How to Demonstrate Compliance With GDPR Article 42

Certification

Book a demo

businessman,hands,holding,pen,for,working,in,stacks,of,paper

GDPR Article 42 outlines an organisation’s ability to obtain a level of voluntary certification, related to their data processing operations.

Certification isn’t mandatory, but denotes an organisation’s commitment to improving and promoting their ability to meet various regulatory and legal obligations relating to GDPR.

It’s important to note that certification does not in any way guarantee compliance, or in any way reduce an organisation’s obligation towards the individuals affected by its data processing operation.

GDPR Article 42 Legal Text

EU GDPR Version

Certification

  1. The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.
  2. In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 5 of this Article may be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation pursuant to Article 3 within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (f) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects.
  3. The certification shall be voluntary and available via a process that is transparent.
  4. A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the supervisory authorities which are competent pursuant to Article 55 or 56.
  5. A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 43 or by the competent supervisory authority, on the basis of criteria approved by that competent supervisory authority pursuant to Article 58(3) or by the Board pursuant to Article 63. Where the criteria are approved by the Board, this may result in a common certification, the European Data Protection Seal.
  6. The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 43, or where applicable, the competent supervisory authority, with all information and access to its processing activities which are necessary to conduct the certification procedure.
  7. Certification shall be issued to a controller or processor for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant requirements continue to be met. Certification shall be withdrawn, as applicable, by the certification bodies referred to in Article 43 or by the competent supervisory authority where the requirements for the certification are not or are no longer met.
  8. The Board shall collate all certification mechanisms and data protection seals and marks in a register and shall make them publicly available by any appropriate means.

UK GDPR Version

Certification

  1. The Commissioner shall encourage the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.
  2. In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 5 of this Article may be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation pursuant to Article 3 within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (f) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects.
  3. The certification shall be voluntary and available via a process that is transparent.
  4. A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the Commissioner.
  5. A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 43 or by the Commissioner, on the basis of criteria approved by the Commissioner pursuant to Article 58(3).
  6. The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 43, or where applicable, the Commissioner, with all information and access to its processing activities which are necessary to conduct the certification procedure.
  7. Certification shall be issued to a controller or processor for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant requirements continue to be met. Certification shall be withdrawn, as applicable, by the certification bodies referred to in Article 43 or by the Commissioner, where the requirements for the certification are not or are no longer met.
  8. The Commissioner shall collate all certification mechanisms and data protection seals and marks in a register and shall make them publicly available by any appropriate means.

We’re cost-effective and quick

Discover how that will boost your ROI
Get your quote

Technical Commentary

Certification can be obtained in two ways:

  • A voluntary act that doesn’t reduce compliance obligations.
  • Via a certification body or supervisory authority.

In order for an organisation to obtain certification, they need to be assessed in accordance with various certification criteria, which is approved by an appropriate authority.

All criteria should focus upon the verifiability, significance, and suitability of the organisation’s data processing operation.

Three main elements of an organisation’s data processing should be included in the certification process:

  • The personal data that the organisation processes.
  • Any systems used to process said data.
  • Any procedures related directly to the organisation’s data processing operation.

ISO 27701 Clause 5.2.1 (Understanding the Organization and Its Context) and EU GDPR Article 42

In this section we talk about GDPR Articles 42 (1), 42 (2), 42 (3), 42 (4), 42 (5), 42 (6), 42 (7), 42 (8)

Organisations need to undergo a mapping exercise that lists both internal and external factors relating to the implementation of a PIMS.

The organisation needs to be able to understand how it’s going to achieve its privacy protection outcomes, and any issues that stand in the way of safeguarding PII should be identified and addressed.

Organisations also need to:

  • Review any prevailing privacy laws, regulations or ‘judicial decisions’.
  • Take into account the organisation’s unique set of requirements relating to the kind of products and service they sell, and company-specific governance documents, policies and procedures.
  • Consider administrative factors, including the day-to-day running of the company.
  • Review third-party agreements or service contracts that have the potential to impact upon PII and privacy protection.

Index of Linked EU GDPR Articles and ISO 27701 Clauses

GDPR ArticleISO 27701 ClauseISO 27701 Supporting Clauses
EU GDPR Articles 42 (1) to 42 (8)ISO 27701 5.2.1None

How ISMS.online Help

The ISMS.online platform ensures you can create, communicate, control and collaborate with ease. With ISMS.online your compliance becomes ‘business as usual’ with all your activity creating clear audit trails.

This means you’ll approach every audit with confidence; knowing you’ve removed the risk of error while saving time and reducing cost.

Find out more by booking a short demo.

It helps drive our behaviour in a positive way that works for us
& our culture.

Emmie Cooney
Operations Manager, Amigo

Book your demo

Trusted by companies everywhere
  • Simple and easy to use
  • Designed for ISO 27001 success
  • Saves you time and money
Book your demo
img

Explore ISMS.online's platform with a self-guided tour - Start Now