Approved certification is an optional tool for formal demonstration of an entity’s compliance with the GDPR (i.e., implementing technical and organizational measures). Certification may also establish the legal basis for controllers outside the EEA who transfer data internationally.

Approval of certification

A certification shall be issued by the certification bodies, the Supervisory Authorities, or by the European Data Protection Board (Art. 63 GDPR). If the Board approves the criteria, this may result in a common certification, the European Data Protection Seal.

To apply for a certification, the controller or processor must provide the certification body with all information and access to its processing activities necessary to carry out the certification procedure. A certification does not reduce the controller’s/processor’s responsibility for compliance with the GDPR and is without prejudice to the tasks and powers of the competent supervisory authorities.

A certification is valid for a maximum of three years and may be renewed if the relevant requirements continue to be fulfilled. The Board must create and publish a register, comprising all the certification mechanisms, data protection seals and marks.

For more information, see the Guidelines on certification and identifying certification criteria, issued by the European Data Protection Board: https://edpb.europa.eu/our-work-tools/public-consultations/2018/guidelines-12018-certification-and-identifying_en