Privacy & Information Security Law Blog

On June 22, 2016, the Bavarian Data Protection Authority (“DPA”) issued a short paper on certifications under Article 42 of the General Data Protection Regulation (“GDPR”). The GDPR will become effective on May 25, 2018.

This paper is part of a series of papers that the Bavarian DPA will be issuing periodically on specific topics of the GDPR to inform the public about what topics are being discussed within the DPA. The DPA emphasizes that these papers are non-binding.

The GDPR allows DPAs to issue data protection certifications to companies. According to the Bavarian DPA, such certifications would allow companies to demonstrate that their data processing activities comply with the requirements of the GDPR; however, certified companies must still comply with the law and can be subject to supervision by DPAs. Nevertheless, the Bavarian DPA states that certification can still be beneficial for companies in the event of a DPA investigation. According to the DPA, it is important that companies applying for certification have a thorough knowledge of their data processing activities and have documented them in a transparent manner. Furthermore, the DPA stated that companies that already have data processing inventories and good data protection management will be able to fulfill the essential requirements for certification.

The DPA emphasized the requirements of the GDPR that a certification should be issued for a maximum period of three years and that certifications can be withdrawn if companies no longer meet the requirements for such certification.

The Bavarian DPA believes that certification under the GDPR has great potential and can provide clarity as to whether data processing operations comply with legal requirements under data protection law. In particular, the DPA thinks that certification could be beneficial for cloud-providers as it would allow customers and individuals to get a better understanding of the level of compliance in relation to specific products. However, this requires that new practical certification processes be developed and existing certification processes be updated accordingly.