The European Data Protection Board (EDPB) under Art. 70 of the Regulation 2016/679 shall ensure the consistent application of this legal act.
On 4 June 2019, Annex 2 to the Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679 was adopted.
On the same date, Annex 1 to the Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679) was adopted.
Currently, works on translation of the final versions into Polish are carried on.
In 2018 and 2019 the EDBP and the Office held consultations of the above documents.
Until 1 February 2019, public consultations of Annex 1 to the Guidelines, containing additional accreditation requirements were held (https://edpb.europa.eu/our-work-tools/public-consultations/2018/edpb-guidelines-42018-accreditation-certification-bodies_en).
Until 29 March 2019, Annex 2 to the Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679 was open to public consultation (https://edpb.europa.eu/our-work-tools/public-consultations/2019/guidelines-12018-certification-and-identifying_en).
This approach is aimed at ensuring consistency within the entire European Union and transparency of activities undertaken by national personal data protection authorities within the framework of certification undertakings. The criteria established by the data protection authorities will allow to handle requests for accreditation and certification submitted at national level. Currently, the President of the Personal Data Protection Office does not carry out any activities related to the certification mechanism.
In connection with the above it is not possible to obtain from the President of the Personal Data Protection Office or from another entity a certificate of compliance of the activity with the GDPR nor to indicate the approved certification bodies.
In connection with the above:
- No company has applied for a certificate or received it from the Personal Data Protection Office until now. The cost of obtaining a certificate is not set either.
- No list of documents required for the controller to obtain a certificate or for another entity to become entitled to issuing certificates has been drafted.
- The President of the Personal Data Protection Office does not carry out any activities to establish accreditation or certification criteria, referred to in Articles 13 and 16 of the Act on Personal Data Protection respectively. Therefore, the date of making the above mentioned criteria available on the BIP (Public Information Bulletin) website of the President of the Personal Data Protection Office is not known.