What GDPR Tells on Certification

Abstract

The EU lawmaker has introduced several certification models in the GDPR. A first model entitles accredited private certification bodies to design and manage certification schemes under the close monitoring of the supervisory authorities. Another model gives to the supervisory authorities the opportunity to design and manage their own schemes. But the EU lawmaker has also left the door open to the establishment of schemes at the margin of the data protection framework. Nothing in the GDPR prohibits to create certification schemes outside Articles 42/43 regime. The diversity of arrangements shows that certification is a flexible system capable to adapt to many different situations and environments. This is also a free market that proves to be difficult, if not impossible, to entirely monitor. These basic features challenge the original attempt of the EU lawmaker to monitor the design and management of certification schemes in the GDPR. Moreover, the GDPR also says that the definition of certification suggested by the European Data Protection Board (EDPB) does not fully map this notion as designed in the GDPR. The data protection regulation offers a much more accurate picture of certification than the one proposed by the EDPB. The GDPR shows that the nature of certification is basically contextual. It depends on the arrangement of the scheme and the purposes for which this instrument is used. The analysis of the monitoring process of the code of conduct set in Article 41 GDPR helps to define certification. It shows this is neither the attestation of conformity nor the conformity assessment that best defines certification. The very nature of certification lies in its nature of ex ante enforcement instrument.