Certification and certification bodies under GDPR

Art. 42 of the GDPR states that the member states, the supervisory authorities, the Board and the Commission must encourage the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with the Regulation of processing operations by controllers and processors. This article specifically mentions micro, small and medium-sized enterprises and asks that their particular needs be taken into account.

The certification must be voluntary and available via a process that is transparent. A certificate pursuant to Art. 42 does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the supervisory authorities which are competent pursuant to Art. 55 or 56. A certification is issued by the competent supervisory authority on the basis of criteria approved by that supervisory authority or by the Board; where the criteria are approved by the Board, the result may be a common certification, i.e. the European Data Protection Seal.

The controller or processor that submits its processing to the certification mechanism shall provide the certification body with all information and access to its processing activities which are necessary to conduct the certification procedure.

Article 42 further states that the certification shall be issued to a controller or processor for a maximum period of 3 years and may be renewed under the same conditions, provided that the relevant criteria continue to be met. Certification must be withdrawn, as applicable, by the certification bodies referred to under Art. 43 or by the competent supervisory authority where the criteria for the certification are not, or are no longer, met. The Board shall collate all certification mechanisms and data protection seals and marks in a register and must make them available by any appropriate means.

Certification Bodies:

Art. 43 of the GDPR deals with the certification bodies, which must have an appropriate level of expertise in relation to data protection and which issue and renew certifications. The member states are obliged to ensure that these certification bodies are accredited by one or both of the following:

  1. The supervisory authority which is competent pursuant to Art. 55 or 56;
  2. The national accreditation body named in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council.

Certification bodies may be accredited only where they have demonstrated their independence and expertise in relation to the subject matter of the certification to the satisfaction of the competent supervisory authority; for the further accreditation criteria, please refer to Art. 43(2) of the GDPR.

Picture credit: https://www.researchgate.net/