Data Processing

TÜV-certified data protection in accordance with Article 42 EU GDPR

Article 42 of the EU GDPR creates the prerequisites for certification in accordance with the EU General Data Protection Regulation. TÜVIT is currently undergoing the accreditation process for data protection certification.

Certification of all data processing

We offer certification in accordance with Art. 42 GDPR that covers all forms of data processing carried out by information processing services.

Objective proof

With a GDPR certification, you prove that the data processing in your company complies with the data protection standards of the GDPR.

Lower risk of fines

By optimising data protection in your company, you reduce the risk of data breaches, and of the fines associated with them, to a minimum.

What is certification under Article 42 GDPR?

Customers and business partners are generally unable to see which data protection measures a company has actually implemented. Standardised data protection certification in accordance with the EU GDPR is intended to change this.

Data protection certification is a procedure for checking processing operations, whether of IT products and services or within a company, for compliance with the legal data protection requirements. The result is a data protection certificate or seal that demonstrates implementation of the data protection standards of the GDPR.

The framework for certification is provided by Art. 42 GDPR, with which the EU promotes the introduction of data protection-specific certification procedures and the award of data protection seals and marks by accredited certification bodies (see Art. 43 GDPR).

At a glance

Benefits of GDPR certification

GDPR certification offers companies many opportunities to make their data protection measures transparent, effective and legally compliant. In addition to providing objective proof of compliance with legal requirements, it strengthens trust among customers and business partners.

  • Objective proof of compliance with the GDPR
    A certificate provides you with independent proof of proper implementation of the GDPR.
  • Increased trust among customers & business partners
    A GDPR certificate strengthens trust among (potential) customers & business partners.
  • Fulfilment of accountability obligations
    A GDPR certificate proves that you comply with the legal data protection requirements for data processing.
  • Raise employee awareness
    In the course of certification, you also raise employee awareness of data protection issues.
  • Optimisation of data protection in your company
    GDPR certification allows you to constantly increase the general level of data protection in your company.
  • Reduction of data protection risks & mishaps
    As part of a GDPR certification, you uncover weaknesses & prevent data protection mishaps.
  • Certificate as a prerequisite for market access
    In some areas, data protection certificates can act as a prerequisite for market access.
  • Advantages in the context of tenders
    A certificate obtained in accordance with Art. 42 GDPR has a positive effect on participation in tenders.


When will TÜVIT be approved for GDPR certification?

Our certification programme has already been approved in principle by the LDI NRW (State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia) and is now awaiting an opinion from the EDPB (European Data Protection Board). At the same time, the accreditation process is underway at the German Accreditation Body (DAkkS). The certification programme is not limited to specific areas of application but covers all forms of data processing by information processing services. Its criteria take into account the requirements of the GDPR and the BDSG as well as further requirements, for example from ISO standards and the TDDDG. We expect to be able to offer the first audits and certifications under the new certification programme by the end of 2025 or the beginning of 2026 at the latest.

As part of the certification of video consultations, we are already carrying out certifications in accordance with Article 42 GDPR, based on an exemption in Annex 31b BMV-Ä.


Frequently Asked Questions (FAQ)

What you need to know about data processing

GDPR certification is aimed at all companies in which personal data is processed or stored using IT-supported processing procedures.

We have already submitted our certification programme to the DAkkS and are confident that we will be able to offer the first certifications in accordance with Article 42 GDPR from the end of Q2 or the beginning of Q3 2025.

  • 1) Maturity assessment workshop:
    Before you embark on our certification process in accordance with Article 42 GDPR, the target of evaluation (ToE) must be specified and documented. In a joint workshop, we review how you have specified the certification object and assess your certification maturity; the results are recorded. Specifying the ToE and assessing certification maturity ensure that the processing operations to be certified are mature enough to give the certification procedure a realistic prospect of success.
  • 2) Certification application:
    If you are ready for certification, the next step is to formally submit an application for certification.
  • 3) Certification contract and agreement:
    After a positive application review, you will receive the following documents:
    - a certification offer and
    - the certification agreement form with the GDPR certification programme and the certification conditions.
    Based on the offer from the certification body and the order for certification, you acknowledge the GDPR certification programme with its rules and procedures as well as the certification conditions by signing the "Certification agreement" form.
  • 4) Legal and technical evaluation:
    An evaluation team of the certification body carries out the legal and technical evaluation of the certification object and documents the results in an evaluation report.
  • 5) Certification decision:
    The certification body assesses the evaluation on the basis of the evaluation report and monitors compliance with the procedural requirements of DIN EN ISO/IEC 17065. The certification decision is recorded and the customer is informed of the result.
  • 6) Issue of certificate:
    If the certification decision is positive, the certificate is issued. It specifies the scope of the certification (certification object / processing procedure), a maximum validity of 3 years, and the test mark. A valid certificate authorises public use of the test mark in connection with the certified product in accordance with the certification conditions. The certificate and a brief report with the result of the certification, the area of application and the conditions of use are published on the TÜVIT website.
  • 7) Surveillance audits:
    The certification body carries out a routine surveillance audit every year, except in years in which a recertification procedure takes place. The timing of a surveillance audit depends on the certificate date: it must be completed at the latest on the day one or two years after the certificate date, and may begin at the earliest six months before that day. In addition, the certification body carries out event-driven surveillance measures if anomalies occur that give reason to suspect non-compliance with the certification requirements.

There is no general answer to the question of how much GDPR certification costs. The final costs depend, among other things, on the subject of the audit and on its scope and depth.

A certificate in accordance with Art. 42 GDPR is formally valid for a maximum of 3 years. However, since certification only attests compliance for a limited period, and business processes and data protection requirements can change over time, recertification may become necessary before the certificate expires.

Below is a brief general overview of the areas covered by our test criteria:

  • Process documentation
  • Principles of processing
  • Lawfulness of the processing
  • Consent
  • Processing of sensitive data
  • Rights of the data subjects
  • Controller and processor
  • Security of processing
  • Data protection management
  • Data protection impact assessment and prior consultation
  • Code of conduct and certification
  • Transfer of personal data to third countries or international organisations

Depending on the scope and requirements, further specific criteria may also be added.
