Guidelines 01/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR

SECTION 2  THE ROLE OF THE SUPERVISORY AUTHORITIES

20. Article 42(5) provides that certification shall be issued by an accredited certification body or by a competent supervisory authority. The GDPR does not make the issuance of certifications a mandatory task of the supervisory authorities. Instead, the GDPR allows for a number of different models. For example, a supervisory authority may decide for one or more of the following options:

• issue certification itself, in respect of its own certification scheme;

• issue certification itself, in respect of its own certification scheme, but delegate whole or part of the assessment process to third parties;

• create its own certification scheme, and entrust certification bodies with the certification procedure which issue the certification; and

• encourage the market to develop certification mechanisms.

21. A supervisory authority will also have to consider its role in the light of the decisions made at the national level concerning accreditation mechanisms – in particular if the supervisory authority itself is empowered to accredit certification bodies under Article 43(1) GDPR. Thus each supervisory authority will determine which approach to take in order to pursue the broad intent of certification under the GDPR. This will be determined in the context of not only the tasks and powers in Articles 57 and 58, but also in accounting for certification as a factor to be taken into account in determining administrative fines, and more generally as a means of demonstrating compliance.