menu MENU
arrow_back Back to the list of all Articles
Change country (Currently : Poland) language
Contact our local member in Poland mail_outline
Visit the website of GKR Legal account_balance

arrow_backPrevious Article
Article 42
Next Articlearrow_forward

Certification

Official
Texts Guidelines Caselaw Review of
EU Regulation Review of
Nat. Regulation
Show key term(s) and Article(s) related to article 42 of the Regulation keyboard_arrow_down Hide key term(s) and Article(s) related to article 42 keyboard_arrow_up

Key words related to article 42

Show the recitals of the Regulation related to article 42 keyboard_arrow_down Hide the recitals of the Regulation related to article 42 keyboard_arrow_up

(77) Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by means of approved codes of conduct, approved certifications, guidelines provided by the Board or indications provided by a data protection officer. The Board may also issue guidelines on processing operations that are considered to be unlikely to result in a high risk to the rights and freedoms of natural persons and indicate what measures may be sufficient in such cases to address such risk.

(81) To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing. The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller. The carrying-out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject. The controller and processor may choose to use an individual contract or standard contractual clauses which are adopted either directly by the Commission or by a supervisory authority in accordance with the consistency mechanism and then adopted by the Commission. After the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal data, unless there is a requirement to store the personal data under Union or Member State law to which the processor is subject.

(100) In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms and data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services.

There is no recital in the Directive related to article 42.

The GDPR

Article 42 of the Regulation - supplemented by Article 43 - implements a mechanism of certification to assist the controllers and processors required to comply with the protection rules. These are actually increasingly complex and heavy to implement, their contents often depending on the circumstances and taking shape depending on various parameters only (purposes, types of data, etc.).

This is why the Regulation advocates not only the encouragement by the Member States, the European Data Protection Board, the Commission, the supervisory authorities of the implementation of mechanisms of certification as well as marks and labels. The purpose is to certify the compliance of the processing pursued by the controllers or the processors. The Regulation insists that the specific needs of micro, small and medium-sized enterprises are taken into consideration as they are inevitably less armed to deal with implementation.

These mechanisms may also be used specifically to demonstrate the existence of appropriate safeguards provided by the controllers and the processors who are not subject to the Regulation under article 3, or in the context of transfers of personal data to a third country or an organization, in the absence of a decision on adequacy taken by the Commission (Article 42 (2)). Such controllers or processors shall make binding and enforceable commitments to apply those appropriate safeguards, including with regard to the rights of data subjects.

The final version of the Regulation adds a third paragraph to Article 42 under which the certification shall be voluntary and available via a process that is transparent. The controller or processor which submits its processing to the certification mechanism shall provide the certification body or the competent supervisory authority with all information and access to its processing activities which are necessary to conduct the certification procedure (paragraph 6).

The certification cannot reduce in any case the responsibility of the controllers and the processors. It is without prejudice to the tasks and powers of the supervisory authorities which are competent (Article 42 (4)).

The certification can be issued only by a specially authorised body in accordance with  Article 43 or, where applicable, by the competent supervisory authority in application of Article 55, or by the data protection board brought to intervene in application of Article 63 with, in this case, recognition by a potential European label.

Of course, the controller or the processor who submits his processing to the certification mechanism is subject to a duty to communicate specific information to the certification or supervisory authority. They must also provide access to the processing activities that are necessary to conduct the certification procedure (paragraph 3).

The certification shall be issued to a controller or processor for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant requirements continue to be met. Certification shall be withdrawn by the certification bodies referred to in Article 43 or by the competent supervisory authority where the requirements for the certification are not or are no longer met.

Finally, the European Data Protection Board shall collate all certification mechanisms and data protection marks in a register. Such register shall be made publicly available by any appropriate means.

The Directive

There is no corresponding provision in the Directive.

Potential issues

There is no doubt that the certification mechanisms can be very useful to controllers and processors who may find it difficult to assess the compliance of their processing to the Regulation (security level, specific safeguards obtained by a processor, etc.).

It is not clear yet how the assertion of this certification would impact on the responsibility of the controller or the processor. The purpose for them would be exactly to pass through the certification to limit their responsibility and the certification could, even should be taken into consideration by those who assess the responsibility, in any assumption if the contentious legal duty has an undetermined scope (take sufficient safeguards, for example). It is true that the objectification of responsibility under article 82 of the Regulation must be taken into account.

