Article 42
Certification

Recitals of the Regulation related to article 42

(77) Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by means of approved codes of conduct, approved certifications, guidelines provided by the Board or indications provided by a data protection officer. The Board may also issue guidelines on processing operations that are considered to be unlikely to result in a high risk to the rights and freedoms of natural persons and indicate what measures may be sufficient in such cases to address such risk.

(81) To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing. The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller. The carrying-out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject. The controller and processor may choose to use an individual contract or standard contractual clauses which are adopted either directly by the Commission or by a supervisory authority in accordance with the consistency mechanism and then adopted by the Commission. After the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal data, unless there is a requirement to store the personal data under Union or Member State law to which the processor is subject.

(100) In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms and data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services.

There is no recital in the Directive related to article 42.

The GDPR

Article 42 of the Regulation - supplemented by Article 43 - implements a certification mechanism to assist controllers and processors who are required to comply with the data protection rules. Those rules are increasingly complex and burdensome to implement, and their content often depends on the circumstances, taking shape only according to various parameters (purposes, types of data, etc.).

This is why the Regulation calls on the Member States, the European Data Protection Board, the Commission and the supervisory authorities to encourage the establishment of certification mechanisms as well as seals and marks. Their purpose is to certify the compliance of the processing carried out by controllers or processors. The Regulation insists that the specific needs of micro, small and medium-sized enterprises be taken into account, as they are inevitably less well equipped to deal with implementation.

These mechanisms may also be used specifically to demonstrate the existence of appropriate safeguards provided by controllers and processors who are not subject to the Regulation under Article 3, in the context of transfers of personal data to a third country or an international organisation in the absence of an adequacy decision taken by the Commission (Article 42 (2)). Such controllers or processors shall make binding and enforceable commitments to apply those appropriate safeguards, including with regard to the rights of data subjects.

The final version of the Regulation adds a third paragraph to Article 42 under which the certification shall be voluntary and available via a process that is transparent. The controller or processor which submits its processing to the certification mechanism shall provide the certification body or the competent supervisory authority with all information and access to its processing activities which are necessary to conduct the certification procedure (paragraph 6).

The certification cannot in any case reduce the responsibility of the controllers and the processors. It is without prejudice to the tasks and powers of the competent supervisory authorities (Article 42 (4)).

The certification can be issued only by a body specially authorised in accordance with Article 43 or, where applicable, by the competent supervisory authority pursuant to Article 55, or by the Data Protection Board when it intervenes pursuant to Article 63, in which case the certification may be recognised by a potential European seal.

Of course, the controller or the processor who submits its processing to the certification mechanism is subject to a duty to communicate specific information to the certification body or the supervisory authority. They must also provide access to the processing activities where that is necessary to conduct the certification procedure (paragraph 3).

The certification shall be issued to a controller or processor for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant requirements continue to be met. Certification shall be withdrawn by the certification bodies referred to in Article 43 or by the competent supervisory authority where the requirements for the certification are not or are no longer met.

Finally, the European Data Protection Board shall collate all certification mechanisms and data protection marks in a register. Such register shall be made publicly available by any appropriate means.

The Directive

There is no corresponding provision in the Directive.

Potential issues

There is no doubt that certification mechanisms can be very useful to controllers and processors who may find it difficult to assess the compliance of their processing with the Regulation (security level, specific safeguards obtained from a processor, etc.).

It is not yet clear how obtaining this certification would affect the responsibility of the controller or the processor. Their very purpose in going through certification would be to limit their responsibility, and the certification could, indeed should, be taken into consideration by those who assess that responsibility, at least where the legal duty in dispute has an undetermined scope (taking sufficient safeguards, for example). It is true that the objectification of responsibility under Article 82 of the Regulation must be taken into account.

We are not certain that it is appropriate to provide that the supervisory authority can both issue certifications and approvals - for which it defines the criteria itself - and monitor the compliance of processing. This mix of roles could adversely affect its independence.

