Article 43 GDPR
Certification body

P: 77, 81, 100, 108 | W13, W22

1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, a certification body that has an appropriate level of expertise in the field of data protection shall issue and renew certification after informing the supervisory authority, so as to enable it, where necessary, to exercise its powers under Article 58(2)(h). Member States shall ensure that such certification bodies are accredited by one or both of the following:
(a) the supervisory authority competent pursuant to Article 55 or 56;
(b) the national accreditation body named in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council*, in accordance with EN-ISO/IEC 17065/2012 and with the additional requirements established by the supervisory authority competent pursuant to Article 55 or 56.
2. The certification bodies referred to in paragraph 1 shall be accredited in accordance with that paragraph only where they have:
(a) demonstrated their independence and expertise in relation to the subject matter of the certification to the satisfaction of the competent supervisory authority;
(b) undertaken to respect the criteria referred to in Article 42(5) and approved by the supervisory authority competent pursuant to Article 55 or 56 or by the European Data Protection Board pursuant to Article 63;
(c) established procedures for the issuing, periodic review and withdrawal of certifications, seals and data protection marks;
(d) established procedures and structures to handle complaints about infringements of the certification or about the manner in which the certification has been, or is being, implemented by the controller or processor, and to make those procedures and structures transparent to data subjects and the public; and
(e) demonstrated, to the satisfaction of the competent supervisory authority, that their tasks and duties do not result in a conflict of interests.
3. The accreditation of certification bodies referred to in paragraphs 1 and 2 of this Article shall take place on the basis of requirements approved by the supervisory authority competent pursuant to Article 55 or 56 or by the European Data Protection Board pursuant to Article 63. In the case of accreditation pursuant to paragraph 1(b) of this Article, those requirements shall complement the requirements laid down in Regulation (EC) No 765/2008 and the technical rules that describe the methods and procedures of the certification bodies.**
4. The certification bodies referred to in paragraph 1 shall be responsible for the proper assessment leading to the granting of certification or to its withdrawal, without prejudice to the responsibility of the controller or processor for compliance with this Regulation. Accreditation shall be issued for a maximum period of five years and may be renewed on the same conditions, provided that the certification body continues to meet the requirements set out in this Article.
5. The certification bodies referred to in paragraph 1 shall provide the competent supervisory authority with the reasons for granting or withdrawing the requested certification.
6. The supervisory authority shall make the requirements referred to in paragraph 3 of this Article and the criteria referred to in Article 42(5) public in an easily accessible form. The supervisory authorities shall also transmit those requirements and criteria to the European Data Protection Board.***
7. Without prejudice to Chapter VIII, the competent supervisory authority or the national accreditation body shall revoke the accreditation of a certification body granted pursuant to paragraph 1 of this Article where the conditions for accreditation are not, or are no longer, met, or where actions taken by the certification body infringe this Regulation.
8. The Commission is empowered to adopt delegated acts in accordance with Article 92 to specify the requirements to be taken into account in relation to the data protection certification mechanisms referred to in Article 42(1).
9. The Commission may adopt implementing acts laying down technical standards for certification mechanisms and data protection seals and marks, and mechanisms to promote and recognise those certification mechanisms, seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

*Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93 (OJ L 218, 13.8.2008, p. 30).

**Article 43(3) as amended by the corrigendum of 23 May 2018 (OJ L 127, 23.5.2018, p. 2), which enters into force on 23 May 2018.

***Article 43(6) as amended by the corrigendum of 23 May 2018 (OJ L 127, 23.5.2018, p. 2), which enters into force on 23 May 2018.
