Certification
According to the General Data Protection Regulation (the ‘Regulation’), an organisation is responsible for complying with all data protection principles and is also responsible for demonstrating such compliance. Certification is a voluntary accountability tool that can help organisations ensure and demonstrate compliance with the Regulation. Articles 42 and 43 of the Regulation encourage the establishment of certification mechanisms, as well as data protection seals and marks, to show that processing operations comply with the Regulation. Certification does not replace an organisation’s legal obligations under the Regulation. Thus, adherence to a certification mechanism does not reduce the responsibility of controllers or processors for compliance with the Regulation or prevent Supervisory Authorities from exercising their tasks and powers pursuant to the Regulation and relevant national laws. Rather, certification serves as an additional means of demonstrating that appropriate data protection safeguards and practices are in place.
Certification mechanisms are developed by scheme owners, and the certification criteria, which form an integral part of any certification mechanism, must be approved by the competent supervisory authority or, in the case of a European Data Protection Seal, by the European Data Protection Board (the ‘Board’). Before a supervisory authority issues its decision approving the criteria of a certification mechanism, it must submit the draft decision through the consistency mechanism provided for in the Regulation, so as to ensure consistent application of the Regulation across the EU.
Certifications are issued by accredited certification bodies that assess whether a controller’s or processor’s processing operations meet the requirements set out in the relevant certification mechanism. In Malta, Article 32 of the Data Protection Act (Chapter 586 of the Laws of Malta) provides that the certification bodies referred to in Article 43 of the Regulation are to be accredited by the National Accreditation Board (Malta). Such accreditation is carried out in accordance with EN-ISO/IEC 17065:2012 and with the additional criteria and requirements established by the Information and Data Protection Commissioner (the ‘Commissioner’).
The Commissioner submitted its draft additional requirements for the accreditation of certification bodies to the Board on 13 October 2022. Following the adoption of the Board’s Opinion 4/2023 on 3 February 2023, the Commissioner decided to follow the Opinion and consequently revised the draft additional accreditation requirements for certification bodies on 17 February 2023. The follow-up assessment prepared in compliance with Article 10(8) of the Board’s Rules of Procedure was formally circulated on 25 July 2025 and thereafter the Commissioner decided to further revise the draft additional accreditation requirements for certification bodies and adopted the third version of these additional requirements dated 28 July 2025.
The Additional Accreditation Requirements for Certification Bodies are published by the Commissioner. Currently, there are no accredited certification bodies in Malta for issuing GDPR certificates.
EDPB Guidance on Certification and Accreditation
The Board has published the following relevant guidance:
- Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 GDPR and their Addendum providing guidance on certification criteria assessment;
- Guidelines 4/2018 on the accreditation of certification bodies under Article 43 GDPR; and
- Guidelines 7/2022 on certification as a tool for transfers.
Moreover, the Board maintains a publicly accessible register of approved national and EU certification mechanisms, seals and marks.
