Certification under Article 42 GDPR
Accredited data protection certificates
Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.
TL;DR
Article 42 GDPR allows accredited bodies to issue certificates for GDPR-compliant processing operations. These are voluntary, but serve as evidence under Article 24(3) and Article 28(5).
What is Certification under Article 42 GDPR?
Recognised certification schemes in DACH 2026:
- European Data Protection Seal (EDPS) — EU-wide
- EuroPriSe — DE/AT
- TÜV Süd data protection certificate
- BfDI accreditation (in preparation 2026)
Practical example
SaaS provider X promotes itself as 'GDPR-certified'. The EDPS certificate confirms that the ROPA obligation is fulfilled, that DPA conformity is given, and that the data subject rights workflow is functional.
Frequently asked questions
Is certification mandatory?
No, certification is voluntary. However, it is an indicator of compliance and a marketing advantage.
What does it cost?
EDPS: EUR 15-50k. TÜV: EUR 8-30k. EuroPriSe: EUR 12-40k.
Validity?
Typically 3 years, with an annual surveillance audit.