How to Demonstrate Compliance With GDPR Article 42

Certification


GDPR Article 42 sets out how an organisation can obtain voluntary certification of its data processing operations.

Certification isn’t mandatory, but it denotes an organisation’s commitment to improving and demonstrating its ability to meet the regulatory and legal obligations arising from GDPR.

It’s important to note that certification does not guarantee compliance, nor does it in any way reduce an organisation’s obligations towards the individuals affected by its data processing operations.

GDPR Article 42 Legal Text

EU GDPR Version

Certification

  1. The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.
  2. In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 5 of this Article may be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation pursuant to Article 3 within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (f) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects.
  3. The certification shall be voluntary and available via a process that is transparent.
  4. A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the supervisory authorities which are competent pursuant to Article 55 or 56.
  5. A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 43 or by the competent supervisory authority, on the basis of criteria approved by that competent supervisory authority pursuant to Article 58(3) or by the Board pursuant to Article 63. Where the criteria are approved by the Board, this may result in a common certification, the European Data Protection Seal.
  6. The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 43, or where applicable, the competent supervisory authority, with all information and access to its processing activities which are necessary to conduct the certification procedure.
  7. Certification shall be issued to a controller or processor for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant requirements continue to be met. Certification shall be withdrawn, as applicable, by the certification bodies referred to in Article 43 or by the competent supervisory authority where the requirements for the certification are not or are no longer met.
  8. The Board shall collate all certification mechanisms and data protection seals and marks in a register and shall make them publicly available by any appropriate means.

UK GDPR Version

Certification

  1. The Commissioner shall encourage the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.
  2. In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 5 of this Article may be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation pursuant to Article 3 within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (f) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects.
  3. The certification shall be voluntary and available via a process that is transparent.
  4. A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the Commissioner.
  5. A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 43 or by the Commissioner, on the basis of criteria approved by the Commissioner pursuant to Article 58(3).
  6. The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 43, or where applicable, the Commissioner, with all information and access to its processing activities which are necessary to conduct the certification procedure.
  7. Certification shall be issued to a controller or processor for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant requirements continue to be met. Certification shall be withdrawn, as applicable, by the certification bodies referred to in Article 43 or by the Commissioner, where the requirements for the certification are not or are no longer met.
  8. The Commissioner shall collate all certification mechanisms and data protection seals and marks in a register and shall make them publicly available by any appropriate means.


Technical Commentary

Two points about certification follow from the Article:

  • It is a voluntary act that doesn’t reduce an organisation’s compliance obligations.
  • It is issued either by a certification body or by the supervisory authority.

In order to obtain certification, an organisation must be assessed against certification criteria that have been approved by the appropriate authority.

All criteria should focus on the verifiability, significance and suitability of the organisation’s data processing operations.

Three main elements of an organisation’s data processing should be included in the certification process:

  • The personal data that the organisation processes.
  • Any systems used to process said data.
  • Any procedures related directly to the organisation’s data processing operation.

ISO 27701 Clause 5.2.1 (Understanding the Organization and Its Context) and EU GDPR Article 42

This section covers GDPR Articles 42 (1), 42 (2), 42 (3), 42 (4), 42 (5), 42 (6), 42 (7) and 42 (8).

Organisations need to undergo a mapping exercise that lists both the internal and the external factors relating to the implementation of a privacy information management system (PIMS).

The organisation needs to understand how it is going to achieve its privacy protection outcomes; any issues that stand in the way of safeguarding PII should be identified and addressed.

Organisations also need to:

  • Review any prevailing privacy laws, regulations or ‘judicial decisions’.
  • Take into account the organisation’s unique set of requirements relating to the kinds of products and services it sells, and its company-specific governance documents, policies and procedures.
  • Consider administrative factors, including the day-to-day running of the company.
  • Review third-party agreements or service contracts that have the potential to impact upon PII and privacy protection.

Index of Linked EU GDPR Articles and ISO 27701 Clauses

GDPR Article: EU GDPR Articles 42 (1) to 42 (8)
ISO 27701 Clause: ISO 27701 5.2.1
ISO 27701 Supporting Clauses: None

How ISMS.online Helps

The ISMS.online platform ensures you can create, communicate, control and collaborate with ease. With ISMS.online your compliance becomes ‘business as usual’ with all your activity creating clear audit trails.

This means you’ll approach every audit with confidence, knowing you’ve reduced the risk of error while saving time and reducing cost.

Find out more by booking a short demo.
