Certification – Accreditation

Certification: characteristics, use

Establishing data protection certification mechanisms and data protection seals and marks is provided for in Article 42 GDPR for the purpose of demonstrating:

  • compliance with the GDPR of processing operations by controllers and processors subject to it (Article 42(1)),
  • provision of appropriate safeguards within the framework of personal data transfers to third countries or international organisations (Article 46(2)(f)) by controllers and processors that are not subject to the GDPR (Article 42(2)).

The certification:

  • is optional, voluntary and available via a transparent process,
  • does not reduce the responsibility of the controller or the processor for compliance with the GDPR,
  • is without prejudice to the tasks and powers of the competent supervisory authorities.

The Hellenic Data Protection Authority (HDPA) encourages its establishment as it enables the enhancement of transparency by allowing data subjects to quickly assess the level of data protection of relevant products and services (Recital 100 GDPR).

In particular, adherence to an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller (Article 24(3) GDPR) or as an element to demonstrate that the processor provides sufficient assurance in accordance with Article 28(1) and (4) (Article 28(5) GDPR). Adherence to an approved certification mechanism may also be used as an element to demonstrate compliance with the requirements set out in paragraph 1 of Article 32 on the security of processing (Article 32(3) GDPR). It is also taken into consideration when deciding whether to impose an administrative fine and deciding on the amount of the administrative fine (Article 83(2)(j) GDPR).


Issuing and withdrawing certification

Certification shall be issued to a controller or processor based on the certification criteria approved by the competent supervisory authority or the European Data Protection Board (EDPB). Where the criteria are approved by the EDPB, this may result in a common certification, the European Data Protection Seal.

Certification shall be issued by certification bodies that have previously been granted relevant accreditation (for more information see the section on accreditation below).

Certification shall be issued for a maximum period of three years (Article 42(7) GDPR) and may be renewed under the same conditions, provided that the relevant criteria continue to be met.

Certification shall be withdrawn where the criteria for the certification are not or are no longer met.


Accreditation of certification bodies: characteristics, use

Certification bodies may issue and renew certification to controllers and processors only where they have previously (a) been accredited as having an appropriate level of expertise in relation to data protection, and (b) informed the competent supervisory authority accordingly.

The accreditation of certification bodies is of particular relevance as it is an official confirmation that the bodies in question have been authorised to that effect, making it possible to generate trust in the certification mechanism. Pursuant to Article 43(1) GDPR, Member States shall ensure that certification bodies are accredited by the competent supervisory authority or the national accreditation body or both of these bodies.

Pursuant to Article 37(1) of Law 4624/2019, in Greece the accreditation of bodies which issue certification under Article 42 of the GDPR shall be carried out by the National Accreditation System (E.SY.D.) in accordance with EN ISO/IEC 17065:2012 and the additional requirements established by the HDPA.


Issuing and revoking accreditation

The accreditation of certification bodies shall take place on the basis of requirements approved by the competent supervisory authority pursuant to Article 55 or 56, or by the EDPB pursuant to Article 63 (Article 43(3) GDPR).


Where accreditation is conducted by the national accreditation body, this shall take place on the basis of EN ISO/IEC 17065/2012 and the additional requirements for accreditation established by the competent supervisory authority.

Accreditation shall be issued for a maximum period of five years and may be renewed on the same conditions provided that the certification body meets the requirements set out in Article 43 (Article 43(4) GDPR). Accreditation is revoked by the competent supervisory authority or the national accreditation body, where the conditions for the accreditation are not, or are no longer, met or where actions taken by the certification body infringe the GDPR.

Pursuant to Article 37(2) of Law 4624/2019, the ESYD shall revoke an accreditation if notified by the Authority that the requirements for accreditation are no longer met or the certification body infringes the GDPR and the provisions of Law 4624/2019.


HDPA’s additional accreditation requirements for certification bodies

The Hellenic Data Protection Authority (HDPA), by Decision 8/2020 (available only in Greek), has decided to set out requirements for the accreditation of certification bodies, in addition to EN ISO/IEC 17065/2012, pursuant to Article 43(1)(b) and (3) GDPR, and Article 37(1) of Law 4624/2019.

The HDPA submitted its draft decision regarding the additional accreditation requirements in question to the European Data Protection Board (EDPB) pursuant to the consistency mechanism referred to in Article 63 GDPR. The EDPB issued, on the basis of Article 64(1) of the GDPR, the Opinion 22/2020 on the HDPA’s draft decision regarding the approval of the accreditation requirements for accreditation of a certification body pursuant to Article 43.3 GDPR.

The HDPA, with its decision 25/2020, decided, in accordance with Article 64(7) of the GDPR, to amend the additional accreditation requirements on the basis of all the recommendations and encouragements included in Opinion 22/2020 of the EDPB, and to communicate these requirements to the EDPB.

The HDPA’s final additional accreditation requirements for the accreditation of certification bodies, contained in the Appendix of its decision 25/2020 as amended according to Opinion 22/2020 of the EDPB, are published on the HDPA’s online portal, pursuant to Articles 43(6) and 57(1)(p) of the GDPR as well as Article 15(10) of Law 4624/2019[1].

Please select the Greek or English version of the HDPA’s additional accreditation requirements for certification bodies in accordance with Article 43(1)(b) and (3) GDPR in conjunction with EN ISO/IEC 17065/2012.


The additional accreditation requirements shall be implemented by the Hellenic Accreditation System (E.SY.D.) in the accreditation process of certification bodies in conjunction with the standard EN ISO/IEC 17065/2012.


Other information

The EDPB has adopted the following:

  • Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679,
  • Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679) and
  • EDPB document on the procedure for the approval of certification criteria by the EDPB resulting in a common certification, the European Data Protection Seal.

[1] According to Article 15(1) of Law 4624/2019, the regulatory acts of the Authority, which shall not be published in the Government Gazette, shall be published on the Authority’s website.