Summary

European Union

European data protection board (EDPB)

Guidelines in accordance with Articles 42 and 43 of the Regulation - 1/2018 (4 June 2019)

Before the adoption of the GDPR, the Article 29 Working Party established that certification could play an important role in the accountability framework for data protection. In order for certification to provide reliable evidence of data protection compliance, clear rules setting forth requirements for the provision of certification should be in place. Article 42 of the GDPR provides the legal basis for the development of such rules.

Certification mechanisms can improve transparency for data subjects, but also in business-to-business relations, for example between controllers and processors. Recital 100 of the GDPR states that the establishment of certification mechanisms can enhance transparency and compliance with the Regulation and allow data subjects to assess the level of data protection of relevant products and services.

The GDPR does not introduce a right to or an obligation of certification for controllers and processors; as per Article 42(3), certification is a voluntary process to assist in demonstrating compliance with the GDPR. Member States and supervisory authorities are called to encourage the establishment of certification mechanisms and will determine the stakeholder engagement in the certification process and lifecycle.

The primary aim of these guidelines is to identify overarching requirements and criteria that may be relevant to all types of certification mechanisms issued in accordance with Articles 42 and 43 of the GDPR. To this end, the guidelines:

  • explore the rationale for certification as an accountability tool
  • explain the key concepts of the certification provisions in Articles 42 and 43
  • explain the scope of what can be certified under Articles 42 and 43 and the purpose of certification
  • facilitate that the outcome of certification is meaningful, unambiguous, as reproducible as possible and comparable regardless of the certifier (comparability)


Guidelines 07/2022 on certification as a tool for transfers (14 June 2022)

The GDPR requires in its Article 46 that data exporters shall put in place appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR diversifies the appropriate safeguards that may be used by data exporters under Article 46 for framing transfers to third countries by introducing, amongst others, certification as a new transfer mechanism (Articles 42 (2) and 46 (2) (f) GDPR).

These guidelines provide guidance as to the application of Article 46 (2) (f) of the GDPR on transfers of personal data to third countries or to international organisations on the basis of certification. The document is structured in four sections with an Annex.

Part one of this document ("GENERAL") clarifies that the guidelines supplement the already existing general Guidelines 1/2018 on certification and addresses specific requirements from Chapter V of the GDPR when certification is used as a transfer tool. According to Article 44 of the GDPR, any transfer of personal data to third countries or international organisations, must meet the conditions of the other provisions of the GDPR in addition to complying with Chapter V of the GDPR. Therefore, as a first step, compliance with the general provisions of the GDPR must be ensured and, as a second step, the provisions of Chapter V of the GDPR must be complied with. The actors who are involved and their core roles in this context are described, with a special focus on the role of the data importer who will be granted a certification and of the data exporter who will use it as a tool to frame its transfers (considering that the responsibility for data processing compliance remains with the data exporter). In this context the certification can also include additional measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. Part one of the guidelines also contains information on the process for obtaining a certification to be used as tool for transfers.

The second part of these guidelines ("IMPLEMENTING GUIDANCE ON THE ACCREDITATION REQUIREMENTS") recalls that the requirements for accreditation of a certification body are to be found in ISO 17065 and in Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the GDPR and its Annex, interpreted against the background of Chapter V. In the context of a transfer, these guidelines further explain some of the accreditation requirements applicable to the certification body.

The third part of these guidelines ("SPECIFIC CERTIFICATION CRITERIA") provides guidance on the certification criteria already listed in Guidelines 1/2018 and establishes additional specific criteria that should be included in a certification mechanism to be used as a tool for transfers to third countries. These criteria cover the assessment of the third country's legislation, the general obligations of exporters and importers, rules on onward transfers, redress and enforcement, the process and actions for situations in which national legislation and practices prevent compliance with commitments taken as part of the certification, and requests for data access by third country authorities.

