The General Data Protection Regulation (Regulation (EU) 2016/679, GDPR), which comes into effect on 25 May 2018, provides for voluntary certification mechanisms. Article 43(1) of the GDPR requires Member States to ensure that certification bodies issuing certification under Article 42(1) are accredited in due consideration of additional requirements established by the competent supervisory authority. In this context, a Technology Subgroup has been mandated to provide guidelines in relation to accreditation and certification.
This workshop was the occasion for EA to promote the particular value and purpose of accreditation by providing an authoritative statement of the competence of certification bodies.
In parallel, the Tilburg Institute for Law, Technology, and Society (TILT) and TNO are conducting a study for the Directorate-General for Justice and Consumers of the European Commission on the topic of certification mechanisms, seals or marks under Articles 42 and 43 of Regulation (EU) 2016/679.
The study aims to analyse existing certifications and to provide recommendations for requirements for data protection certification mechanisms, accreditation criteria, and technical standards in the field of data protection certification. The output from the study will support the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Articles 42 and 43 of the General Data Protection Regulation (EU) 2016/679.