The European Data Protection Board (EDPB) has adopted guidelines in relation to the certification mechanism prescribed under the General Data Protection Regulation 2016/679 (GDPR). The EDPB guidelines are aimed at supervisory authorities and certification bodies and provide helpful insight into the requirements and criteria relevant to all types of certification mechanisms issued under articles 42 and 43 of the GDPR.
The EDPB, supervisory authorities and certification bodies are required to encourage certification mechanisms and data protection seals and marks. Although these terms are not defined under the GDPR, it is clear that they intend to mark the approval of GDPR compliance in relation to specific processing operations carried out by a controller or processor. Once certified, the organisation may display a seal or mark to demonstrate its compliance.
The certification mechanism is recognised as an appropriate safeguard. Restricted transfers can therefore be made to an organisation if that organisation has received a certification, providing the organisation makes binding and enforceable commitments to apply the appropriate safeguards. The EDPB plans to issue further guidance on these required commitments.
The EDPB guidelines
The guidelines seek to achieve a harmonised approach to certification across the European Union by offering advice on interpreting the GDPR’s provisions. The EDPB states that the primary aim of the guidelines is to “identify overarching requirements and criteria that may be relevant to all types of certification mechanisms”.
The guidelines cover the role of the supervisory authorities, the role of a certification body and certification criteria.
Certification criteria are an important part of any certification mechanism. The GDPR requires approval of certification criteria by the competent supervisory authority or the EDPB (both approval routes are discussed in the guidelines). The criteria will set out how an assessment will take place, who will conduct the assessment and the granularity of the assessment.
Certification criteria should be clear and comprehensible and should allow for practical application. They should consider the following:
- the lawfulness of processing
- the principles of data processing
- individuals’ rights
- the obligation to notify the relevant supervisory authority and the affected individuals in the event of a personal data breach
- the obligation of data protection by design and by default
- whether a data protection impact assessment has been conducted, if applicable
- the technical and organisational measures that have been put in place.
What can be certified under the GDPR?
The EDPB provides a broad scope of what can be certified under the GDPR, providing that the certification demonstrates that processing operations by controllers and processors comply with the GDPR. When assessing the processing operation, the following three “core components” must be considered:
- the personal data in scope
- the technical systems used to process the personal data
- processes and procedures related to the processing operation.
Certification can apply to general processing operations or be specific to certain operations. A controller or processor is therefore required to make it clear which specific operations have received the stamp of approval.
The EDPB guidelines reinforce that certification mechanisms can improve transparency for individuals by allowing them to assess the level of data protection in connection with certain products and services. They also improve transparency between businesses (such as between controllers and processors).
Although the guidelines are primarily aimed at supervisory authorities and certification bodies, they provide useful insight for controllers and processors into the components of the certification criteria – particularly if the controller or processor is considering certification as a route to demonstrating compliance for a processing operation.