Part four of these guidelines ("BINDING AND ENFORCEABLE COMMITMENTS TO BE IMPLEMENTED") provides elements that should be addressed in the binding and enforceable commitments that controllers or processors not subject to the GDPR should take for the purpose of providing appropriate safeguards to data transferred to third countries. These commitments, which may be set out in different instruments including contracts, shall in particular include a warranty that the importer has no reason to believe that the laws and practices in the third country applicable to the processing at stake, including any requirements to disclose personal data or measures authorising access by public authorities, prevent it from fulfilling its commitments under the certification.

The ANNEX of these guidelines contains some examples of supplementary measures in line with those listed in Annex II Recommendations 01/2020 (Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data) in the context of the use of a certification as a tool for transfers.

Regulation

Art. 42

1.   The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.

2.   In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 5 of this Article may be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation pursuant to Article 3 within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (f) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects.

3.   The certification shall be voluntary and available via a process that is transparent.

4.   A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the supervisory authorities which are competent pursuant to Article 55 or 56.

5.   A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 43 or by the competent supervisory authority, on the basis of criteria approved by that competent supervisory authority pursuant to Article 58(3) or by the Board pursuant to Article 63. Where the criteria are approved by the Board, this may result in a common certification, the European Data Protection Seal.

6.   The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 43, or where applicable, the competent supervisory authority, with all information and access to its processing activities which are necessary to conduct the certification procedure.

7.   Certification shall be issued to a controller or processor for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant requirements continue to be met. Certification shall be withdrawn, as applicable, by the certification bodies referred to in Article 43 or by the competent supervisory authority where the requirements for the certification are not or are no longer met.

8.   The Board shall collate all certification mechanisms and data protection seals and marks in a register and shall make them publicly available by any appropriate means.

1st proposal

Art. 39

1. The Member States and the Commission shall encourage, in particular at European level, the establishment of data protection certification mechanisms and of data protection seals and marks, allowing data subjects to quickly assess the level of data protection provided by controllers and processors. The data protection certifications mechanisms shall contribute to the proper application of this Regulation, taking account of the specific features of the various sectors and different processing operations.

2. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the data protection certification mechanisms referred to in paragraph 1, including conditions for granting and withdrawal, and requirements for recognition within the Union and in third countries.

3. The Commission may lay down technical standards for certification mechanisms and data protection seals and marks and mechanisms to promote and recognize certification mechanisms and data protection seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).

2nd proposal

Art. 39

1. The Member States, the European Data Protection Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks for the purpose of demonstrating compliance with this Regulation of processing operations carried out by controllers and processors.

The specific needs of micro, small and medium-sized enterprises shall be taken into account.

1a. In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 2a may also be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation according to Article 3 within the framework of personal data transfers to third countries or international organisations under the terms referred to in Article 42(2)(e). Such controllers or processors shall make binding and enforceable commitments, via contractual instruments or otherwise, to apply those appropriate safeguards, including as regards data subjects' rights.

2. A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the supervisory authority which is competent pursuant to Article 51 or 51a.

2a. A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 39a, or where applicable, by the competent supervisory authority on the basis of the criteria approved by the competent supervisory authority or, pursuant to Article 57, the European Data Protection Board.

3. The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 39a, or where applicable, the competent supervisory authority, with all information and access to its processing activities which are necessary to conduct the certification procedure.

4. The certification shall be issued to a controller or processor for a maximum period of 3 years and may be renewed under the same conditions as long as the relevant requirements continue to be met. It shall be withdrawn by the certification bodies referred to in Article 39a, or where applicable, by the competent supervisory authority where the requirements for the certification are not or no longer met.

5. The European Data Protection Board shall collect all certification mechanisms and data protection seals in a register and shall make them publicly available through any appropriate means, such as through the European E-Justice Portal.

Directive

No specific provision.

Section 9a
Data protection audit

In order to improve data protection and data security, suppliers of data processing systems and programs and bodies conducting data processing may have their data protection strategies and their technical facilities examined and evaluated by independent and approved appraisers, and may publish the result of the audit. The detailed requirements pertaining to examination and evaluation, the procedure and selection and approval of the appraisers shall be stipulated in a separate act.
