There are regularly questions about the status of the “data protection seal of a state-accredited certification body”, which is currently being developed.
The plan is to offer this seal alongside our already well-known and established ePrivacyseal certifications once the state accreditation is completed.
The state accreditation process, which is owned by the German Accreditation Body (DAkkS), is still ongoing. More than four years ago, we submitted the first application for accreditation of the conformity assessment program. An end to the process is still not foreseeable. Despite slow-moving authorities, we have made significant progress in the meantime.
Milestones achieved on the way to the state-accredited data protection seal:
May 2016 GDPR enters into force
May 2018 End of GDPR transition period
Feb 2019 Application for state-accredited data protection seal
Dec 2020 DAkkS decision: all non-conformities of the programme closed
July 2021 Final evaluation by the competent data protection authority
June 2022 Competent data protection authority confirms DAkkS decision
Aug 2022 Documents for EDPB opinion have been submitted
Sep 2022 Documents for certification body have been submitted
Oct 2022 Feedback from the DAkkS programme committee
Feb 2023 DAkkS confirmation: all requirements fulfilled by certification programme
Feb 2023 On-site inspection of certification body by DAkkS and data protection authority
Currently, the last open requirement is the additional submission of an opinion from the European Data Protection Board (EDPB). The European legislator requires this additional opinion, even though the entire procedure has already been reviewed by the German supervisory authorities.
The preliminary procedure is already underway, but the official procedure has not yet been finalized. In addition, it depends on the final approval of the certification body by the DAkkS. It is expected to happen in autumn/winter 2023.
The further procedure
The aim of the development of a state-accredited data protection seal is to create a seal with high value and extensive use.
The current development of the planned state-accredited data protection seal is as follows:
- The state-accredited data protection seal has limited use and can only be applied to specific data processing, not to software products, platforms, etc.
- Governmental data protection seals are currently being built for specific sub-areas, not comprehensively (e.g. only for processors, cloud applications, websites, special eHealth applications, etc.)
- The state-accredited data protection seal is not suitable for the great need of generic GDPR audits in the digital industry.
- A purely generic state-accredited data protection seal is not possible, as the authorities require the criteria and audit methods for all relevant processes to be approved in detail in advance.
- Limited additional benefits compared to other data protection seals (i.e. only certain liability and documentation facilitations).
- Setting up and operating a certification body for the state-accredited data protection seal requires high administrative effort and costs.
- Seal holders can expect high internal costs for documentation, process detailing, etc.
- Focus on improving data protection for seal holders could be neglected compared to necessary documentation requirements.
We continue to pursue final approval of the privacy seal application and prepare for its limited but reasonable application.
Due to the limitations, complexity, and expected costs of the state-accredited data protection seal, we recommend that interested parties aim for a state-accredited data protection seal only
- in areas where such a seal is required by law (e.g., digital health applications in Germany (DiGA) from 2024) or
- in industries where there is a high market demand for it and other seal options are not sufficient.
Opportunities for interested parties
In many cases, the advantages of a state-accredited data protection seal are not significant, particularly if the market does not require it. The implementation requirements and economic effort involved will be substantial, as well as the time required and uncertainty as to whether a seal can actually be awarded.
As an excellent alternative to the planned state-accredited data protection seals, there are also well-known and long-established data protection seals without state recognition (such as the ePrivacyseal):
- Focus on data protection implementation
- Superior support for GDPR compliance
- Less complex certification processes lead to lower costs
- Good use case, including global application
- No state accreditation according to Art. 42, 43 GDPR
- Data protection seal as preparation for the state-accredited seal, but it can also be used independently.
For many companies there will be better solutions than applying for a state-accredited seal, which is too costly and time-consuming.
It is unlikely that the state-accredited data protection seal will have a high practical use, particularly in the digital industry, due to a flawed design by the legislator. The seal can only be applied to specific processing operations, but most companies in the digital industry do not have their own processing procedures that can be certified. Therefore, the government seal will only be applicable to a fraction of companies in the digital industry.
We believe that digital and online marketing companies should also have the right to get their products and services certified by an independent third-party body.
The proven data protection seal ePrivacyseal is currently being used very successfully and is being further developed.
For internationally operating companies, a new data protection seal, the “ePrivacyseal Global”, has been developed. The awarded certification confirms the implementation of GDPR requirements and can be used worldwide. Furthermore, it can be used to prepare products/technologies for use in the EU. The ePrivacyseal Global can be used as a preparatory step for a state-accredited privacy seal, as well as independently.
At present, we recommend that our customers stick with the well-known and proven data protection seals, such as ePrivacyseal, and wait and see how the state-accredited seals will develop.
Please do not hesitate to contact us if you have any questions – we are also available for a personal meeting.
For more information we will also offer a free webinar in April:
What to expect:
We are pleased to provide detailed information about the planned state-accredited data protection seal: update on the current status, scope of certifications, preparation of applications, review of alternative solutions.
Date & Time:
20th April 2023, 1 pm CEST, duration approx. 30-40 minutes
Data protection officers, corporate lawyers, marketing professionals and product managers
Prof. Dr. Christoph Bauer, CEO & Founder ePrivacy GmbH