We are not certain that it is appropriate to provide that the supervisory authority can both issue certifications, approvals - that it defines the criteria for - and implement the control of the compliance of processing. There is a mix of roles that could adversely affect its independence.

arrow_back Previous ArticleArticle 42Next Article arrow_forward
arrow_back Previous ArticleArticle 42 Next Article arrow_forward

Summary

European Union

European Union

European data protection board (EDPB)

Guidelines in accordance with Articles 42 and 43 of the Regulation - 1/2018 (4 June 2019)

Before the adoption of the GDPR, the Article 29 Working Party established that certification could play an important role in the accountability framework for data protection. In order for certification to provide reliable evidence of data protection compliance, clear rules setting forth requirements for the provision of certification should be in place. Article 42 of the GDPR provides the legal basis for the development of such rules.

Certification mechanisms can improve transparency for data subjects, but also in business-to-business relations, for example between controllers and processors. Recital 100 of the GDPR states that the establishment of certification mechanisms can enhance transparency and compliance with the Regulation and allow data subjects to assess the level of data protection of relevant products and services.

The GDPR does not introduce a right to or an obligation of certification for controllers and processors; as per Article 42(3), certification is a voluntary process to assist in demonstrating compliance with the GDPR. Member States and supervisory authorities are called to encourage the establishment of certification mechanisms and will determine the stakeholder engagement in the certification process and lifecycle.

The primary aim of these guidelines is to identify overarching requirements and criteria that may be relevant to all types of certification mechanisms issued in accordance with Articles 42 and 43 of the GDPR. To this end, the guidelines:

  • explore the rationale for certification as an accountability tool
  • explain the key concepts of the certification provisions in Articles 42 and 43
  • and explain the scope of what can be certified under Articles 42 and 43 and the purpose of certification
  • facilitate that the outcome of certification is meaningful, unambiguous, as reproducible as possible and comparable regardless of the certifier (comparability)

Link

Guidelines 07/2022 on certification as a tool for transfers (14 June 2022)

The GDPR requires in its Article 46 that data exporters shall put in place appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR diversifies the appropriate safeguards that may be used by data exporters under Article 46 for framing transfers to third countries by introducing, amongst others, certification as a new transfer mechanism (Articles 42 (2) and 46 (2) (f) GDPR).

These guidelines provide guidance as to the application of Article 46 (2) (f) of the GDPR on transfers of personal data to third countries or to international organisations on the basis of certification. The document is structured in four sections with an Annex.

Part one of this document ("GENERAL") clarifies that the guidelines supplement the already existing general Guidelines 1/2018 on certification and addresses specific requirements from Chapter V of the GDPR when certification is used as a transfer tool. According to Article 44 of the GDPR, any transfer of personal data to third countries or international organisations, must meet the conditions of the other provisions of the GDPR in addition to complying with Chapter V of the GDPR. Therefore, as a first step, compliance with the general provisions of the GDPR must be ensured and, as a second step, the provisions of Chapter V of the GDPR must be complied with. The actors who are involved and their core roles in this context are described, with a special focus on the role of the data importer who will be granted a certification and of the data exporter who will use it as a tool to frame its transfers (considering that the responsibility for data processing compliance remains with the data exporter). In this context the certification can also include additional measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. Part one of the guidelines also contains information on the process for obtaining a certification to be used as tool for transfers.

The second part of these guidelines (“IMPLEMENTING GUIDANCE ON THE ACCREDITATION REQUIREMENTS”) recalls that the requirements for accreditation of a certification body are to be found in ISO 17065 and by interpreting the Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the GDPR and its Annex against the background of Chapter V. However, in the context of a transfer, these guidelines further explain some of the accreditation requirements applicable to the certification body.

The third part of these guidelines ("SPECIFIC CERTIFICATION CRITERIA") provides for guidance on the certification criteria already listed in Guidelines 1/2018 and establishes additional specific criteria that should be included in a certification mechanism to be used as a tool for transfers to third countries. These criteria cover the assessment of the third country legislation, the general obligations of exporters and importers, rules on onward transfers, redress and enforcement, process and actions for situations in which national legislation and practices prevents compliance with commitments taken as part of certification and requests for data access by third country authorities.

Part four of these guidelines (“BINDING AND ENFORCEABLE COMMITMENTS TO BE IMPLEMENTED“) provides elements that should be addressed in the binding and enforceable commitments that controllers or processors not subject to the GDPR should take for the purpose of providing appropriate safeguards to data transferred to third countries. These commitments, which may be set out in different instruments including contracts, shall in particular include a warranty that the importer has no reason to believe that the laws and practices in the third country applicable to the processing at stake, including any requirements to disclose personal data or measures authorising access by public authorities, prevent it from fulfilling its commitments under the certification.

The ANNEX of these guidelines contains some examples of supplementary measures in line with those listed in Annex II Recommendations 01/2020 (Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data) in the context of the use of a certification as a tool for transfers.

