Article 42 of GDPR: Certification
Article 42 of GDPR is intended to encourage the European Union member countries, the supervisory authorities, the European Union Data Protection Board and Commission to encourage certification mechanisms so companies can demonstrate their compliance with the GDPR obligations.
Certification to demonstrate compliance (Article 42(1) GDPR)
Taking into consideration the specific needs of micro, small and medium-sized organizations, the GDPR regulation encourages the European Union member countries, the supervisory authorities, the European Union Data Protection Board and Commission to implement certification mechanisms so companies can demonstrate their compliance with GDPR.
Certification of companies not subject to GDPR (Artice 42(2) GDPR)
GDPR allows that certification mechanisms be offered to foreign organizations who are not subject to the GDPR regulation pursuant to Article 3 of GDPR to demonstrate that they have implemented appropriate safeguards and measures to protect personal data.
The certification process will result in the foreign company to make binding and enforceable commitments to apply appropriate safeguards as required by the certification regime and have regard to the data subject rights.
Certification is voluntary (Article 42(3) GDPR)
The certification process is a voluntary process and should be made available in a transparent way.
Compliance with GDPR (Article 42(4) GDPR)
Whether a company is certified or not, the obligations of data controllers and data processors under GDPR remain unaffected.
In addition, the powers given to the supervisory authorities remain unaffected as well.
Certification issuance (Artice 42(5) GDPR)
The certification mechanism provided under Article 42 of GDPR will be issued by the certification bodies authorized to do so, the competent supervisory authority or the European Union Data Protection Board.
When certification criteria are approved by the board, a common certification can be given, the European Union Protection Seal.
Certification process (Article 42(6) GDPR)
When a company intends to obtain a certification, it must submit to either the certification body or the supervisory authority, as the case may be, with all the relevant information concerning its data processing activities.
To be certified, the certification body will need to have a good understanding of a company’s data processing activities.
Certification period (Article 42(7) GDPR)
When a company is certified, the certification can be given for a period of up to 3 years.
At the end of the 3 years, the certification can be renewed under the same conditions so long as the company continues to meet the certification criteria.
A company’s certification can be withdrawn at any moment when it no longer meets the certification criteria.
Certification registry (Article 42(8) GDPR)
The EU Data Protection Board is tasked with the duty to maintain a public registry of the certifications, seals and marks issued so the information is available publicly.
Recitals applicable to Article 42 of GDPR
Relevant Recitals: 100
GDPR Regulation article-by-article overview
Read our comprehensive overview of the GDPR Regulation, article by article, where we summarize each of the 99 articles contained in GDPR to give you a complete understanding of its content.
Cited Legislation in Article 42 or relevant recitals
GDPR Text: Article 42 of GDPR and Relevant Recitals
GDPR Text Source: EUR-Lex
Official GDPR Text: General Data Protection Regulation
Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJL 127, 23.5.2018, p. 2 ((EU) 2016/679)