Mishcon de Reya page structure
Site header
Main menu
Main content section

UK GDPR

The UK General Data Protection Regulation

Art. 42 GDPR Certification

  1. The Commissioner shall encourage the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.
  2. In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 5 of this Article may be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation pursuant to Article 3 within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (f) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects.
  3. The certification shall be voluntary and available via a process that is transparent.
  4. A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the Commissioner.
  5. A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 43 or by the Commissioner, on the basis of criteria approved by the Commissioner pursuant to Article 58(3).
  6. The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 43, or where applicable, the Commissioner, with all information and access to its processing activities which are necessary to conduct the certification procedure.
  7. Certification shall be issued to a controller or processor for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant criteria continue to be met. Certification shall be withdrawn, as applicable, by the certification bodies referred to in Article 43 or by the Commissioner where the criteria for the certification are not or are no longer met.
  8. The Commissioner shall collate all certification mechanisms and data protection seals and marks in a register and shall make them publicly available by any appropriate means.

Corresponding Recitals

In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms and data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services.

View Recital