Link

Guidelines 07/2022 on certification as a tool for transfers (14 February 2023)

The GDPR requires in its Article 46 that data exporters shall put in place appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR diversifies the appropriate safeguards that may be used by data exporters under Article 46 for framing transfers to third countries by introducing, amongst others, certification as a new transfer mechanism (Articles 42 (2) and 46 (2) (f) GDPR).

These guidelines provide guidance as to the application of Article 46 (2) (f) of the GDPR on transfers of personal data to third countries or to international organisations on the basis of certification. The document is structured in four sections with an Annex.

Part one of this document ("GENERAL") clarifies that the guidelines supplement the already existing general Guidelines 1/2018 on certification and addresses specific requirements from Chapter V of the GDPR when certification is used as a transfer tool. According to Article 44 of the GDPR, any transfer of personal data to third countries or international organisations, must meet the conditions of the other provisions of the GDPR in addition to complying with Chapter V of the GDPR. Therefore, as a first step, compliance with the general provisions of the GDPR must be ensured and, as a second step, the provisions of Chapter V of the GDPR must be complied with. The actors who are involved and their core roles in this context are described, with a special focus on the role of the data importer who will be granted a certification and of the data exporter who will use it as a tool to frame its transfers (considering that the responsibility for data processing compliance remains with the data exporter). In this context the certification can also include measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. Part one of the guidelines also contains information on the process for obtaining a certification to be used as tool for transfers.

The second part of these guidelines (“IMPLEMENTING GUIDANCE ON THE ACCREDITATION REQUIREMENTS”) recalls that the requirements for accreditation of a certification body are to be found in ISO 17065 and by interpreting the Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the GDPR and its Annex against the background of Chapter V. However, in the context of a transfer, these guidelines further explain some of the accreditation requirements applicable to the certification body.

The third part of these guidelines ("SPECIFIC CERTIFICATION CRITERIA") provides for guidance on the certification criteria already listed in Guidelines 1/2018 and establishes additional specific criteria that should be included in a certification mechanism to be used as a tool for transfers to third countries. These criteria cover the assessment of the third country legislation, the general obligations of exporters and importers, rules on onward transfers, redress and enforcement, process and actions for situations in which national legislation and practices prevents compliance with commitments taken as part of certification and requests for data access by third country authorities.

Part four of these guidelines (“BINDING AND ENFORCEABLE COMMITMENTS TO BE IMPLEMENTED“) provides elements that should be addressed in the binding and enforceable commitments that controllers or processors not subject to the GDPR should take for the purpose of providing appropriate safeguards to data transferred to third countries. These commitments, which may be set out in different instruments including contracts, shall in particular include a warranty that the importer has no reason to believe that the laws and practices in the third country applicable to the processing at stake, including any requirements to disclose personal data or measures authorising access by public authorities, prevent it from fulfilling its commitments under the certification.

The ANNEX of these guidelines contains some examples of supplementary measures in line with those listed in Annex II Recommendations 01/2020 (Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data) in the context of the use of a certification as a tool for transfers. Examples are constructed with a view to raise attention to critical situations. 

Link

Retour au sommaire
arrow_back Previous Article Article 42 Next Article arrow_forward
Retour au sommaire
arrow_back Previous Article Article 42 Next Article arrow_forward
Regulation
1e 2e

Art. 42

1.   The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.

2.   In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 5 of this Article may be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation pursuant to Article 3 within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (f) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects.

3.   The certification shall be voluntary and available via a process that is transparent.

4.   A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the supervisory authorities which are competent pursuant to Article 55 or 56.

5.   A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 43 or by the competent supervisory authority, on the basis of criteria approved by that competent supervisory authority pursuant to Article 58(3) or by the Board pursuant to Article 63. Where the criteria are approved by the Board, this may result in a common certification, the European Data Protection Seal.

6.   The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 43, or where applicable, the competent supervisory authority, with all information and access to its processing activities which are necessary to conduct the certification procedure.

7.   Certification shall be issued to a controller or processor for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant requirements continue to be met. Certification shall be withdrawn, as applicable, by the certification bodies referred to in Article 43 or by the competent supervisory authority where the requirements for the certification are not or are no longer met.

8.   The Board shall collate all certification mechanisms and data protection seals and marks in a register and shall make them publicly available by any appropriate means.
1st proposal close

Art. 39

1.           The Member States and the Commission shall encourage, in particular at European level, the establishment of data protection certification mechanisms and of data protection seals and marks, allowing data subjects to quickly assess the level of data protection provided by controllers and processors. The data protection certifications mechanisms shall contribute to the proper application of this Regulation, taking account of the specific features of the various sectors and different processing operations.

