Certification
Member States, supervisory authorities, the Committee and the Commission shall promote, in particular at Union level, the establishment of data protection certification mechanisms and data protection seals and marks attesting that controllers and processors are acting in accordance with this Regulation when carrying out processing operations. The specific needs of small, medium and micro enterprises will also be taken into account.
In addition to compliance by controllers or processors subject to this Regulation, data protection certification mechanisms, data protection seals or marks approved pursuant to paragraph 5 of this Article may also be introduced to demonstrate, in the context of transfers of personal data to third countries or international organizations under the conditions referred to in point (f) of Article 46(2), that the controllers or processors not subject to this Regulation pursuant to Article 3 provide appropriate safeguards. Those controllers or processors shall, through contractual or other legally binding instruments, make binding and enforceable commitments to apply those appropriate safeguards, including as regards data subjects' rights.
Certification is voluntary and is accessible through a transparent process.
A certification under this Article shall not affect the responsibility of the controller or processor to comply with this Regulation and shall be without prejudice to the duties and powers of the supervisory authorities competent under Article 55 or 56.
A certificate under this Article shall be issued by the certification bodies referred to in Article 43 or by the competent supervisory authority, on the basis of the criteria approved by that competent supervisory authority pursuant to Article 58(3) or by the Committee pursuant to Article 63. If the criteria have been approved by the Committee, this may lead to a common certificate, the European Data Protection Seal.
The controller or processor submitting its processing to the certification mechanism shall provide the certification body referred to in Article 43, or, where applicable, the competent supervisory authority, with the information necessary for carrying out the certification procedure and shall grant the body or authority access to its processing operations.
The certificate shall be issued to a controller or processor for a maximum period of three years and may be renewed under the same conditions, provided that the relevant criteria can continue to be met. Where applicable, the certificate shall be withdrawn by the certification bodies referred to in Article 43 or by the competent supervisory authority when the criteria for certification are not or are no longer met.
The Committee collects all certification mechanisms and data protection seals and marks in a register and makes them publicly available through appropriate channels.