• Media type: E-book
  • Title: Recommendations on European data protection certification
  • Corporate body: European Union, Agency for Network and Information Security (ENISA)
  • Published: Heraklion, Greece: ENISA, November 2017
  • Edition: Version 1.0
  • Extent: 1 online resource (approximately 44 pages); illustrations
  • Language: English
  • DOI: 10.2824/787306
  • ISBN: 9789292042387
  • Identifier:
  • Subject headings: Data protection ; Data security ; Data processing ; Electronic data interchange ; ICT sector ; Telecommunications sector ; EU member states ; data protection ; personal data ; data processing ; protection of privacy ; confidentiality ; information technology ; access to information ; regulation of telecommunications ; directive (EU)
  • Origin:
  • Notes:
  • Description: The General Data Protection Regulation (EU) 679/2016 ('GDPR') will be, as of 25 May 2018, the main data protection legal framework in the EU, directly applicable in all Member States and repealing the Data Protection Directive 95/46/EC. The Regulation harmonizes the legal data protection regime throughout the EU, reinforces several principles and obligations of the Directive, repeals others and adds new provisions, including ones on data protection certification, seals and marks. Data protection certifications, seals and marks have the potential to play a significant role in enabling data controllers to achieve and demonstrate compliance of their processing operations with GDPR provisions. An additional function of certification, in the context of the GDPR, is to enhance transparency, since certifications, seals and marks allow data subjects to "quickly assess the level of data protection of relevant products and services". The objective of this report is to identify and analyse the challenges and opportunities of data protection certification mechanisms, including seals and marks, as introduced by the GDPR, focusing also on existing initiatives and voluntary schemes. Certification, as a conformity assessment activity against specified requirements, is performed and attested by a third party. These requirements are derived from technical standards or legislation, as in the case of certification under the GDPR, where the secondary EU legislation provides the normative framework on which the assessment requirements are based. The outcome of a successful certification process is a certificate (a document) and/or a seal attesting that the applicant organisation meets the requirements (substantive and procedural) specified in the certification scheme and provided in technical standards or legislation. In the near future it is also possible that such requirements, originating from GDPR provisions, will be provided in technical standards. Certification can be mandatory, when an obligation to certify is established in legislation, or voluntary, when no such obligation is legally imposed, as in the case of GDPR certifications, which rely on the decision of a data controller or processor to submit to the certification procedure. Certification under the GDPR is closely linked to the newly introduced principle of accountability; it appears to be limited to substantive requirements related only to GDPR provisions, must concern specific processing operations, and can be pursued only by data controllers or data processors, as they perform the personal data processing
  • Access status: Open access