Guidelines 04/2019 – Article 25 GDPR Data Protection by Design and by Default
SECTION 4 CERTIFICATION
81. According to Article 25(3), certification of data protection by design pursuant to Article 42 may be used as an element to demonstrate compliance with DPbDD. This means that where a controller has been awarded a certification, supervisory authorities will take this into account in their global assessment of compliance with the GDPR, specifically with regards to DPbDD. However, supervisory authorities must still carry out independent assessments of DPbDD compliance based on the criteria set out in Chapter 2 of these Guidelines.
82. When a processing operation is certified according to Article 42, the elements that contribute to demonstrating compliance with Article 25(1) and (2) are the design processes, i.e. the process of determining the means of processing, the governance and organisational compliance approach to the processing operation, and the selection of effective measures and safeguards in the context of the processing operation. The data protection certification criteria are determined by the certification bodies or certification scheme owners and then approved by the competent supervisory authority or, in the case of a European Data Protection Seal, by the EDPB. For further information about certification mechanisms, we refer the reader to the EDPB Guidelines on Certification.