The EU draft General Data Protection Regulation (“the Regulation”) includes the concept of certification and the granting of a European Data Protection Seal as a form of trust mark indicating that a data controller in the EU has met a particular standard of compliance.
In the Recitals to the Regulation it is currently stated that “in order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms, data protection seals and standardised marks should be encouraged, allowing data subjects to quickly, reliably and verifiably access the level of data protection of relevant products and services. A ‘European Data Protection Seal’ should be established on the European level to create trust among data subjects, legal certainty for controllers, and at the same time export European data protection standards by allowing non-European companies to more easily enter European markets by being certified.”
As currently drafted, article 39 of the Regulation, under the heading of “Certification,” proposes that any data controller or data processor (as defined in the Regulation) may request any data protection authority in the EU, subject to a reasonable fee, to certify that processing of personal data is performed in accordance with the Regulation. Certification is intended to be voluntary, affordable, and available via a process that is “transparent and not unduly burdensome.”
It is proposed that data protection authorities (in the Regulation called “supervisory authorities”) together with the European Data Protection Board shall co-operate to guarantee a harmonised data protection certification mechanism including harmonised fees across the EU member states.
Article 39 proposes an accreditation framework whereby data protection authorities will accredit specialised third-party auditors to carry out auditing of controllers and processors.
The European Data Protection Seal is intended to be valid for five years for so long as the recipient continues to live up to the standards for which it has been certified.
The Regulation proposes that the European Data Protection Board will keep a public electronic register of all valid and invalid certificates and may also look at developing and promoting data protection-enhancing technical standards.
The concept of certification and seals is not new, and neither are technical standards. What will be interesting for particular sectors, however, is the notion that the European Data Protection Seal can be granted to controllers and processors both within and outside the EU.
Furthermore, the fact that the successful certification of a group of companies can satisfy data transfer obligations means that for some sectors the idea of the Seal may be an alternative to other data sharing or data transfer solutions such as Safe Harbor, Model Clauses, and Binding Corporate Rules.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.