§ GDPR · Article 43
GDPR Article 43: Obligations, Deadlines & Penalties
At a glance
Article 43 of the GDPR imposes 15 obligations on Board, Commission, Member States and 2 other entity type(s).
§ Obligations
All obligations under Article 43
Obligation 1
Certification bodies must inform the supervisory authority before issuing or renewing certification to allow it to exercise its powers.
Regulation (EU) 2016/679, Article 43, Article 43
- Obligated entity
-
certification body
- Action required
-
notify
- Deadline
-
—
- Penalty
-
—
Obligation 2
Member States must ensure that certification bodies are accredited by the competent supervisory authority or the national accreditation body.
Regulation (EU) 2016/679, Article 43, Article 43
- Obligated entity
-
Member States
- Action required
-
ensure
- Deadline
-
—
- Penalty
-
—
Obligation 3
Certification bodies must demonstrate their independence and expertise in relation to the subject-matter of the certification to the satisfaction of the competent supervisory authority.
Regulation (EU) 2016/679, Article 43, Article 43
- Obligated entity
-
certification body
- Action required
-
demonstrate
- Deadline
-
—
- Penalty
-
—
Obligation 4
Certification bodies must undertake to respect the criteria referred to in Article 42(5) and approved by the supervisory authority or the Board.
Regulation (EU) 2016/679, Article 43, Article 43
- Obligated entity
-
certification body
- Action required
-
undertake
- Deadline
-
—
- Penalty
-
—
Obligation 5
Certification bodies must establish procedures for the issuing, periodic review and withdrawal of data protection certification, seals and marks.
Regulation (EU) 2016/679, Article 43, Article 43
- Obligated entity
-
certification body
- Action required
-
establish
- Deadline
-
—
- Penalty
-
—
Obligation 6
Certification bodies must establish procedures and structures to handle complaints about infringements of the certification and make those procedures transparent to data subjects and the public.
Regulation (EU) 2016/679, Article 43, Article 43
- Obligated entity
-
certification body
- Action required
-
establish
- Deadline
-
—
- Penalty
-
—
Obligation 7
Certification bodies must demonstrate to the satisfaction of the competent supervisory authority that their tasks and duties do not result in a conflict of interests.
Regulation (EU) 2016/679, Article 43, Article 43
- Obligated entity
-
certification body
- Action required
-
demonstrate
- Deadline
-
—
- Penalty
-
—
Obligation 8
Certification bodies must be responsible for the proper assessment leading to the certification or the withdrawal of such certification.
Regulation (EU) 2016/679, Article 43, Article 43
- Obligated entity
-
certification body
- Action required
-
assess
- Deadline
-
—
- Penalty
-
—
Obligation 9
Certification bodies must provide the competent supervisory authorities with the reasons for granting or withdrawing the requested certification.
Regulation (EU) 2016/679, Article 43, Article 43
- Obligated entity
-
certification body
- Action required
-
provide
- Deadline
-
—
- Penalty
-
—
Obligation 10
The supervisory authority must make the requirements and criteria for accreditation and certification public in an easily accessible form.
Regulation (EU) 2016/679, Article 43, Article 43
- Obligated entity
-
supervisory authority
- Action required
-
publish
- Deadline
-
—
- Penalty
-
—
Obligation 11
The supervisory authorities must transmit the requirements and criteria to the Board.
Regulation (EU) 2016/679, Article 43, Article 43
- Obligated entity
-
supervisory authority
- Action required
-
transmit
- Deadline
-
—
- Penalty
-
—
Obligation 12
The Board must collate all certification mechanisms and data protection seals in a register and make them publicly available.
Regulation (EU) 2016/679, Article 43, Article 43
- Obligated entity
-
Board
- Action required
-
register
- Deadline
-
—
- Penalty
-
—
Obligation 13
The competent supervisory authority or the national accreditation body must revoke an accreditation of a certification body where the conditions for the accreditation are not met or where actions infringe the Regulation.
Regulation (EU) 2016/679, Article 43, Article 43
- Obligated entity
-
supervisory authority
- Action required
-
revoke
- Deadline
-
—
- Penalty
-
—
Obligation 14
The Commission must adopt delegated acts specifying the requirements to be taken into account for the data protection certification mechanisms.
Regulation (EU) 2016/679, Article 43, Article 43
- Obligated entity
-
Commission
- Action required
-
adopt
- Deadline
-
—
- Penalty
-
—
Obligation 15
The Commission may adopt implementing acts laying down technical standards for certification mechanisms and data protection seals and marks.
Regulation (EU) 2016/679, Article 43, Article 43
- Obligated entity
-
Commission
- Action required
-
adopt
- Deadline
-
—
- Penalty
-
—
§ Frequently asked
Questions about Article 43
Who must comply with Article 43 of the GDPR?
+
Board, Commission, Member States, certification body, supervisory authority.
What does Article 43 of the GDPR require?
+
notify ensure demonstrate