The Regulation allows Data Controllers and Data Processors to use certification, i.e. services designed to provide reliable evidence of data protection compliance (definition, implementation and review of appropriate measures).
Regarding the Processor, the text provides that the guarantees that the Processor must provide to be appointed as such “may be demonstrated by adherence to codes of conduct or certification mechanism pursuant”.
The legislation does not impose certification duties on Controllers but gives them the right to use such a warranty.
The Regulation also allows the Supervisory Authority to accredit external auditors with specialized skills.
Following certification, the Controller and the Processor will be given a standardized seal of Data Protection (“European Data Protection Seal”).
Certification will become a valid tool only if the rules that the Supervisory Authority establishes are clear, precise and detailed, and also define how to meet the certification requirements.
Certification as a tool, however, could be suitable for simplifying the responsibilities of Controllers regarding the selection of reliable partners.
It is therefore necessary that, with respect to the experience of certification in other areas, the procedures for implementing these services be regulated in a more precise and thorough manner.