Controllers and processors may be certified so that they can demonstrate the existence of appropriate safeguards and adherence to data protection legislation. The certificate may be issued by a certification body accredited by the Slovak Data Protection Authority or by the Slovak Data Protection Authority itself (Article 86(1) of the Data Protection Act). Pursuant to Article 86(4) of the Data Protection Act, the certificate is an authentic instrument.

Application for certification

The request for a certificate issued by the Slovak Data Protection Authority shall include, for example, the subject matter of the certificate, the purposes of personal data processing, and the categories of data subjects and personal data (Article 86(6) of the Data Protection Act). The company shall attach various types of documents, including technical documentation and the result of a personal data protection audit not older than 6 months (Article 86(7) of the Data Protection Act).

Renewal of certification

If a controller or a processor with a valid certificate fulfils the certification requirements, the Slovak Data Protection Authority shall renew the certificate for another three years, based on the request of the company (Article 86(16) of the Data Protection Act).

Maintenance of certification

Controllers and processors with a valid certificate are subject to various obligations. For example, they must fulfil all the requirements of the data protection legislation and certification criteria, inform the Slovak Data Protection Authority about any type of changes concerning the certificate, enable the Slovak Data Protection Authority to monitor the company’s compliance, and archive any relevant documents (Article 86(18) of the Data Protection Act).