Article 43. GDPR. Certification bodies

Author: Irene Kamara

  1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, certification bodies which have an appropriate level of expertise in relation to data protection shall, after informing the supervisory authority in order to allow it to exercise its powers pursuant to point (h) of Article 58(2) where necessary, issue and renew certification. Member States shall ensure that those certification bodies are accredited by one or both of the following:

(a) the supervisory authority which is competent pursuant to Article 55 or 56;

(b) the national accreditation body named in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council in accordance with EN-ISO/IEC 17065/2012 and with the additional requirements established by the supervisory authority which is competent pursuant to Article 55 or 56.

  2. Certification bodies referred to in paragraph 1 shall be accredited in accordance with that paragraph only where they have:

(a) demonstrated their independence and expertise in relation to the subject matter of the certification to the satisfaction of the competent supervisory authority;

(b) undertaken to respect the criteria referred to in Article 42(5) and approved by the supervisory authority which is competent pursuant to Article 55 or 56 or by the Board pursuant to Article 63;

(c) established procedures for the issuing, periodic review and withdrawal of data protection certification, seals and marks;

(d) established procedures and structures to handle complaints about infringements of the certification or the manner in which the certification has been, or is being, implemented by the controller or processor, and to make those procedures and structures transparent to data subjects and the public; and

(e) demonstrated, to the satisfaction of the competent supervisory authority, that their tasks and duties do not result in a conflict of interests.

  3. The accreditation of certification bodies as referred to in paragraphs 1 and 2 of this Article shall take place on the basis of requirements approved by the supervisory authority which is competent pursuant to Article 55 or 56 or by the Board pursuant to Article 63. In the case of accreditation pursuant to point (b) of paragraph 1 of this Article, those requirements shall complement those envisaged in Regulation (EC) No 765/2008 and the technical rules that describe the methods and procedures of the certification bodies.
  4. The certification bodies referred to in paragraph 1 shall be responsible for the proper assessment leading to the certification or the withdrawal of such certification without prejudice to the responsibility of the controller or processor for compliance with this Regulation. The accreditation shall be issued for a maximum period of five years and may be renewed on the same conditions provided that the certification body meets the requirements set out in this Article.
  5. The certification bodies referred to in paragraph 1 shall provide the competent supervisory authorities with the reasons for granting or withdrawing the requested certification.
  6. The requirements referred to in paragraph 3 of this Article and the criteria referred to in Article 42(5) shall be made public by the supervisory authority in an easily accessible form. The supervisory authorities shall also transmit those requirements and criteria to the Board.
  7. Without prejudice to Chapter VIII, the competent supervisory authority or the national accreditation body shall revoke an accreditation of a certification body pursuant to paragraph 1 of this Article where the conditions for the accreditation are not, or are no longer, met or where actions taken by a certification body infringe this Regulation.
  8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of specifying the requirements to be taken into account for the data protection certification mechanisms referred to in Article 42(1).
  9. The Commission may adopt implementing acts laying down technical standards for certification mechanisms and data protection seals and marks, and mechanisms to promote and recognise those certification mechanisms, seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).


I. Rationale

Art. 43 is part of Chapter IV on Controller and Processor obligations and responsibilities. The GDPR provides that certification bodies and supervisory authorities may issue and renew certification. While there are no specific conditions for supervisory authorities acting as certifying entities, Art. 43 sets out the obligations, principles, and required competences of the certification bodies. The rationale of Art. 43 is to safeguard the reliability of certification by providing rules on the certification bodies that grant certifications. Art. 43 describes in detail how the appropriate level of expertise of the certification bodies is ensured via accreditation, which entities conduct accreditation, and other issues pertaining to the operation of the certification bodies and the certification process. The Article also empowers the European Commission to adopt delegated and implementing acts on issues related to certification. Art. 43 should be read together with Art. 42.

II. Legislative history

There is no relevant provision in the Directive. The Council General Approach first introduced a new Art. 39a, which corresponds to Art. 43. The approach proposed by the Council is very close to the final adopted text of Arts. 42 and 43. The newly introduced Art. 39a was dedicated to certification bodies and procedures. Art. 39a included provisions on how and by whom the certification bodies would themselves be ‘certified’ for their expertise, independence and competence to carry out a certification process (accreditation). The national accreditation body would be competent to revoke accreditation granted to a certification body.

The Council General Approach maintained the provisions on the Commission powers to adopt delegated acts for the purpose of specifying criteria and requirements, conditioned on an opinion provided by the EDPB. The provision (Art. 39 para. 2) of the Commission Proposal on the power of the Commission to lay down technical standards for certification mechanisms, seals, and marks was also maintained under Art. 39a para. 8 of the Council General Approach.

III. Terminology

The GDPR does not provide definitions of the terms used in Art. 43. Definitions of certain terms are, however, to be found in other Union laws. Accreditation is defined in Art. 2 para. 10 of Regulation 765/2008 as “an attestation by a national accreditation body that a conformity assessment body meets the requirements set by harmonised standards and, where applicable, any additional requirements including those set out in relevant sectoral schemes, to carry out a specific conformity assessment activity”. Regulation 1025/2012, which is the horizontal general regulation on standardisation in the Union, defines a standard as a “technical specification, adopted by a recognised standardisation body, for repeated or continuous application, with which compliance is not compulsory”.

IV. Accreditation entity (para. 1)

Certifications, seals and marks can be issued only by certification bodies that are accredited. The accreditation procedure itself is not defined in the GDPR. However, Art. 43 para. 1 provides different accreditation options regarding the entity that conducts the process and grants accreditation. The choice of accreditation model is left to the Member States, according to Art. 43 para. 1.

[…]
