Article 42 GDPR
Certification

1. Member States, supervisory authorities, the European Data Protection Board and the Commission shall encourage - particularly at the Union level - the establishment of certification mechanisms and quality marks and labels for the protection of personal data intended to demonstrate compliance with this Regulation of processing operations carried out by controllers and processors. In doing so, the special needs of micro, small and medium-sized enterprises shall be taken into account.

2. Certification mechanisms, as well as data protection quality seals and marks approved pursuant to paragraph 5 of this Article, which apply to controllers or processors subject to this Regulation, may be established to demonstrate appropriate safeguards by controllers or processors who, in accordance with Article 3 are not subject to this Regulation, in the context of transfers of personal data to third countries or international organizations under the conditions set out in Article 46(2)(f). Such controllers or processors shall enter into binding and enforceable commitments—by contract or through other legally binding instruments—to apply those appropriate safeguards, including with respect to the rights of data subjects.

3. Certification is voluntary, and the process for obtaining it must be transparent.

4. The certification provided for in this Article does not affect the obligation of the controller or processor to comply with this Regulation and is without prejudice to the tasks and powers of the supervisory authorities competent under Article 55 or 56.

5. The certification provided for in this Article shall be carried out by the certification bodies referred to in Article 43 or by the competent supervisory authority, on the basis of criteria approved by that authority in accordance with Article 58(3) or by the European Data Protection Board in accordance with Article 63. Where the criteria are approved by the European Data Protection Board, this may result in a joint certification, a European data protection quality seal.

6. A controller or processor that submits its processing activities to a certification mechanism shall provide the certification body referred to in Article 43, or, where applicable, the competent supervisory authority, with all information and access to its processing activities necessary for the certification procedure.

7.

*

Certification of a controller or processor shall be granted for a maximum period of 3 years; certification may be renewed under the same conditions, provided that the relevant criteria continue to be met. Where applicable, the certification bodies referred to in Article 43 or the competent supervisory authority shall withdraw certification if the criteria for certification are not met or are no longer met.

8. The European Data Protection Board collects all certification mechanisms and quality marks and designations in the field of data protection in a registry and makes them available to the public through appropriate means.