Article 43
Certification bodies

Recitals of the Regulation related to Article 43

(100) In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms and data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services.

There is no recital in the Directive related to article 43.

The GDPR


Article 43 of the Regulation provides that certification is issued and renewed by a certification body with an appropriate level of expertise in relation to data protection, after informing the supervisory authority so that the latter can, where necessary, exercise the power conferred on it by Article 58(2)(h).

Under that provision, the supervisory authority may withdraw a certification, order the certification body to withdraw a certification issued on the basis of Articles 42 and 43, or order the certification body not to issue certification where the requirements for the certification are not, or are no longer, met.

Each Member State must ensure that certification bodies are accredited by one or both of the following: the competent national supervisory authority, or the national accreditation body named in accordance with Regulation (EC) No 765/2008 of 9 July 2008 (paragraph 1, a) and b)).

There are various conditions required for a certification body to get accredited:

- they shall have demonstrated their independence and expertise in relation to the subject-matter of the certification to the satisfaction of the competent supervisory authority (paragraph 2, a));

- they shall have undertaken to respect the criteria referred to in Article 42 (5) and approved by the supervisory authority which is competent pursuant to Article 55 or 56 or by the Board pursuant to Article 63 (paragraph 2, b));

- they shall have established procedures for the issuing, periodic review and withdrawal of data protection certification, seals and marks (paragraph 2, c));

- they shall have established procedures and structures to handle complaints about infringements of the certification or the manner in which the certification has been, or is being, implemented by the controller or processor, and to make those procedures and structures transparent to data subjects and the public (paragraph 2, d));

- they shall have demonstrated that their tasks and duties do not result in a conflict of interests (paragraph 2, e)).

According to paragraph 3 of Article 43, the criteria for the accreditation of certification bodies must be approved either by the competent supervisory authority or by the European Data Protection Board pursuant to Article 63.

Where accreditation is granted by the national accreditation body pursuant to paragraph 1, b), those accreditation criteria supplement the requirements set out in Regulation (EC) No 765/2008 and the technical rules describing the methods and procedures of the certification bodies.

The accreditation requirements referred to in paragraph 3 and the certification criteria referred to in Article 42(5) must be published by the supervisory authority in an easily accessible form and forwarded to the European Data Protection Board. The Board shall collate all certification mechanisms and data protection seals in a register and make them publicly available by any appropriate means (paragraph 6).

Once accredited, the certification body is responsible for the proper assessment leading to the certification or to its withdrawal, without prejudice to the controller's or processor's own responsibility for compliance with the Regulation. Accreditation is issued for a maximum period of five years and may be renewed on the same conditions provided that the certification body still meets the requirements of Article 43 (paragraph 4). The certification body must provide the competent supervisory authorities with the reasons for granting or withdrawing the requested certification (paragraph 5).

The competent supervisory authority or the national accreditation body shall revoke the accreditation of a certification body where the conditions for accreditation are not, or are no longer, met, or where actions taken by the certification body infringe the Regulation (paragraph 7).

The Commission is empowered to adopt delegated acts in accordance with Article 92 for the purpose of specifying the requirements to be taken into account for the data protection certification mechanisms referred to in Article 42(1) (paragraph 8).

The Commission may adopt implementing acts laying down technical standards for certification mechanisms and data protection seals and marks, and mechanisms to promote and recognize those certification mechanisms, seals and marks (paragraph 9). Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93 (2).


The Directive

Neither the Directive nor national laws provided for a certification mechanism.

Potential issues

It will not be easy to find organisations that meet the conditions for accreditation. There is also a concern that some organisations which would have the necessary competence will be discouraged or prevented by certain of those conditions. The conflict-of-interest condition is illustrative: having to prove a priori, at the accreditation stage, that no conflict of interest will arise in any later application for certification could exclude organisations from the business world (law firms, consultancies, etc.). It would be preferable to require such bodies to decline any application that presents a potential conflict of interest, and to clarify what the provision is meant to protect against.

Other difficulties are also a matter of concern, for example the obligation on the certification body to communicate to the competent supervisory authority the reasons for issuing or withdrawing a certification. Is there not a risk that controllers will refrain from applying for certification, knowing that if it is withdrawn their file may then be examined by the supervisory authority?

Article 29 Working Party

Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation (4 June 2019)

Before the adoption of the GDPR, the Article 29 Working Party established that certification could play an important role in the accountability framework for data protection. In order for certification to provide reliable evidence of data protection compliance, clear rules setting forth requirements for the provision of certification should be in place. Article 42 of the GDPR provides the legal basis for the development of such rules.

Certification mechanisms can improve transparency for data subjects, but also in business-to-business relations, for example between controllers and processors. Recital 100 of the GDPR states that the establishment of certification mechanisms can enhance transparency and compliance with the Regulation and allow data subjects to assess the level of data protection of relevant products and services.

The GDPR does not introduce a right to or an obligation of certification for controllers and processors; as per Article 42(3), certification is a voluntary process to assist in demonstrating compliance with the GDPR. Member States and supervisory authorities are called to encourage the establishment of certification mechanisms and will determine the stakeholder engagement in the certification process and lifecycle.

