Article 42
Certification

Recitals of the Regulation related to article 42

(77) Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by means of approved codes of conduct, approved certifications, guidelines provided by the Board or indications provided by a data protection officer. The Board may also issue guidelines on processing operations that are considered to be unlikely to result in a high risk to the rights and freedoms of natural persons and indicate what measures may be sufficient in such cases to address such risk.

(81) To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing. The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller. The carrying-out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject. The controller and processor may choose to use an individual contract or standard contractual clauses which are adopted either directly by the Commission or by a supervisory authority in accordance with the consistency mechanism and then adopted by the Commission. After the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal data, unless there is a requirement to store the personal data under Union or Member State law to which the processor is subject.

(100) In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms and data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services.

There is no recital in the Directive related to article 42.

The GDPR

Article 42 of the Regulation, supplemented by Article 43, implements a certification mechanism to assist the controllers and processors who are required to comply with the data protection rules. These rules are increasingly complex and burdensome to implement, and their content often depends on the circumstances, taking shape only in light of various parameters (purposes, types of data, etc.).

This is why the Regulation calls on the Member States, the European Data Protection Board, the Commission and the supervisory authorities to encourage the establishment of certification mechanisms as well as data protection seals and marks. Their purpose is to certify that the processing carried out by controllers or processors complies with the Regulation. The Regulation insists that the specific needs of micro, small and medium-sized enterprises be taken into account, since they are inevitably less well equipped to deal with implementation.

These mechanisms may also be used specifically to demonstrate the existence of appropriate safeguards provided by controllers and processors who are not subject to the Regulation under Article 3, or in the context of transfers of personal data to a third country or an international organisation in the absence of an adequacy decision by the Commission (Article 42(2)). Such controllers or processors shall make binding and enforceable commitments to apply those appropriate safeguards, including with regard to the rights of data subjects.

The final version of the Regulation adds a third paragraph to Article 42 under which the certification shall be voluntary and available via a process that is transparent. The controller or processor which submits its processing to the certification mechanism shall provide the certification body or the competent supervisory authority with all information and access to its processing activities which are necessary to conduct the certification procedure (paragraph 6).

In no case can certification reduce the responsibility of controllers and processors. It is without prejudice to the tasks and powers of the competent supervisory authorities (Article 42(4)).

Certification can be issued only by a body specially accredited in accordance with Article 43 or, where applicable, by the competent supervisory authority under Article 55, or by the European Data Protection Board where it is called upon to intervene under Article 63, in which case the certification may be recognised by a potential European label.

Naturally, the controller or processor that submits its processing to the certification mechanism is under a duty to provide specific information to the certification body or the supervisory authority. It must also give access to the processing activities that are necessary to conduct the certification procedure (paragraph 3).

The certification shall be issued to a controller or processor for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant requirements continue to be met. Certification shall be withdrawn by the certification bodies referred to in Article 43 or by the competent supervisory authority where the requirements for the certification are not or are no longer met.

Finally, the European Data Protection Board shall collate all certification mechanisms and data protection marks in a register. This register shall be made publicly available by any appropriate means.

The Directive

There is no corresponding provision in the Directive.

Potential issues

There is no doubt that certification mechanisms can be very useful to controllers and processors who may find it difficult to assess the compliance of their processing with the Regulation (security level, specific safeguards obtained from a processor, etc.).

It is not yet clear how obtaining this certification would affect the responsibility of the controller or the processor. Their very purpose in going through certification would be to limit their responsibility, and the certification could, even should, be taken into account by those who assess that responsibility, at least where the legal duty in dispute has an undetermined scope (to take sufficient safeguards, for example). It is true that the objective nature of responsibility under Article 82 of the Regulation must also be taken into account.

We are not certain that it is appropriate for the supervisory authority both to issue certifications and approvals, for which it itself defines the criteria, and to supervise the compliance of processing. This mixing of roles could adversely affect its independence.

Regulation

Art. 42

1.   The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.

2.   In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 5 of this Article may be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation pursuant to Article 3 within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (f) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects.

3.   The certification shall be voluntary and available via a process that is transparent.

4.   A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the supervisory authorities which are competent pursuant to Article 55 or 56.

5.   A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 43 or by the competent supervisory authority, on the basis of criteria approved by that competent supervisory authority pursuant to Article 58(3) or by the Board pursuant to Article 63. Where the criteria are approved by the Board, this may result in a common certification, the European Data Protection Seal.

6.   The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 43, or where applicable, the competent supervisory authority, with all information and access to its processing activities which are necessary to conduct the certification procedure.

7.   Certification shall be issued to a controller or processor for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant requirements continue to be met. Certification shall be withdrawn, as applicable, by the certification bodies referred to in Article 43 or by the competent supervisory authority where the requirements for the certification are not or are no longer met.

8.   The Board shall collate all certification mechanisms and data protection seals and marks in a register and shall make them publicly available by any appropriate means.

1st proposal

Art. 39

1. The Member States and the Commission shall encourage, in particular at European level, the establishment of data protection certification mechanisms and of data protection seals and marks, allowing data subjects to quickly assess the level of data protection provided by controllers and processors. The data protection certifications mechanisms shall contribute to the proper application of this Regulation, taking account of the specific features of the various sectors and different processing operations.

2. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the data protection certification mechanisms referred to in paragraph 1, including conditions for granting and withdrawal, and requirements for recognition within the Union and in third countries.

3. The Commission may lay down technical standards for certification mechanisms and data protection seals and marks and mechanisms to promote and recognize certification mechanisms and data protection seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).

2nd proposal

Art. 39

1. The Member States, the European Data Protection Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks for the purpose of demonstrating compliance with this Regulation of processing operations carried out by controllers and processors.

The specific needs of micro, small and medium-sized enterprises shall be taken into account.

1a. In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 2a may also be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation according to Article 3 within the framework of personal data transfers to third countries or international organisations under the terms referred to in Article 42(2)(e). Such controllers or processors shall make binding and enforceable commitments, via contractual instruments or otherwise, to apply those appropriate safeguards, including as regards data subjects’ rights.

2. A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the supervisory authority which is competent pursuant to Article 51 or 51a.

2a. A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 39a, or where applicable, by the competent supervisory authority on the basis of the criteria approved by the competent supervisory authority or, pursuant to Article 57, the European Data Protection Board.

3. The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 39a, or where applicable, the competent supervisory authority, with all information and access to its processing activities which are necessary to conduct the certification procedure.

4. The certification shall be issued to a controller or processor for a maximum period of 3 years and may be renewed under the same conditions as long as the relevant requirements continue to be met. It shall be withdrawn by the certification bodies referred to in Article 39a, or where applicable, by the competent supervisory authority where the requirements for the certification are not or no longer met.

5. The European Data Protection Board shall collect all certification mechanisms and data protection seals in a register and shall make them publicly available through any appropriate means, such as through the European E-Justice Portal.

Directive

No specific provision.
