Article 43 GDPR (Certification Bodies)

Article 43 of GDPR: Certification Bodies

Article 43 of GDPR deals with the accreditation of certification bodies that wish to be authorized to issue and renew GDPR certifications to organizations.

Certification body accreditation (Article 43(1) GDPR)

A body wishing to become an accredited certification body authorized to issue and renew certifications must demonstrate an appropriate level of expertise in the realm of data protection.

The body must first inform the competent supervisory authority.

Each EU Member State must ensure that certification bodies are accredited by one or both of the following:

  1. Competent supervisory authority (Article 43(1)(a) GDPR)
  2. The national accreditation body named in accordance with Regulation (EC) No 765/2008 (Article 43(1)(b) GDPR)

Certification body accreditation criteria (Article 43(2) GDPR)

To be accredited as a certification body, a body must meet all of the following criteria:

  1. It must be independent and have expertise in the area of data protection (Article 43(2)(a) GDPR)
  2. It must undertake to respect the approved certification criteria (Article 43(2)(b) GDPR)
  3. It must have procedures for issuing, reviewing and withdrawing certifications (Article 43(2)(c) GDPR)
  4. It must have procedures to handle complaints about infringements of the certification, and must make those procedures transparent to data subjects (Article 43(2)(d) GDPR)
  5. It must not be in any conflict of interest (Article 43(2)(e) GDPR)

Certification criteria approval (Article 43(3) GDPR)

The accreditation of certification bodies is based on criteria approved by the supervisory authority or by the EU Data Protection Board, as the case may be.

Where accreditation is carried out by the national accreditation body, the accreditation criteria complement those laid down in Regulation (EC) No 765/2008.

Role of the certification body (Article 43(4) GDPR)

The certification body is responsible for the assessment that leads to granting or withdrawing an organization's certification.

Whether or not a company is certified, its duties and obligations under GDPR remain unaffected.

Certification can be granted for a period of up to 5 years and can be renewed on the same conditions, provided the certification criteria remain satisfied.

Certification body reporting obligation (Article 43(5) GDPR)

When a certification body grants or withdraws a certification, it must provide the competent supervisory authority with the reasons for its decision.

Certification requirements made public (Article 43(6) GDPR)

The certification requirements and criteria must be made public by the supervisory authority.

In addition, the supervisory authority must transmit the certification requirements and criteria to the EU Data Protection Board, which is tasked with keeping a public register that makes them available to the public.

Accreditation revocation (Article 43(7) GDPR)

If at any time a certification body no longer meets the accreditation criteria, or if it infringes GDPR, the supervisory authority will revoke the certification body's accreditation.

Delegated acts of the Commission (Article 43(8) GDPR)

The Commission is empowered to adopt delegated acts specifying what should be taken into consideration for the data protection certification mechanism.

Implementing acts of the Commission (Article 43(9) GDPR)

The Commission can adopt implementing acts to:

  1. Lay down technical standards for the certification mechanism
  2. Establish mechanisms to promote and recognize the certifications

Recitals applicable to Article 43 of GDPR

Relevant Recitals: None

Cited Legislation in Article 43 or relevant recitals

Regulation (EC) No 765/2008

GDPR Text: Article 43 of GDPR and Relevant Recitals

GDPR Text Source: EUR-Lex

Official GDPR Text: General Data Protection Regulation

Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679)