The primary aim of these guidelines is to identify overarching requirements and criteria that may be relevant to all types of certification mechanisms issued in accordance with Articles 42 and 43 of the GDPR. To this end, the guidelines:

  • explore the rationale for certification as an accountability tool
  • explain the key concepts of the certification provisions in Articles 42 and 43
  • explain the scope of what can be certified under Articles 42 and 43 and the purpose of certification
  • facilitate that the outcome of certification is meaningful, unambiguous, as reproducible as possible and comparable regardless of the certifier (comparability)

Regulation

Art. 43

1.   Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, certification bodies which have an appropriate level of expertise in relation to data protection shall, after informing the supervisory authority in order to allow it to exercise its powers pursuant to point (h) of Article 58(2) where necessary, issue and renew certification. Member States shall ensure that those certification bodies are accredited by one or both of the following:

a) the supervisory authority which is competent pursuant to Article 55 or 56;

b) the national accreditation body named in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council in accordance with EN-ISO/IEC 17065/2012 and with the additional requirements established by the supervisory authority which is competent pursuant to Article 55 or 56.

2.   Certification bodies referred to in paragraph 1 shall be accredited in accordance with that paragraph only where they have:

a) demonstrated their independence and expertise in relation to the subject-matter of the certification to the satisfaction of the competent supervisory authority;

b) undertaken to respect the criteria referred to in Article 42(5) and approved by the supervisory authority which is competent pursuant to Article 55 or 56 or by the Board pursuant to Article 63;

c) established procedures for the issuing, periodic review and withdrawal of data protection certification, seals and marks;

d) established procedures and structures to handle complaints about infringements of the certification or the manner in which the certification has been, or is being, implemented by the controller or processor, and to make those procedures and structures transparent to data subjects and the public; and

e) demonstrated, to the satisfaction of the competent supervisory authority, that their tasks and duties do not result in a conflict of interests.

3.   The accreditation of certification bodies as referred to in paragraphs 1 and 2 of this Article shall take place on the basis of criteria approved by the supervisory authority which is competent pursuant to Article 55 or 56 or by the Board pursuant to Article 63. In the case of accreditation pursuant to point (b) of paragraph 1 of this Article, those requirements shall complement those envisaged in Regulation (EC) No 765/2008 and the technical rules that describe the methods and procedures of the certification bodies.

4.   The certification bodies referred to in paragraph 1 shall be responsible for the proper assessment leading to the certification or the withdrawal of such certification without prejudice to the responsibility of the controller or processor for compliance with this Regulation. The accreditation shall be issued for a maximum period of five years and may be renewed on the same conditions provided that the certification body meets the requirements set out in this Article.

5.   The certification bodies referred to in paragraph 1 shall provide the competent supervisory authorities with the reasons for granting or withdrawing the requested certification.

6.   The requirements referred to in paragraph 3 of this Article and the criteria referred to in Article 42(5) shall be made public by the supervisory authority in an easily accessible form. The supervisory authorities shall also transmit those requirements and criteria to the Board. The Board shall collate all certification mechanisms and data protection seals in a register and shall make them publicly available by any appropriate means.

7.   Without prejudice to Chapter VIII, the competent supervisory authority or the national accreditation body shall revoke an accreditation of a certification body pursuant to paragraph 1 of this Article where the conditions for the accreditation are not, or are no longer, met or where actions taken by a certification body infringe this Regulation.

8.   The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of specifying the requirements to be taken into account for the data protection certification mechanisms referred to in Article 42(1).

9.   The Commission may adopt implementing acts laying down technical standards for certification mechanisms and data protection seals and marks, and mechanisms to promote and recognise those certification mechanisms, seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

1st proposal

No specific provision

2nd proposal

Art. 39a

1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 52 and 53, the certification shall be issued and renewed by a certification body which has an appropriate level of expertise in relation to data protection. Each Member State shall provide whether these certification bodies are accredited by:

(a) the supervisory authority which is competent according to Article 51 or 51a; and/or

(b) the National Accreditation Body named in accordance with Regulation (EC) 765/2008 of the European parliament and the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products in compliance with EN-ISO/IEC 17065/2012 and with the additional requirements established by the supervisory authority which is competent according to Article 51 or 51a.

2. The certification body referred to in paragraph 1 may be accredited for this purpose only if:

(a) it has demonstrated its independence and expertise in relation to the subject-matter of the certification to the satisfaction of the competent supervisory authority;

(aa) it has undertaken to respect the criteria referred to in paragraph 2a of Article 39 and approved by the supervisory authority which is competent according to Article 51 or 51a or, pursuant to Article 57, the European Data Protection Board;

(b) it has established procedures for the issue, periodic review and withdrawal of data protection seals and marks;

(c) it has established procedures and structures to deal with complaints about infringements of the certification or the manner in which the certification has been, or is being, implemented by the controller or processor, and to make these procedures and structures transparent to data subjects and the public;

(d) it demonstrates to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.

