The GDPR recognizes four main instruments for ensuring appropriate safeguards: Certification, Code of Conduct (CC), Binding Corporate Rules (BCR), and Standard Contractual Clauses (SCC). Let’s compare their characteristics and limits:

Data protection by design and by default: Certification is the only instrument recognized by Art. 25 GDPR to demonstrate compliance with this requirement.
Adequacy of Data Controllers: Art. 24 GDPR only mentions Certification and CC as instruments to evidence compliance.
Adequacy of Data Processors: Art. 28 GDPR requires controllers to ensure processors provide sufficient safeguards, for which it recognizes Certification and CC.
Adequacy of security measures: Art. 32 GDPR highlights Certification and CC as means to ensure compliance with security requirements.
Impact on administrative fines: Art. 83 GDPR mentions that in case of fine determination for non-compliance, due regard will be given to Certification and CC.
Availability: Certification and SCCs are readily available as they stand. CCs and BCRs may require years of effort to be approved. BCRs are limited to entities within the same company group.
Universality: SCCs and Certification (i.e. Europrivacy) can be industry-agnostic and usable by all controllers and processors. BCRs are company-specific, and CCs industry-specific.
Time and effort: SCC is simple but must be repeated with each partner. Adoption of a BCR or a CC is highly time consuming. Certification requires 1 to 2 months for the certification body and can save due diligence time and effort (Art. 28 GDPR).
Flexibility and Adaptability: BCRs and CCs focus on company-level compliance, while Certification and SCCs allow prioritizing critical data processing activities.
Reliability: Trustworthiness increases from SCCs (where no audit is performed), to BCRs, CCs, and Certification (with regular independent third-party audits).
Value Creation: Certification turns compliance into an intangible asset (the certificate) and a source of value creation: competitive advantage for sales, financial valuation, etc.

⬇️ The tables below summarize the characteristics of the 4 GDPR instruments. Each one offers different benefits and levels of reliability. While SCCs are easy to implement, Certification proves to be the most reliable instrument, with many advantages. It requires some initial investment but can generate revenues and save costs. It can also be used to simplify, homogenize, document, and delegate compliance management with officially recognized criteria. It’s not surprising that Certification is mentioned 73 times in the GDPR, against 36 for CC, 25 for BCR, and 7 for SCC.

🔒 We hope this analysis will help you select the best instrument(s) to address your needs.

Read the full analysis: https://www.europrivacy.org/en/ep/comparing-gdpr
