
European Data Protection Seal: The new European data protection certificate explained
The General Data Protection Regulation (GDPR) is complex and not always easy to understand. The European Data Protection Seal is a voluntary certificate designed to provide greater clarity.
Updated on March 10, 2025

The General Data Protection Regulation (GDPR) is complex and not always easy to understand, both for companies and their customers.
The European Data Protection Seal, a voluntary certificate, is now intended to provide more clarity. With the GDPR, the EU created a uniform legal framework for data protection within the Union in 2018. One point of criticism is the complexity of the requirements: many organizations find it difficult to assess whether they are actually meeting all the requirements or where gaps remain. It is also not easy for customers to see whether a company is GDPR-compliant. This is highly relevant in the B2B sector in particular, as companies must ensure that their service providers also comply with data protection rules.
The European Data Protection Seal as an independent seal of quality is now intended to remedy both aspects.
Background and purpose of the European Data Protection Seal
The seal is a voluntary certification that attests to the legally compliant implementation of the GDPR following an independent audit. In this way, it is intended to create transparency for customers and a competitive advantage for companies. The seal is awarded by specially accredited certification bodies. They work on the basis of Europe-wide standardized criteria of the European Data Protection Board, the EU data protection authority.
Criteria and awarding procedure
In order for companies to receive the European Data Protection Seal, they must fulfil extensive and strict testing criteria. During the procedure, the certifying body examines all internal processes and measures related to the processing of personal data.
The checklist items include the data protection impact assessment, data protection-friendly default settings, or security measures such as encryption and access control. The bodies also evaluate the extent to which data subjects' rights are correctly taken into account, and review contracts with processors. The company must fully comply with all criteria.
The European Data Protection Seal is available for two different use cases:
- For data processors, who process personal data on behalf of a controller
- And for data controllers, who themselves determine the purposes and means of data processing.
Prospects of the European Data Protection Seal
The question remains as to whether the effort required to obtain the seal is actually worth it.
On the plus side, this independently awarded certificate can help foster transparency and trust in the relationship between clients and companies. Consumers and business clients can then rest assured that a given provider's products and services follow a high data protection standard.
For companies, certification offers the opportunity to test and optimise their data protection management and processes. In addition, independent confirmation of GDPR compliance can strengthen a company's reputation and secure competitive advantages.
Compared to purely national seals, the European Data Protection Seal is consistently recognised throughout the EU.
Criticism and challenges
Critically, certification alone does not guarantee continuous compliance. After all, certification evaluates a company's processes at a certain point in time. Following that, the organisation must continue to correctly implement the processes and respond to changes.
Furthermore, the seal, which is relatively unknown today, may be difficult for consumers to grasp. It will play an important role, especially in cases when responsible data processing is an essential decision criterion for or against a company.
Relevance for Switzerland
The European Data Protection Seal can also be interesting for companies in Switzerland. On the one hand, Swiss companies that process EU citizens' personal data are directly obliged to comply with the GDPR. In this case, certification can help to demonstrate compliance.
On the other hand, the revised Swiss Data Protection Act is also strongly oriented towards the GDPR. In most cases, therefore, companies that meet the criteria for the European Data Protection Seal will also amply satisfy the requirements of Swiss data protection law.
Closing words
Only time will tell whether the European Data Protection Seal can ultimately prevail over purely national solutions. The potential of an independent audit and certification is essentially positive. Companies, however, are bound to critically weigh up whether the effort and costs are worthwhile.