§ GDPR · Article 43

GDPR Article 43: Obligations, Deadlines & Penalties

Regulation (EU) 2016/679, Article 43 · All obligations · GDPR
At a glance
Article 43 of the GDPR imposes 15 obligations on Board, Commission, Member States and 2 other entity type(s).
§ Obligations

All obligations under Article 43

Obligation 1
Certification bodies must inform the supervisory authority before issuing or renewing certification to allow it to exercise its powers. Regulation (EU) 2016/679, Article 43, Article 43
Obligated entity
certification body
Action required
notify
Deadline
Penalty
Obligation 2
Member States must ensure that certification bodies are accredited by the competent supervisory authority or the national accreditation body. Regulation (EU) 2016/679, Article 43, Article 43
Obligated entity
Member States
Action required
ensure
Deadline
Penalty
Obligation 3
Certification bodies must demonstrate their independence and expertise in relation to the subject-matter of the certification to the satisfaction of the competent supervisory authority. Regulation (EU) 2016/679, Article 43, Article 43
Obligated entity
certification body
Action required
demonstrate
Deadline
Penalty
Obligation 4
Certification bodies must undertake to respect the criteria referred to in Article 42(5) and approved by the supervisory authority or the Board. Regulation (EU) 2016/679, Article 43, Article 43
Obligated entity
certification body
Action required
undertake
Deadline
Penalty
Obligation 5
Certification bodies must establish procedures for the issuing, periodic review and withdrawal of data protection certification, seals and marks. Regulation (EU) 2016/679, Article 43, Article 43
Obligated entity
certification body
Action required
establish
Deadline
Penalty
Obligation 6
Certification bodies must establish procedures and structures to handle complaints about infringements of the certification and make those procedures transparent to data subjects and the public. Regulation (EU) 2016/679, Article 43, Article 43
Obligated entity
certification body
Action required
establish
Deadline
Penalty
Obligation 7
Certification bodies must demonstrate to the satisfaction of the competent supervisory authority that their tasks and duties do not result in a conflict of interests. Regulation (EU) 2016/679, Article 43, Article 43
Obligated entity
certification body
Action required
demonstrate
Deadline
Penalty
Obligation 8
Certification bodies must be responsible for the proper assessment leading to the certification or the withdrawal of such certification. Regulation (EU) 2016/679, Article 43, Article 43
Obligated entity
certification body
Action required
assess
Deadline
Penalty
Obligation 9
Certification bodies must provide the competent supervisory authorities with the reasons for granting or withdrawing the requested certification. Regulation (EU) 2016/679, Article 43, Article 43
Obligated entity
certification body
Action required
provide
Deadline
Penalty
Obligation 10
The supervisory authority must make the requirements and criteria for accreditation and certification public in an easily accessible form. Regulation (EU) 2016/679, Article 43, Article 43
Obligated entity
supervisory authority
Action required
publish
Deadline
Penalty
Obligation 11
The supervisory authorities must transmit the requirements and criteria to the Board. Regulation (EU) 2016/679, Article 43, Article 43
Obligated entity
supervisory authority
Action required
transmit
Deadline
Penalty
Obligation 12
The Board must collate all certification mechanisms and data protection seals in a register and make them publicly available. Regulation (EU) 2016/679, Article 43, Article 43
Obligated entity
Board
Action required
register
Deadline
Penalty
Obligation 13
The competent supervisory authority or the national accreditation body must revoke an accreditation of a certification body where the conditions for the accreditation are not met or where actions infringe the Regulation. Regulation (EU) 2016/679, Article 43, Article 43
Obligated entity
supervisory authority
Action required
revoke
Deadline
Penalty
Obligation 14
The Commission must adopt delegated acts specifying the requirements to be taken into account for the data protection certification mechanisms. Regulation (EU) 2016/679, Article 43, Article 43
Obligated entity
Commission
Action required
adopt
Deadline
Penalty
Obligation 15
The Commission may adopt implementing acts laying down technical standards for certification mechanisms and data protection seals and marks. Regulation (EU) 2016/679, Article 43, Article 43
Obligated entity
Commission
Action required
adopt
Deadline
Penalty
§ Frequently asked

Questions about Article 43

Who must comply with Article 43 of the GDPR? +
Board, Commission, Member States, certification body, supervisory authority.
What does Article 43 of the GDPR require? +
notify ensure demonstrate
Need a cross-border briefing on GDPR Article 43?
Search Fontvera ↵
All EU obligation pages  ·  All GDPR articles