Better Regulation logo
Table of Contents

Table of Contents

Expand all headings Collapse all headings Expand side bar Collapse side bar
Page Overview
Related
Document Overview
Tools
Set a date to view the document
Text comparison options
Full text - Date 1 vs Date 2
Amendments requiring commencement - Current text vs Text requiring commencement
Draft proposed changes - Current text vs Text proposed by drafting documents
Recently generated comparisons
Draft proposed changes: Regulation 2016/679/EU - General Data Protection Regulation (GDPR)
Draft proposed changes: Regulation 2016/679/EU - General Data Protection Regulation (GDPR)
Draft proposed changes: Regulation 2016/679/EU - General Data Protection Regulation (GDPR)
Draft proposed changes: Regulation 2016/679/EU - General Data Protection Regulation (GDPR)
Draft proposed changes: Regulation 2016/679/EU - General Data Protection Regulation (GDPR)
Print / Export options
Current page
Whole document
Selected pages
Consolidated PDF of the entire document as of 17th June 2026
Export
Export line by line
Export provision to provision
Report template
Create report template
Alert me to changes
Manage alerts
Bookmarks
This page
This document
Manage bookmarks
Search within this document
View previous searches
Share
Get page link
Share via email application

AI Summary of Article 42 Certification

Member States, supervisory authorities, the Board and the Commission shall encourage at Union level the establishment of data protection certification mechanisms and of data protection seals and marks to demonstrate compliance by controllers and processors with this Regulation, with specific needs of micro, small and medium-sized enterprises to be taken into account. Certification may also be established for controllers or processors not subject to the Regulation to demonstrate appropriate safeguards for personal data transfers to third countries or international organisations under Article 46(2)(f), provided they make binding and enforceable commitments, including in respect of the rights of data subjects.

Certification is voluntary, transparent and does not reduce the responsibility of controllers or processors nor affect the tasks and powers of supervisory authorities under Articles 55 and 56. Certifications are issued by the Article 43 certification bodies or by the competent supervisory authority against criteria approved under Article 58(3) or by the Board under Article 63; Board approval may produce a common European Data Protection Seal. Controllers and processors must supply necessary information and access. Certifications last up to three years, may be renewed, can be withdrawn if criteria are not met, and the Board will register and publish all mechanisms, seals and marks.

PreviousNext
Version status: Applicable | Document consolidation status: Updated to reflect all known changes
Version date: 25 May 2018 - onwards
Version 4 of 4

Article 42 Certification

DRAFT Sub paragraph replaced Article 1 Amendments to Regulation (EU) 2016/679 of the Proposal for a Regulation of the European Parliament and of the Council amending Regulations (EU) 2016/679, (EU) 2016/1036, (EU) 2016/1037, (EU) 2017/1129, (EU) 2023/1542 and (EU) 2024/573 as regards the extension of certain mitigating measures available for small and medium sized enterprises to small mid-cap enterprises and further simplification measures (COM(2025) 501 final/3 / 2025/0130 (COD)) (updated 3 March 2026 with ***I Report)
View:
Current text Draft text as it may be read Compare current vs draft text Whole document current text vs draft text

1. The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.

2. In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 5 of this Article may be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation pursuant to Article 3 within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (f) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects.

3. The certification shall be voluntary and available via a process that is transparent.

PreviousNext