Certifications and Codes of Conduct

    Certification schemes and codes of conduct are established under the GDPR as accountability tools: they let organisations demonstrate compliance with privacy law and facilitate data transfers and vendor management.

    Last Updated: July 30, 2019

  • Certifications

    Certification schemes exist to encourage and demonstrate compliance with data protection standards. GDPR Article 43 sets the criteria and procedure for accrediting certification bodies. Article 43(1) requires the Member States to ‘ensure’ that certification bodies are accredited by a supervisory authority.

    The DPA website notes that the accreditation body is the Raad voor Accreditatie (RvA). At present, there are no accredited certification bodies in the Netherlands for issuing AVG certificates (AVG is the Dutch abbreviation for the GDPR) in the context of the processing of personal data. As soon as the RvA accredits certification bodies to issue AVG certificates, this information will be published on the website of the Dutch Data Protection Authority and on that of the RvA.

    A certification body assesses whether your product, process or service qualifies for an AVG certificate. With this certificate, you can demonstrate that you meet certain requirements according to the rules of the General Data Protection Regulation (AVG).

    Accreditation of Certification Bodies

    For those organizations seeking to become certification bodies, it is necessary to submit an application for accreditation to the Accreditation Council (RvA). The Dutch Data Protection Authority (AP) does not accredit certification bodies.

    Before submitting an application to the RvA, the certification scheme must be drawn up first. As a certification body you can draw up the scheme yourself, or you can have it drawn up and managed by an external scheme manager. Once the RvA has completed the pre-assessment of an accreditation application, or once the scheme manager has approved the scheme, the AP assesses the certification scheme for satisfactory implementation of the relevant GDPR requirements. If the AP approves the certification scheme, the accreditation process at the RvA can continue.

    Accreditation Steps

    The accreditation process of the RvA and the role of the AP in the approval of certification schemes consists of the following steps:

    1. Accreditation Council
      – Assesses the admissibility of the accreditation application;
      – Pre-assessment by the RvA including scheme evaluation;
      – Completion of the scheme evaluation / preliminary inspection subject to the approval of the scheme by the AP.
    2. Data Protection Authority (AP)
      – After a positive evaluation of the scheme by the RvA, the AP assesses whether the scheme complies with the GDPR.
      – The certification body or scheme manager submits the scheme to the AP for assessment only after the RvA's scheme evaluation has been positive, which the applicant must be able to demonstrate.
      – The AP must coordinate its draft decision to approve the certification scheme with the European Data Protection Board (EDPB). After the AP has approved the certification scheme, the applicant sends this decision to the RvA for approval, which then starts the further accreditation procedure.
    3. Accreditation Council
      – The accreditation assessment by the RvA;
      – The accreditation decision by the RvA;
      – After granting accreditation: periodic assessment by the RvA of the certification body.

  • Codes of Conduct

    GDPR Article 40 encourages organisations to use codes of conduct as a voluntary tool for the proper and effective application of the GDPR. Codes of conduct should be tailored to the specific needs of particular sectors and sizes of organisation. Trade associations or other bodies representing a sector can create codes of conduct to help their sector comply with the GDPR in an efficient and cost-effective way. Furthermore, codes of conduct are a strong indicator of accountability and compliance towards the regulator, the public and business partners.

    Associations or other bodies representing a certain group of organisations may ask the Dutch Data Protection Authority (AP) to approve a new code of conduct. It is also possible to seek the modification or extension of an existing code of conduct. The AP approves the submitted code of conduct provided that it complies with the GDPR and offers appropriate guarantees.

    The AP website also answers the most frequently asked questions about codes of conduct, their drafting, and their minimum content requirements.