2.           The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the data protection certification mechanisms referred to in paragraph 1, including conditions for granting and withdrawal, and requirements for recognition within the Union and in third countries.

3.           The Commission may lay down technical standards for certification mechanisms and data protection seals and marks and mechanisms to promote and recognize certification mechanisms and data protection seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).
2nd proposal close

Art. 39

1. The Member States, the European Data Protection Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks for the purpose of demonstrating compliance with this Regulation of processing operations carried out by controllers and processors.

The specific needs of micro, small and medium-sized enterprises shall be taken into account.

1a. In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 2a may also be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation according to Article 3 within the framework of personal data transfers to third countries or international organisations under the terms referred to in Article 42(2)(e). Such controllers or processors shall make binding and enforceable commitments, via contractual instruments or otherwise, to apply those appropriate safeguards, including as regards data subjects’ rights

2. A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the supervisory authority which is competent pursuant to Article 51 or 51a.

2a. A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 39a, or where applicable, by the competent supervisory authority on the basis of the criteria approved by the competent supervisory authority or, pursuant to Article 57, the European Data Protection Board.

3. The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 39a, or where applicable, the competent supervisory authority, with all information and access to its processing activities which are necessary to conduct the certification procedure.

4. The certification shall be issued to a controller or processor for a maximum period of 3 years and may be renewed under the same conditions as long as the relevant requirements continue to be met. It shall be withdrawn by the certification bodies referred to in Article 39a, or where applicable, by the competent supervisory authority where the requirements for the certification are not or no longer met.

5. The European Data Protection Board shall collect all certification mechanisms and data protection seals in a register and shall make them publicly available through any appropriate means, such as through the European E-Justice Portal.
Directive close

No specific provision.
Poland
compare_arrows
visibility Old law

Starting from May 25, 2018 GDPR came into force and is fully applicable in Poland. 

The Act on Protection of Personal Data of 29th August 1997 [unified text: Journal of Laws 2015, item 2135, 2281] is not in force since May 25, 2018. It was replaced by new regulation - The Act on Personal Data Protection of 10th May 2018, which implements GDPR in Poland. 

Chapter 4. of The Act on Personal Data Protection of 10th May 2018 [Conditions and procedure for certification]

Article 15 [Rules for certification]

1. Certification referred to in Article 42 of Regulation (EU) 2016/679, hereinafter “certification”, shall be carried out by the President of the Office or by a certification body, upon application by the controller, the processor, the manufacturer, or the entity placing a service or a product on the market.

2. Certification shall be carried out in accordance with the rules laid down in Regulation (EU) 2016/679.

3. In matters relating to certification carried out by a certification body which are not regulated in Regulation (EU) 2016/679 or in this Act, the provisions of the civil-law agreement concluded between the certification body and the applicant for certification shall apply.

Article 16 [Publication by the President of the Office of certification criteria]
The President of the Office shall make available, on his/her official website in the Public Information Bulletin, the certification criteria referred to in Article 42(5) of Regulation (EU) 2016/679.

Article 17 [Application for certification]

An application for certification shall contain at least:

  1. the name of the applicant for certification or his/her first name and surname, and an indication of the address of its registered office, the address of the place of business activity, or the address of residence;
  2. information confirming compliance with the certification criteria;
  3. an indication of the scope of the requested certification.

2. Documents confirming compliance with the certification criteria, or copies thereof, shall be attached to the application and, where certification is carried out by the President of the Office, proof of payment of the fee referred to in Article 26.

3. The application shall be submitted in writing either in paper form bearing a handwritten signature or in electronic form bearing a qualified electronic signature. An application submitted to the President of the Office in electronic form shall bear a qualified electronic signature or a signature confirmed by a trusted profile (ePUAP).

Article 18 [Time limit for examining an application for certification]

1. The President of the Office or the certification body shall examine the application for certification and, no later than within 3 months from the date of submission of an application compliant with Article 17, after verifying compliance with the certification criteria, shall notify the applicant of the granting or refusal of certification.

2. An application submitted to the President of the Office that does not contain the information referred to in Article 17(1)(1) shall be left unexamined. Where the application does not contain the information referred to in Article 17(1)(2) or (3), or does not meet the requirements referred to in Article 17(2) or (3), the President of the Office shall request the applicant to supplement it, together with an instruction that failure to do so within 7 days from service of the request will result in the application being left unexamined.

Article 19 [Obligation to inform the President of the Office of the intended granting or intended refusal of certification]
Before granting certification or refusing certification, the certification body shall inform the President of the Office of the intended granting or intended refusal of certification.

