Rina Steenkamp - Privacy and technology
Chapter IV Controller and processor
Section 5 Codes of conduct and certification
1. (deleted)
1a. Any controller or processor may request any supervisory authority in the Union, for a reasonable fee taking into account the administrative costs, to certify that the processing of personal data is performed in compliance with this Regulation, in particular with the principles set out in Article 5, 23 and 30, the obligations of the controller and the processor, and the data subject’s rights.
1b. The certification shall be voluntary, affordable, and available via a process that is transparent and not unduly burdensome.
1c. The supervisory authorities and the European Data Protection Board shall cooperate under the consistency mechanism pursuant to Article 57 to guarantee a harmonised data protection certification mechanism including harmonised fees within the Union.
1d. During the certification procedure, the supervisory authority may accredit specialised third party auditors to carry out the auditing of the controller or the processor on their behalf. Third party auditors shall have sufficiently qualified staff, be impartial and free from any conflict of interests regarding their duties. Supervisory authorities shall revoke accreditation, if there are reasons to believe that the auditor does not fulfil its duties correctly. The final certification shall be provided by the supervisory authority.
1e. Supervisory authorities shall grant controllers and processors, who pursuant to the auditing have been certified that they process personal data in compliance with this Regulation, the standardised data protection mark named "European Data Protection Seal".
1f. The "European Data Protection Seal" shall be valid for as long as the data processing operations of the certified controller or processor continue to fully comply with this Regulation.
1g. Notwithstanding paragraph 1f, the certification shall be valid for maximum five years.
1h. The European Data Protection Board shall establish a public electronic register in which all valid and invalid certificates which have been issued in the Member States can be viewed by the public.
2. (deleted)
2a. The European Data Protection Board may on its own initiative certify that a data protection-enhancing technical standard is compliant with this Regulation.
3. The Commission shall be empowered to adopt, after requesting an opinion of the European Data Protection Board and consulting with stakeholders, in particular industry and non-governmental organisations, delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the data protection certification mechanisms referred to in paragraph 1-1h, including requirements for accreditation of auditors, conditions for granting and withdrawal, and requirements for recognition within the Union and in third countries. These delegated acts shall confer enforceable rights on data subjects.
[Source: October 2013]
(77) In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms, data protection seals and standardised marks should be encouraged, allowing data subjects to quickly, reliably and verifiably assess the level of data protection of relevant products and services. A "European Data Protection Seal" should be established on the European level to create trust among data subjects, legal certainty for controllers, and at the same time export European data protection standards by allowing non-European companies to more easily enter European markets by being certified.
[Source: October 2013 | Notes: Recitals | Context: Recitals]
Article 39 introduces the possibility to establish certification mechanisms and data protection seals and marks.
[Source: January 2012 | Context: Proposal from the European Commission]
1. The Member States and the Commission shall encourage, in particular at European level, the establishment of data protection certification mechanisms and of data protection seals and marks, allowing data subjects to quickly assess the level of data protection provided by controllers and processors. The data protection certifications mechanisms shall contribute to the proper application of this Regulation, taking account of the specific features of the various sectors and different processing operations.
2. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the data protection certification mechanisms referred to in paragraph 1, including conditions for granting and withdrawal, and requirements for recognition within the Union and in third countries.
3. The Commission may lay down technical standards for certification mechanisms and data protection seals and marks and mechanisms to promote and recognize certification mechanisms and data protection seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).
[Source: January 2012 | Context: Proposal from the European Commission]
(77) In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms, data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services.
[Source: January 2012 | Notes: Recitals | Context: Proposal from the European Commission, Recitals]