Article 42 intends for certification mechanisms to be established for the purpose of demonstrating compliance with the Regulation for processing operations carried out by administrators (controllers) and processors of personal data.
Certification is voluntary and is conducted through a transparent process. Certification itself and the certification procedures under Article 42 do not reduce the responsibility of the controller or the processor for compliance with the Regulation and are without prejudice to the tasks and powers of the supervisory authorities.
GDPR does not itself define the meaning of certification. It is accepted practice to use the general definition provided by the International Organization for Standardization (ISO): “the provision by an independent body of a written assurance that the product, service or system in question meets specific requirements”.
GDPR establishes the contexts in which an approved certification mechanism can be used as evidence of compliance with the specific obligations of administrators and DPOs with regard to:
the application and demonstration of appropriate technical and organizational measures as provided in Article 24, paragraphs 1 and 3, Article 25, and Article 32, paragraphs 1 and 3;
the sufficient guarantees provided in Article 42, paragraph 1 and Article 28, paragraph 5 (subcontractor of the DPO).
Since certification by itself does not prove compliance with the Regulation, but rather forms one part of the evidence offered to assure compliance, certification should be drawn up in a transparent way. Demonstrating compliance with the requirements calls for supporting documentation, specifically reports that do not merely restate the criteria but describe how the criteria on which the certification was granted were applied. This includes an outline of each individual decision to grant, renew or revoke a certification. The motives, arguments and evidence that led to the application of the criteria should also be presented, together with the conclusions and the decisions taken.
GDPR does not separately define certification mechanisms, seals and marks, and uses the terms collectively. Certification is a declaration of compliance. Seals and marks may be used to mark a successfully completed certification procedure. A seal or mark is often a symbol or logo whose presence shows that the object of certification has been evaluated in a transparent way and meets certain criteria, such as norms, standards or technical specifications. Certification in accordance with GDPR can only be issued after an independent evaluation of the evidence by an accredited certification body, in which it is stated that the certification criteria have been met.
Certification under GDPR remains voluntary. Article 42, paragraph 5 intends for certification to be issued by an accredited certification body or by the competent supervisory authority, and GDPR allows for a number of different models. For example, the supervisory authority could decide on one or more of the following:
• issue certification itself, in respect of its own certification scheme;
• issue certification itself, in respect of its own certification scheme, but delegate whole or part of the assessment process to third parties;
• create its own certification scheme, and entrust certification bodies with the certification procedure which issue the certification;
• encourage the market to develop certification mechanisms.
The role of the certification body is to issue, review, renew and revoke certifications on the basis of the certification mechanism and the approved criteria. This requires the certification body, or the holder of the certification scheme, to establish a procedure for monitoring, inspection, review of complaints and withdrawal, to present the objectives of the certification criteria for accreditation, and to establish the rules by which certifications, seals and marks are issued.
Certification mechanisms and certification criteria must exist so that the certification body can obtain accreditation in accordance with Article 43. Although the existence and purpose of the mechanisms largely determine what is required of the certification body, the type and scope of the certification criteria also significantly influence the process, and vice versa. Specific criteria could, for example, require specific evaluation methods. Those procedures are mandatory for accreditation.
The certification body is required to provide the supervisory authorities with information, specifically about individual certifications, which is necessary for monitoring the application of the certification mechanism.