Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation) (Text with EEA relevance)
After exit day there will be three versions of this legislation to consult for different purposes. The legislation.gov.uk version is the version that applies in the UK. The EU Version currently on EUR-Lex is the version that currently applies in the EU, i.e. you may need this if you operate a business in the EU.
The web archive version is the official version of this legislation item as it stood on exit day before being published to legislation.gov.uk and any subsequent UK changes and effects applied. The web archive also captured associated case law and other language formats from EUR-Lex.
There are currently no known outstanding effects for the Regulation (EU) 2016/679 of the European Parliament and of the Council, Article 43.
Revised legislation carried on this site may not be fully up to date. At the current time any known changes or effects made by subsequent legislation have been applied to the text of the legislation you are viewing by the editorial team. Please see ‘Frequently Asked Questions’ for details regarding the timescales for which new effects are identified and recorded on this site.
1. Without prejudice to the tasks and powers of [F1the Commissioner] under Articles 57 and 58, certification bodies which have an appropriate level of expertise in relation to data protection shall, after informing [F2the Commissioner] in order to allow it to exercise its powers pursuant to point (h) of Article 58(2) where necessary, issue and renew certification. [F3In accordance with section 17 of the 2018 Act, those certification bodies may only be] accredited by one or both of the following:
[F4(a) the Commissioner;]
(b) [F5the UK national accreditation body] named in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council (1) in accordance with EN-ISO/IEC 17065/2012 and with the additional requirements established by [F6the Commissioner].
2. Certification bodies referred to in paragraph 1 shall be accredited in accordance with that paragraph only where they have:
(a) demonstrated their independence and expertise in relation to the subject-matter of the certification to the satisfaction of [F7the Commissioner];
(b) undertaken to respect the criteria referred to in Article 42(5) and approved by [F8the Commissioner] which is competent pursuant to Article 55 or 56 or by the Board pursuant to Article 63;
(c) established procedures for the issuing, periodic review and withdrawal of data protection certification, seals and marks;
(d) established procedures and structures to handle complaints about infringements of the certification or the manner in which the certification has been, or is being, implemented by the controller or processor, and to make those procedures and structures transparent to data subjects and the public; and
(e) demonstrated, to the satisfaction of [F9the Commissioner], that their tasks and duties do not result in a conflict of interests.
3. [X1The accreditation of certification bodies as referred to in paragraphs 1 and 2 of this Article shall take place on the basis of requirements approved by [F10the Commissioner].] In the case of accreditation pursuant to point (b) of paragraph 1 of this Article, those requirements shall complement those envisaged in Regulation (EC) No 765/2008 and the technical rules that describe the methods and procedures of the certification bodies.
4. The certification bodies referred to in paragraph 1 shall be responsible for the proper assessment leading to the certification or the withdrawal of such certification without prejudice to the responsibility of the controller or processor for compliance with this Regulation. The accreditation shall be issued for a maximum period of five years and may be renewed on the same conditions provided that the certification body meets the requirements set out in this Article.
5. The certification bodies referred to in paragraph 1 shall provide [F11the Commissioner] with the reasons for granting or withdrawing the requested certification.
[X1 6. The requirements referred to in paragraph 3 of this Article and the criteria referred to in Article 42(5) shall be made public by [F12the Commissioner] in an easily accessible form. F13...]
7. Without prejudice to Chapter VIII, [F14the Commissioner or the UK national accreditation body] shall revoke an accreditation of a certification body pursuant to paragraph 1 of this Article where the conditions for the accreditation are not, or are no longer, met or where actions taken by a certification body infringe this Regulation.
F15 8. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F15 9. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Editorial Information
X1 Substituted by Corrigendum to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the European Union L 119 of 4 May 2016).
Textual Amendments
F1 Words in Art. 43(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 37(2)(a)(i) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F2 Words in Art. 43(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 37(2)(a)(ii) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F3 Words in Art. 43(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 37(2)(a)(iii) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F4 Art. 43(1)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 37(2)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F5 Words in Art. 43(1)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 37(2)(c)(i) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F6 Words in Art. 43(1)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 37(2)(c)(ii) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F7 Words in Art. 43(2)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 37(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F8 Words in Art. 43(2)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 37(3)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F9 Words in Art. 43(2)(e) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 37(3)(c) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F10 Words in Art. 43(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 37(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F11 Words in Art. 43(5) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 37(5) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F12 Words in Art. 43(6) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 37(6)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F13 Words in Art. 43(6) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 37(6)(b) (with reg. 5, Sch. 1 para. 80); 2020 c. 1, Sch. 5 para. 1(1)
F14 Words in Art. 43(7) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 37(7) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F15 Art. 43(8)(9) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 37(8) (with reg. 5, Sch. 1 para. 80); 2020 c. 1, Sch. 5 para. 1(1)
(1) Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93 (OJ L 218, 13.8.2008, p. 30).