Guidelines 01/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR

Section 1  INTRODUCTION

1. The General Data Protection Regulation (Regulation 2016/279, ‘the GDPR’, or ‘the Regulation’), provides a modernised, accountability and fundamental rights compliance framework for data protection in Europe. A range of measures that facilitate compliance with the provisions of the GDPR are central to this new framework. These include mandatory requirements in specific circumstances (including the appointment of Data Protection Officers and carrying out data protection impact assessments) and voluntary measures such as codes of conduct and certification mechanisms.

2. Before the adoption of the GDPR, the Article 29 Working Party established that certification could play an important role in the accountability framework for data protection. In order for certification to provide reliable evidence of data protection compliance, clear rules setting forth requirements for the provision of certification should be in place. Article 42 of the GDPR provides the legal basis for the development of such rules.

3. Article 42(1) of the GDPR provides that:

• “The Member States, the supervisory authorities, the [European Data Protection] Board and the European Commission shall encourage, in particular at the Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account”. 

4. Certification mechanisms can improve transparency for data subjects, but also in business-to-business relations, for example between controllers and processors. Recital 100 of the GDPR states that the establishment of certification mechanisms can enhance transparency and compliance with the Regulation and allow data subjects to assess the level of data protection of relevant products and services.

5. The GDPR does not introduce a right to or an obligation of certification for controllers and processors; as per Article 42(3), certification is a voluntary process to assist in demonstrating compliance with the GDPR. Member States and supervisory authorities are called to encourage the establishment of certification mechanisms and will determine the stakeholder engagement in the certification process and lifecycle.

6. Furthermore, the adherence to approved certification mechanisms is a factor supervisory authorities must consider as an aggravating or mitigating factor when deciding to impose an administrative fine and when deciding on the amount of the fine (Article 83.2(j)).