Author: Irene Kamara
- The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.
- In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 5 of this Article may be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation pursuant to Article 3 within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (f) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects.
- The certification shall be voluntary and available via a process that is transparent.
- A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the supervisory authorities which are competent pursuant to Article 55 or 56.
- A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 43 or by the competent supervisory authority, on the basis of criteria approved by that competent supervisory authority pursuant to Article 58(3) or by the Board pursuant to Article 63. Where the criteria are approved by the Board, this may result in a common certification, the European Data Protection Seal.
- The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 43, or where applicable, the competent supervisory authority, with all information and access to its processing activities which are necessary to conduct the certification procedure.
- Certification shall be issued to a controller or processor for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant criteria continue to be met. Certification shall be withdrawn, as applicable, by the certification bodies referred to in Article 43 or by the competent supervisory authority where the criteria for the certification are not or are no longer met.
- The Board shall collate all certification mechanisms and data protection seals and marks in a register and shall make them publicly available by any appropriate means.
I. Rationale
Art. 42, together with Art. 43, sets out provisions on certification and certification bodies. Art. 42 is part of Chapter IV on controller and processor obligations and responsibilities. The Article regulates the development of data protection certification mechanisms, seals, and marks. Similar to the Data Protection Impact Assessments (Art. 35) and Codes of Conduct (Art. 40), certification is seen as an accountability instrument, inserted in the GDPR to assist controllers in complying with, and demonstrating their compliance with, the obligations stemming from the Regulation, in line with the accountability principle of Art. 5(2) GDPR.[1] According to the EDPB, certification may provide reliable evidence of data protection compliance.[2] In addition, certifications may offer controllers or processors a competitive advantage in the area of data protection. Arts. 42 and 43 introduce a certification framework that takes into account existing certification practice and legislation, but also accounts for the fundamental rights nature of the right to the protection of personal data by introducing several safeguards against abuse of the certification provisions, including regulatory approval and oversight.[3]
II. Legislative history
The DPD did not include provisions on certification.[4] The Commission proposal[5] introduced provisions on certification in Art. 39. Art. 39 provided that Member States and the Commission should encourage the establishment of data protection certification mechanisms, and of data protection seals and marks. The envisaged aim of certification was to enable data subjects to “quickly assess the level of data protection offered by controllers and processors”. Certifications, like the Codes of Conduct in the Data Protection Directive, would also address the specificities of data processing operations in different sectors. The Commission proposal did not specify actors, processes, criteria, or safeguards for certification. Instead, it empowered the Commission to adopt delegated acts with the aim of specifying criteria and requirements for data protection certification mechanisms, seals, and marks, along with conditions for the granting, withdrawal, and recognition of certifications in the Member States and outside the EU. The European Commission would further have had the power to adopt implementing acts in line with Regulation 182/2011 to lay down technical standards and mechanisms to promote certifications.[6]
The European Parliament[7] had a different vision of certification in the area of data protection from that of the Commission. In its first reading, the Parliament included detailed provisions on the role of supervisory authorities, the procedure, and the legal significance of certification to be established on the basis of the GDPR. According to Art. 39 of the Parliament first reading, the supervisory authorities of the Member States would grant controllers and processors certification attesting that they were processing personal data in compliance with the Regulation. Applicant controllers and processors would be granted a standardised data protection mark called the “European Data Protection Seal” if compliant with the GDPR. The auditing of controllers and processors could have been outsourced to specialised third-party auditors acting on behalf of the supervisory authorities, on the condition that those auditors were accredited by the supervisory authorities and fulfilled several requirements, such as employing qualified personnel and being impartial and free from conflicts of interest. Certification itself would be granted by the supervisory authorities. The Parliament first reading maintained, with amendments, the provision proposed by the European Commission on delegated acts to specify criteria and requirements for data protection certification mechanisms.
The Council General Approach[8] proposed the introduction of two articles on certification, namely Art. 39 and Art. 39a. The Council General Approach inserted a phrase in Art. 39 regarding the purpose of certification, which would be to demonstrate compliance with the Regulation of processing operations carried out by controllers and processors. An obligation to take into account the needs of small and medium-sized enterprises was introduced, albeit without further specification.
III. Terminology
The GDPR uses various terms in Art. 42 (and Art. 43) which are specific to certification. Certification-related terms, however, are not defined in the text of the GDPR. While some terms are defined in other Union legislation,[9] others, such as ‘data protection certification mechanisms’, ‘seals’ or ‘data protection seals’, and ‘marks’ in the context of Arts. 42 and 43 GDPR, are defined neither in the GDPR nor in other Union legislation. The lack of definitions of the main terms of Arts. 42 and 43 GDPR, combined with the lack of horizontal Union legislation in the field of certification, raises questions of legal certainty.
[…]
[1] Art. 29 WP 173, p. 17 et seq.; EDPB 2019, p. 5.
[2] EDPB 2019, p. 5.
[3] Kamara/de Hert, p. 14.
[4] Some national laws regulating certification in specific areas of data protection existed. See Hornung (2020), p. 110.
[5] European Commission GDPR proposal (2012), COM (2012) 11 final.
[6] Regulation (EU) 182/2011.
[7] European Parliament, Legislative Resolution of 12 March 2014 on the Proposal for a General Data Protection Regulation, 2012/0011(COD).
[8] Council of the European Union (2015), 2012/0011 (COD); 9565/15.
[9] See → Art. 43, Section III.