Art. 43 GDPR
Certification bodies

1. Without prejudice to the tasks and powers of the Commissioner under Articles 57 and 58, certification bodies which have an appropriate level of expertise in relation to data protection shall, after informing the Commissioner in order to allow it to exercise its powers pursuant to point (h) of Article 58(2) where necessary, issue and renew certification. In accordance with section 17 of the 2018 Act, those certification bodies may only be accredited by one or both of the following:

(a) the Commissioner;

(b) the UK national accreditation body named in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council (1) in accordance with EN-ISO/IEC 17065/2012 and with the additional requirements established by the Commissioner.

2. Certification bodies referred to in paragraph 1 shall be accredited in accordance with that paragraph only where they have:

(a) demonstrated their independence and expertise in relation to the subject-matter of the certification to the satisfaction of the Commissioner;

(b) undertaken to respect the criteria referred to in Article 42(5) and approved by the Commissioner;

(c) established procedures for the issuing, periodic review and withdrawal of data protection certification, seals and marks;

(d) established procedures and structures to handle complaints about infringements of the certification or the manner in which the certification has been, or is being, implemented by the controller or processor, and to make those procedures and structures transparent to data subjects and the public; and

(e) demonstrated, to the satisfaction of the Commissioner, that their tasks and duties do not result in a conflict of interests.

3. The accreditation of certification bodies as referred to in paragraphs 1 and 2 of this Article shall take place on the basis of requirements approved by the Commissioner. In the case of accreditation pursuant to point (b) of paragraph 1 of this Article, those requirements shall complement those envisaged in Regulation (EC) No 765/2008 and the technical rules that describe the methods and procedures of the certification bodies.

4. The certification bodies referred to in paragraph 1 shall be responsible for the proper assessment leading to the certification or the withdrawal of such certification without prejudice to the responsibility of the controller or processor for compliance with this Regulation. The accreditation shall be issued for a maximum period of five years and may be renewed on the same conditions provided that the certification body meets the requirements set out in this Article.

5. The certification bodies referred to in paragraph 1 shall provide the Commissioner with the reasons for granting or withdrawing the requested certification.

6. The requirements referred to in paragraph 3 of this Article and the criteria referred to in Article 42(5) shall be made public by the Commissioner in an easily accessible form.

7. Without prejudice to Chapter VIII, the Commissioner or the UK national accreditation body shall revoke an accreditation of a certification body pursuant to paragraph 1 of this Article where the conditions for the accreditation are not, or are no longer, met or where actions taken by a certification body infringe this Regulation.

8. […]

9. […]

Further Information

This version of the UK GDPR is offered purely as what we hope will be a helpful resource. It does not have the status of law, and should not be relied on as such. Nor do we guarantee it is free from errors. It was originally prepared using a Keeling Schedule made available by the UK Government. Since then, a consolidated version has also been made available on the legislation.gov.uk pages.
By virtue of section 3 of the European Union (Withdrawal Act) 2018, the GDPR (Regulation (EU) 2016/679) was retained in United Kingdom law as "direct EU legislation". However, the effect of the Data Protection, Privacy and Electronic Communications (Amendments Etc.) (EU Exit) Regulations 2019, as amended by the Data Protection, Privacy and Electronic Communications (Amendments Etc.) (EU Exit) Regulations 2020, was, from 1 January 2021, immediately to make changes to the retained GDPR, and to refer to it as the "UK GDPR". These pages reflect those changes.

This resource includes links to the GDPR recitals. The explanatory notes to the European Union (Withdrawal Act) 2018 confirm that where legislation is converted under section 3, it is the text of the legislation itself which will form part of domestic legislation, and this will include the full text of any EU instrument (including its recitals). Accordingly, recitals will continue to be interpreted as they were prior to the UK’s exit from the EU. They will, as before, be capable of casting light on the interpretation to be given to a legal rule, but they will not themselves have the status of a legal rule. However, it stands to reason that – as the recitals themselves have not been amended – they will in places contain language and references to EU bodies and rules which no longer apply to the UK.

In this resource we link Articles of the UK GDPR to the corresponding recitals. In deciding which recitals correspond to which Articles of UK GDPR, we have drawn on the working document of the EU GDPR which the Information Commissioner had previously published in 2017.

Downloads

Working document of the EU GDPR published 2017 and archived on the National Archives website