Overview
Executive summary
- Certification is part of Chapter IV of the GDPR on Controller and processor obligations and responsibilities. Articles 42 and 43 provide the aims, safeguards, and roles of actors together with overarching principles for the certification and accreditation processes.
- Subject to certification are one or more processing operations by controllers or processors.
- Although the object of certification is explicitly determined in the GDPR, the subject matter may vary. Art. 42 and 43 do not limit the subject matter to one specific topic; a certification may thus cover a single legal obligation, such as data security, or even the full spectrum of controllers' and processors' GDPR obligations.
- Despite the novelty of the GDPR data protection certification mechanisms, valuable lessons can be learned from an analysis of existing certifications. Existing certifications already have mechanisms in place, namely assessment methodologies, contractual arrangements, and auditors, that can and should be used in establishing the GDPR data protection certification mechanisms.