Certifications and Codes of Conduct

    Certification schemes and Codes of Conduct are established under the GDPR as accountability tools: they let organizations demonstrate compliance with data protection law and can be used to support international data transfers and vendor management.

    Last Updated: July 30, 2019

  • Certifications

    Certification schemes exist to encourage and demonstrate compliance with data protection standards. GDPR Article 42 provides for data protection certification mechanisms, and Article 43 sets the criteria and procedure for accrediting the certification bodies that issue them. Article 43(1) requires Member States to ensure that certification bodies are accredited by the competent supervisory authority, by the national accreditation body designated under Regulation (EC) No 765/2008, or by both.

    The Spanish Data Protection Agency (AEPD) operates a Data Protection Officer (DPO) certification scheme under Spanish domestic law; the scheme predates the date on which the GDPR became applicable. The AEPD website lists the certification bodies that are accredited, or in the process of being accredited, to issue DPO certificates. Certification is not mandatory: the profession can be exercised without being certified under this or any other scheme. The AEPD nonetheless considered it necessary to give the market a point of reference on the content and elements of a certification mechanism that can serve to attest the qualifications and professional competence of DPO candidates (DPD, Delegado de Protección de Datos, in Spanish).

    The AEPD has not yet issued official guidance on, or reference to, any specific certification under Article 42 GDPR.

  • Codes of Conduct

    Article 40 GDPR encourages the drawing up of Codes of Conduct as a voluntary tool for the proper and effective application of the GDPR. Codes of Conduct should be tailored to the specific features of particular processing sectors and to the needs of micro, small and medium-sized enterprises. Trade associations or other bodies representing a sector may draw up Codes of Conduct to help their members comply with the GDPR in an efficient and cost-effective way. An approved Code of Conduct is also a strong indicator of accountability and compliance towards the regulator, the public, and business partners.

    To date, the Spanish Data Protection Agency (AEPD) has not provided official guidance on drafting or submitting Codes of Conduct under the GDPR.