Article 20 [Grounds for refusal of certification]

1. Where it is established that the applicant for certification does not meet the certification criteria, the President of the Office or the certification body shall refuse to grant certification.

2. A refusal to grant certification by the President of the Office shall be made by way of a decision.

3. The certification body shall draw up and make available to interested entities a procedure to be followed in the event of a refusal to grant certification.

Article 21 [Certificate]

The document confirming certification shall be a certificate.

The certificate shall contain at least:

  1. identification of the entity to which the certificate was issued;
  2. the name of the entity carrying out certification and the address of its registered office;
  3. the number or designation of the certificate;
  4. the scope, including the period for which certification was granted;
  5. the date of issue and the signature of the entity carrying out certification or a person authorised by it.

Article 22 [Obligation of the certified entity to comply with the certification criteria]

1. During the period for which certification was granted, the entity to which certification was granted shall be obliged to comply with the certification criteria applicable on the date of issue of the certificate.

2. The President of the Office or the certification body shall withdraw certification where it is established that the entity to which certification was granted does not meet or has ceased to meet the certification criteria.

3. Withdrawal of certification by the President of the Office shall be made by way of a decision.

Article 23 [Register of entities granted certification]

1. The certification body shall provide the President of the Office with the data of the entity to which certification was granted and of the entity whose certification was withdrawn, together with an indication of the reason for the withdrawal.

2. The President of the Office shall keep a publicly accessible register of the entities referred to in paragraph 1.

3. The President of the Office shall enter an entity in the register without delay after granting certification or after receiving information that certification has been granted by a certification body.

4. The President of the Office shall make the register available on his/her official website in the Public Information Bulletin and shall keep it up to date.

Article 24 [Verification activities]

1. Within the time limit referred to in Article 18(1), and also after certification has been granted, the President of the Office shall be entitled, for the purpose of assessing whether the entity complies with the certification criteria, to carry out verification activities at the controller, the processor, the manufacturer, or the entity placing a service or a product on the market.

2. The President of the Office shall notify the entity referred to in paragraph 1 of the intention to carry out verification activities.

3. Verification activities shall be carried out not earlier than after 7 days and not later than before 30 days from the date of service of the notification referred to in paragraph 2. If the verification activities are not carried out within 30 days from the date of service of the notification, their performance shall require a renewed notification.

4. Verification activities shall be carried out on the basis of a personal authorisation issued by the President of the Office, which shall include:

  1. the first name and surname of the person carrying out the verification activities;
  2. identification of the controller, the processor, the manufacturer, or the entity placing a service or a product on the market;
  3. the legal basis for carrying out the verification activities;
  4. the scope of the verification activities;
  5. the date and place of issue;
  6. the signature of the person authorised to issue the authorisation on behalf of the President of the Office.

Article 25 [Powers of the person carrying out verification activities]

1. The person carrying out verification activities shall be entitled to:

  1. enter the land and the buildings, premises or other rooms during the working days and hours of the controller, the processor, the manufacturer, or the entity placing a service or a product on the market;
  2. inspect documents and information directly related to the activity covered by certification;
  3. examine devices, media and IT or ICT systems used for data processing;
  4. request oral or written explanations in matters related to the activity covered by certification.
  5. Verification activities shall be carried out in the presence of the controller, the processor, the manufacturer, or the entity placing a service or a product on the market, or a person authorised by that entity.

2. A report shall be drawn up of the verification activities and presented to the controller, the processor, the manufacturer, or the entity placing a service or a product on the market. Article 88 shall apply mutatis mutandis.

Article 26 [Fee for certification-related activities]

1. The President of the Office shall charge a fee for certification-related activities, the amount of which shall correspond to the estimated costs incurred in carrying out those activities.

2. When determining the amount of the fee, the President of the Office shall take into account the scope of certification, the anticipated course and duration of the certification procedure, and the cost of the work of the employee performing certification-related activities.

3. The maximum amount of the fee shall not exceed four times the average remuneration in the national economy in the calendar year preceding the year in which the application for certification is submitted, as announced by the President of the Central Statistical Office pursuant to Article 20(1)(a) of the Act of 17 December 1998 on pensions and disability pensions from the Social Insurance Fund (Journal of Laws of 2018, item 1270, as amended).

4. The President of the Office shall publish, on his/her official website in the Public Information Bulletin, the amount of the fee that the entity referred to in Article 15 is obliged to pay in respect of certification-related activities.

5. The fee shall constitute revenue of the State budget.
Old law close

No (special) provision in Poland.
arrow_back Previous ArticleArticle 42 Next Article arrow_forward
close

2016 - www.itiplaw.eu.