3. The accreditation of the certification bodies referred to in paragraph 1 shall take place on the basis of criteria approved by the supervisory authority which is competent according to Article 51 or 51a or, pursuant to Article 57, the European Data Protection Board. In case of an accreditation pursuant to point (b) of paragraph 1, these requirements complement those envisaged in Regulation 765/2008 and the technical rules that describe the methods and procedures of the certification bodies.

4. The certification body referred to in paragraph 1 shall be responsible for the proper assessment leading to the certification or the withdrawal of such certification without prejudice to the responsibility of the controller or processor for compliance with this Regulation. The accreditation is issued for a maximum period of five years and can be renewed in the same conditions as long as the body meets the requirements.

5. The certification body referred to in paragraph 1 shall provide the competent supervisory authority with the reasons for granting or withdrawing the requested certification.

6. The requirements referred to in paragraph 3 and the criteria referred to in paragraph 2a of Article 39 shall be made public by the supervisory authority in an easily accessible form. The supervisory authorities shall also transmit these to the European Data Protection Board. The European Data Protection Board shall collect all certification mechanisms and data protection seals in a register and shall make them publicly available through any appropriate means, such as through the European E-Justice Portal.

6a. Without prejudice to the provisions of Chapter VIII, the competent supervisory authority or the National Accreditation Body shall revoke the accreditation it granted to a certification body referred to in paragraph 1 if the conditions for accreditation are not, or no longer, met or actions taken by the body are not in compliance with this Regulation.

7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86, for the purpose of (...) specifying the criteria and requirements to be taken into account for the data protection certification mechanisms referred to in paragraph 1 (...).

7a. The European Data Protection Board shall give an opinion to the Commission on the criteria and requirements referred to in paragraph 7.

8. The Commission may lay down technical standards for certification mechanisms and data protection seals and marks and mechanisms to promote and recognize certification mechanisms and data protection seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).

Directive

No specific provision

France

Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés (Law No. 78-17 of 6 January 1978 on data processing, files and freedoms)

Art. 11

I. - The Commission nationale de l'informatique et des libertés is an independent administrative authority. It is the national supervisory authority within the meaning, and for the application, of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 referred to above. It performs the following tasks:

(...)

f bis) It may decide to certify persons, products, data systems or procedures for the purpose of recognising that they comply with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 referred to above and with this Act. To that end, it takes into account the specific needs of local authorities, their groupings, and micro, small and medium-sized enterprises. For the same purposes, it approves certification bodies, where applicable on the basis of their accreditation by the national accreditation body referred to in point (b) of Article 43(1) of the same Regulation, or decides, jointly with that body, that the latter shall approve them, under conditions laid down by decree in the Conseil d'État issued after consulting the Commission nationale de l'informatique et des libertés. The Commission draws up or approves the criteria of the certification and approval standards;

g) It may certify or approve and publish general standards or methodologies for the purpose of certification, by third parties approved or accredited under the arrangements referred to in point f bis of this 2°, of the compliance with this Act of processes for anonymising personal data, in particular with a view to the re-use of public information published online under the conditions laid down in Title II of Book III of the Code des relations entre le public et l'administration.

Implementing decree.

Art. 6-8

Decree issued for the application of Law No. 78-17 of 6 January 1978.

I. - Where it intends to draw up or approve the criteria of the certification and approval standards referred to in point f bis of 2° of I of Article 11 of the Law of 6 January 1978 referred to above, the Commission nationale de l'informatique et des libertés decides, having regard in particular to the field of activity and the subject of the certification standard, on the certification and approval arrangements chosen from among those defined in this Article.

The Commission may decide to issue certifications itself or to leave this to third-party bodies.

Where certification is issued by third-party bodies, the Commission determines, having regard to the field of activity and the subject of the certification standard, whether it approves those certification bodies directly or whether that approval may be granted by the national accreditation body referred to in point (b) of Article 43(1) of Regulation (EU) 2016/679 of 27 April 2016 referred to above. In the latter case, the Commission refers the matter to the national accreditation body, which carries out a feasibility study of the approval of the certification bodies potentially concerned. An agreement lays down the terms of cooperation between the Commission and the national accreditation body.

II. - The content of the file for applications for certification and approval submitted to the Commission under I is laid down by the deliberation adopting the certification or approval criteria.

The Commission decides within four months of receipt of a complete application. That period may be extended by a further two months by decision of its President. Where the Commission has not decided within those periods, the application is deemed rejected.

If the Commission refers the matter, pursuant to Article 43(3) of Regulation (EU) 2016/679 of 27 April 2016 referred to above, to the European Data Protection Board referred to in Article 68 of the same Regulation, the periods provided for in the second paragraph are suspended until notification of the Board's opinion or, where applicable, of its decision in accordance with Article 65(6) of that Regulation. The Commission informs the applicant of that referral and of its outcome.

The content of the application files submitted to the national accreditation body under I, and the conditions for their processing, incorporating any additional requirements laid down by the Commission, are defined by the accreditation rules of the national accreditation body. That accreditation takes the place of approval.

III. - Certifications are issued for a period specified by each certification standard, which may not exceed three years.

Certification bodies are approved for a maximum period of five years, renewable under conditions laid down by the Commission's rules of procedure or, as the case may be, by the accreditation rules of the national accreditation body.
