The controllers and the processors may adhere to a code of conduct prepared by a business association which has been approved by a data protection authority to demonstrate compliance with the GDPR. In particular, such codes of conduct could calibrate the obligations of controllers and processors, taking into account the risk likely to result from the processing for the rights and freedoms of natural persons. A Codes of conduct may be given EU-wide validity through an implementing act of the Commission.
The controller and the processor may adhere to a certification mechanism operated by one of the certification bodies that have received accreditation from a DPA or a national accreditation body or both, as decided in each Member State law.
Both codes of conduct and certification are optional instruments and therefore it is up to the controller and the processor to decide whether to adhere to a given code of conduct or to request certification.
Important! The fact that the controller and the processor possesses a certification does not reduce its duties and responsibilities to comply with all the requirements of the regulation.