implementing acts which lay down technical standards for certification mechanisms.
Delegated acts[edit | edit source]
The delegated acts of Article 43(8) GDPR aim to specify the requirements taken into account for certification mechanisms. The Commission has interpreted this provision as presenting the opportunity to further flesh out the GDPR with regard to data protection certification mechanisms. However, the Commission reminds that Article 290 of the Treaty on the Functioning of the European Union (TFEU) states that the content of these delegated acts should (1) complement the GDPR and be in compliance with it, and (2) only refer to non-essential elements of the legislation, which the law has not specified.
Implementing acts[edit | edit source]
Alongside the power to adopt delegated acts, the Commission also has the power to adopt implementing acts. As mentioned in Recital 167 GDPR and Article 291 TFEU, the aim of implementing acts is to “ensure uniform conditions for implementing” the GDPR. In its GDPR Certification Study, the Commission has stated that the purpose of referring to technical standards in Article 43(9) for certification mechanisms is precisely to ensure uniformity of implementation. Furthermore, Article 43(9) GDPR also allows the Commission to adopt mechanisms to promote and recognize data protection certification mechanisms, seals, and marks. This is to be read in light of Article 42(1) GDPR, which obliges the Commission to encourage the establishment of such mechanisms, seals, and marks.
Decisions[edit | edit source]
→ You can find all related decisions in Category:Article 43 GDPR
References[edit | edit source]
- EDPB, ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’, 4 June 2019 (Version 3.0), pp. 19-20 (available here).
- European Commission, ‘Data Protection Certification Mechanisms Study on Articles 42 and 43 of the Regulation (EU) 2016/679’, February 2019, pp. 26-27 (available here).
- European Commission, ‘Data Protection Certification Mechanisms Study on Articles 42 and 43 of the Regulation (EU) 2016/679’, February 2019, p. 28 (available here).