What GDPR Tells about Certification

18 pages. Posted: 14 Apr 2020. Last revised: 4 May 2020

Eric Lachaud

Tilburg University - LTMS, home of Tilt and Tilec

Date Written: March 19, 2020


The EU lawmaker has introduced several certification models in the GDPR. A first model entitles accredited private certification bodies to design and manage certification schemes under the close monitoring of the supervisory authorities. Another model gives the supervisory authorities the opportunity to design and manage their own schemes. But the EU lawmaker has also left the door open to the establishment of schemes at the margin of the data protection framework. Nothing in the GDPR prohibits the creation of certification schemes outside the Articles 42/43 regime. The diversity of arrangements shows that certification is a flexible system capable of adapting to many different situations and environments. It is also a free market that proves to be difficult, if not impossible, to monitor entirely. These basic features challenge the original attempt of the EU lawmaker to monitor the design and management of certification schemes in the GDPR. Moreover, the GDPR also says that the definition of certification suggested by the European Data Protection Board (EDPB) does not fully map this notion as designed in the GDPR. The data protection regulation offers a much more accurate picture of certification than the one proposed by the EDPB. The GDPR shows that the nature of certification is basically contextual. It depends on the arrangement of the scheme and the purposes for which this instrument is used. The analysis of the monitoring process of the code of conduct set in Article 41 GDPR helps to define certification. It shows that it is neither the attestation of conformity nor the conformity assessment that best defines certification. The very nature of certification lies in its nature as an ex ante enforcement instrument.

Keywords: Certification, GDPR, Article 42, Self-regulation, Co-regulation

Suggested Citation

Lachaud, Eric, What GDPR Tells about Certification (March 19, 2020). Available at SSRN: https://ssrn.com/abstract=3557167 or http://dx.doi.org/10.2139/ssrn.3557167
