Privacy Through Certification?: The New Certification Scheme of the General Data Protection Regulation

Certification – Trust, Accountability, Liability

Part of the book series: Studies in European Economic Law and Regulation (SEELR, volume 16)

Abstract

This chapter gives an overview of the certification and audit mechanisms envisioned by Articles 42 and 43 of the new General Data Protection Regulation (GDPR). Audit and certification mechanisms are means of co-regulation and are aimed at creating market incentives. This optional enforcement layer is meant to enhance the standard of privacy protection. In the past, this goal was not widely achieved, mainly because of the lack of common standards with regard to the informative value of privacy seals and marks. In the first section, the authors highlight key cornerstones of European and in particular German data protection law with regard to the fundamental right to informational self-determination. The second section explains the differences and similarities between audit and certification concepts with regard to scope, mode and standard of examination, verifying authority and legal effects. The final section examines the general approach and specific aspects of the GDPR with regard to certification mechanisms. Although the certification and audit mechanisms envisioned by the GDPR are limited to demonstrating mere adherence to data protection law, the authors emphasize the key merit of Articles 42 and 43 GDPR, which is the opportunity to create transparency through a system of harmonized standards with regard to privacy seals and marks.

Notes

  1. Reg (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, [2016] OJ L 119/1.

  2. Dir (EU) 2016/680 on the protection of natural persons with regard to processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, [2016] OJ L 119/89.

  3. Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, [2008] OJ L 350/60.

  4. Kühling and Martini (2016), pp. 448, 449.

  5. Kühling (2007), p. 153; concerning the legal problems: Roßnagel (2007).

  6. See Hornung (2011), p. 51; this is now addressed by Art 25 GDPR (“data protection by design and by default”).

  7. On the economic perspective on privacy seals cf. Waelbroeck (2018), p. 133.

  8. Bock (2016), p. 335.

  9. With regard to the concept and examples in other countries see Roßnagel (2000); Roßnagel (1997), p. 505.

  10. See with regard to positive experiences Bäumler (2002), p. 325; Bäumler (2004), p. 80; Schläger (2004), p. 459; Bock (2016), p. 335 ff.; Hansen (2018), p. 35.

  11. Carvais-Palut (2018), p. 49 ff.; on other countries (e.g. the UK and Switzerland) cf. Schwartmann and Weiß (2016), pp. 68, 69.

  12. Cavoukian and Chibba (2018), p. 59 ff.

  13. For an inventory see ENISA (2013); ENISA (2017), p. 16 ff.; with regard to the existing market see Feik and von Lewinski (2014), p. 59; see also the comparative analysis of Balboni and Dragan (2018), p. 99 ff.

  14. Lachaud (2016), p. 814.

  15. Bundesverfassungsgericht (BVerfG), 15.12.1983, 65 Entscheidungen des Bundesverfassungsgerichts 1; on this “fundamental rights innovation” cf. Hornung (2015), p. 266 ff.

  16. Germany already had a Federal Data Protection Act before the population census decision. It was enacted in 1977, but had to be completely revised after the population census decision. The new Data Protection Act entered into force in 1990. After the Data Protection Directive 95/46/EC had been enacted in 1995, it took the German federal legislator 6 years to transpose this directive into a new Data Protection Act.

  17. This is not to say that the Bundesverfassungsgericht invented all those principles, since it could resort to the works of scholars, but it made those principles mandatory even for the legislator.

  18. Arts 10, 11, 12, 14, 18 of Dir 95/46/EC.

  19. Art 6(1)(b) of Dir 95/46/EC.

  20. Art 6(1)(c) of Dir 95/46/EC.

  21. BVerfG (n 15) 46 f.

  22. Hornung and Schnabel (2009), pp. 84, 88.

  23. Recital 10 GDPR; for a more specific overview with further references see Schantz (2016), p. 1841; Kühling and Martini (2016).

  24. Bird & Bird (2016), p. 54.

  25. Bird & Bird (2016), p. 47.

  26. Kühling and Martini (2016), p. 448; Kühling et al. (2016).

  27. In Germany, the respective national laws were enacted very quickly. § 26 of the new Federal Data Protection Act (Bundesdatenschutzgesetz) makes use of the opening clause of Art 88 GDPR.

  28. Some of the ideas mentioned in this section are based on Hornung and Hartl (2014), p. 219.

  29. Roßnagel (2000), p. 65 ff.

  30. With regard to § 9a FDPA, the term “product audit” is also used, see Scholz (2014), margin note 24.

  31. ENISA (2017), p. 13.

  32. See the economic analysis by Waelbroeck (2018), pp. 135 ff., 141 ff.

  33. Hornung and Hartl (2014), p. 220.

  34. Scholz (2014), margin note 24; Roßnagel (2000), p. 267.

  35. Roßnagel (2000), p. 58; Meissner (2008), pp. 525, 526; Schläger (2004), p. 460.

  36. Schläger (2004), p. 460.

  37. On the example of cyber-physical systems, see Barnard-Wills (2018), p. 113.

  38. Roßnagel (2011), p. 267.

  39. Roßnagel (2000), p. 58; Hammer and Schuler (2007), pp. 77, 79 who do not require a reference to a certain process.

  40. Roßnagel (2000), p. 141 f.

  41. Weichert (2010), margin note 11.

  42. In the context of the 2009 amendment of the German FDPA this ‘minimum standard’ was rejected and regarded as a ‘bureaucratic duplication’ of the duty to observe the law, see Grentzenberg et al. (2009), pp. 535, 542.

