European Data Protection Seal: The new European data protection certificate explained

Jan Tissler

The General Data Protection Regulation (GDPR) is complex and not always easy to understand – both for companies and their clients. The European Data Protection Seal, a voluntary certificate, is now intended to provide more clarity.

In 2018, the EU established a standard legislative framework for data protection across the European Union with the General Data Protection Regulation (GDPR). One point of contention is the complexity of the requirements: Many organisations find it difficult to assess whether they are meeting all of the requirements or still need to resolve certain issues. Moreover, it isn't always easy for clients to see whether a company is working in compliance with the GDPR. This is particularly relevant in the B2B sector where companies are required to ensure that service providers also follow the data privacy regulations.

The "European Data Protection Seal", an independent seal of quality, is intended to remedy both aspects.

Background and purpose of the European Data Protection Seal

The seal is a voluntary accreditation that certifies the legally compliant implementation of the GDPR following an independent audit. As such, it is intended to create transparency for clients and a competitive advantage for companies. The seal is awarded by specially accredited certification bodies that work in accordance with the criteria of the European Data Protection Board, the EU’s data protection authority.

Criteria and awarding procedure

In order for companies to receive the European Data Protection Seal, they must fulfil extensive and strict testing criteria. During the procedure, the certifying body examines all internal processes and measures related to the processing of personal data.

The checklist items include the data protection impact assessment, data protection-friendly default settings, and security measures such as encryption and access control. The bodies also evaluate the extent to which data subjects' rights are correctly taken into account, and review contracts with processors. The company must fully comply with all criteria.

The European Data Protection Seal is available for two different use cases:

  1. for data processors who process personal data on behalf of others
  2. for data controllers who directly define the purposes and means of data processing.

Prospects of the European Data Protection Seal

The question remains as to whether the effort required to obtain the seal is actually worth it.

On the plus side, this independently awarded certificate can help foster transparency and trust in the relationship between clients and companies. Consumers and business clients can then rest assured that a given provider's products and services follow a high data protection standard.

For companies, certification offers the opportunity to test and optimise their data protection management and processes. In addition, independent confirmation of GDPR compliance can strengthen a company's reputation and secure competitive advantages.

Compared to purely national seals, the European Data Protection Seal is consistently recognised throughout the EU.

Criticism and challenges

Critically, certification alone does not guarantee continuous compliance. After all, certification evaluates a company's processes at a certain point in time. Following that, the organisation must continue to correctly implement the processes and respond to changes.

Furthermore, the seal, which is relatively unknown today, may be difficult for consumers to grasp. It will play an important role, especially in cases where responsible data processing is an essential decision criterion for or against a company.

Relevance for Switzerland

The European Data Protection Seal can also be interesting for companies in Switzerland. On the one hand, Swiss companies that process EU citizens' personal data are directly obliged to comply with the GDPR. In this case, certification can help to demonstrate compliance.

On the other hand, the revised Swiss Data Protection Act is also strongly oriented towards the GDPR. In most cases, therefore, companies that meet the criteria for the European Data Protection Seal will also amply satisfy the requirements of Swiss data protection law.

Closing words

Only time will tell whether the European Data Protection Seal can ultimately prevail over purely national solutions. The potential of an independent audit and certification is essentially positive. Companies, however, are bound to critically weigh up whether the effort and costs are worthwhile.