
Specific certification schemes as rule, general schemes (and criteria) as exception

Author: Grafenstein, M. v.
Published in:
Year: 2021
Type: Working paper
DOI: 10.5281/zenodo.4905484

This analysis criticizes a major design flaw of the Addendum to the Guidelines 1/2018 on certification and identifying certification criteria per Articles 42 and 43 of the EU General Data Protection Regulation (GDPR) by the European Data Protection Board (EDPB). The possibility for certification owners to set up general certification schemes in addition to specific specification schemes opens up a glaring loophole which will decrease transparency and inhibit a consistent EU-wide application of the law. In its addendum, the EDPB makes a recognizable effort to close the loophole by specifying further requirements for such general schemes. However, these efforts are merely corrective measures: the fundamental design flaw continues to exist. The consequences are serious: not only does this design flaw contradict the two key regulatory objectives of increasing transparency and supporting consistent EU-wide compliance, but it will also sooner or later marginalise specific certification schemes in practice. That is an unfortunate outcome, as specific certification schemes ultimately cost businesses less and are much more effective measures in meeting the two regulatory objectives of the GDPR. This paper analyzes the Addendum with respect to the function of certification schemes in environments which are highly prone to future uncertainties and covered by data protection law.



Connected HIIG researchers

Maximilian von Grafenstein, Prof. Dr.

Associated Researcher, Co-Head of Research Programme

  • Open Access
  • Transdisciplinary
