Guidelines 01/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR

Section 1.2  The purpose of certification under the GDPR

11. Article 42(1) provides that certification mechanisms shall be established “for the purpose of demonstrating compliance withthis Regulation of processing operations by controllers and processors”.

12. The GDPR exemplifies the context in which approved certification mechanisms may be used as an element to demonstrate compliance with obligations of the controllers and processors concerning:

• the implementation and demonstration of appropriate technical and organisational measures as referred in Articles 24 (1),(3), 25, and 32 (1), (3);

• sufficient guarantees (processor to controller) as referred to in paragraphs 1 and (sub-processor to processor) 4 of Article 28 (5).

13. Since certification does not prove compliance in and of itself but rather forms an element that can be used to demonstrate compliance, it should be produced in a transparent manner. Demonstration of compliance requires supporting documentation, specifically written reports which not only repeat but describe how the criteria are met and if not initially met, describe the corrections and corrective actions and their appropriateness, thus providing the reasonsfor granting and maintaining the certification. This includes the outline of the individual decision for granting, renewing, or withdrawing of a certificate. It should provide the reasons, arguments, and proofs resulting from the application of criteria and the conclusions, judgments, or inferences from facts or premises collected during certification.