  43. This is for example the case in the existing scheme of Schleswig-Holstein, cf. Hansen (2018), p. 40 f. One could also consider mixed models and the (advisory) participation of additional institutions such as consumer protection organisations or foundations (e.g. the German data protection foundation).

  44. This would be Roßnagel’s concept. Hammer and Schuler (2007), p. 81 use a different terminology.

  45. Hammer and Schuler (2007), p. 78 f. with regard to “fiberizing” of certificates.

  46. This was also criticized in the course of the 2009 amendment of the German FDPA, see Hammer and Schuler (2007), p. 78 f.

  47. See for example Roßnagel (2000), p. 514; Schläger (2004), p. 459; ENISA (2017), p. 9.

  48. Dieterich (2016), p. 260.

  49. Windmann (2010), pp. 396, 401 f.

  50. In an alternative model, the verifying authority would be liable for flawed audits and certificates. With regard to difficulties of proof and the sparsely developed concept of liability in data protection law, this approach does not seem practicable, see AG Rechtsrahmen des Cloud Computing (2012), p. 18.

  51. Following the environmental protection audit Roßnagel (2000), p. 112; Schläger (2004), p. 459.

  52. Bräutigam and Sonnleithner (2011), pp. 240, 242.

  53. Heilmann and Schulz (2018), margin note 8; Hornung (2014), pp. 123, 146 ff, with regard to social networks.

  54. As is the case in the German Länder of Bremen, Mecklenburg-Vorpommern and Schleswig-Holstein.

  55. Hornung and Sädtler (2012), pp. 638, 643; AG Rechtsrahmen des Cloud Computing (2012), p. 12 ff.

  56. Currently, these privileges do not exist. As a result, existing private seals regarding commissioned data processing are tainted with lacking legal certainty, see Borges and Brennscheidt (2012), p. 68.

  57. For example Lepperhoff and Jaspers (2013), p. 617; a current standard (together with a seal) was developed in 2013 by the German associations GDD and BvD and coordinated by the Data Protection Commissioner of Nordrhein-Westfalen (Der LfDI Nordrhein-Westfalen 2014, p. 6), for further information see www.dsz-audit.de.

  58. Wagner (2011), pp. 229, 232; Scholz (2014), margin note 15 ff.

  59. On the legal situation as regards the binding effect within the GDPR framework, cf. von Braunmühl (2016), margin note 16; Bergt (2017), margin note 27.

  60. Roßnagel (2011), p. 275.

  61. Roßnagel (2000), p. 140.

  62. Scholz (2014), margin note 8 with further references.

  63. See, for example, the comment by the German association DVD e.V.: Schuler (2007), pp. 181, 182: “It may be doubted […] that the voluntary certificate is already issued for compliance with data protection law. This means, that one certifies that there is no infringement of law. Apart from sending the wrong message, there is no additional advantage that can be gained for consumers”.

  64. BT-Drs. 16/12011.

  65. BT-Drs. 16/12011, 38.

  66. Roßnagel (2011), p. 277.

  67. Grentzenberg et al. (2009), p. 542 with further references.

  68. See n 58.

  69. Bäumler (2002), p. 325; Bäumler (2004), p. 80; Schläger (2004), p. 459; Hornung (2013), pp. 181, 185; on the specific certification procedure, see Hansen (2018), p. 38 ff.

  70. For further information and the list of products, see https://www.datenschutzzentrum.de/guetesiegel/index.htm; for figures and examples see Hansen (2018), p. 42 f.

  71. Holst (2014), p. 710.

  72. Meissner (2008), p. 525.

  73. Hornung (2011), p. 53; Kamara and De Hert (2018), pp. 7, 9.

  74. With regard to this concept, see Art. 29 Working Party, WP 173 (2010); see also Hornung (2013), p. 188 f. Art 5(2) GDPR now explicitly includes the principle, which as a link to certification, see ENISA (2017), p. 13; Carvais-Palut (2018), p. 54 f.

  75. See Art. 29 Working Party (2010), p. 9 and in particular 17 ff.

  76. See COM(2010) 609 final, 12 f.

  77. COM(2012) 11 final.

  78. Hornung and Hartl (2014), p. 223; Kamara and De Hert (2018), p. 11 f.

  79. European Parliament Doc 7427/14.

  80. See Kamara and De Hert (2018), p. 12 f.

  81. Hornung and Hartl (2014), p. 223 f.

  82. Council Doc 9565/15; cf. Kamara and De Hert (2018), p. 13 and the analysis of Korff (3 October 2014), http://eulawanalysis.blogspot.nl/2014/10/warning-eu-council-is-trying-to.html.

  83. Spindler (2016), pp. 407, 408; Art 70(1) lit. n) GDPR contains a similar rule with regard to the European Data Protection Board.

  84. However, supervisory authorities, which are also considered certification bodies, are not accredited at all.

  85. Reg (EC) No 765/2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products [2008] OJ L 218/30, see ENISA (2017), p. 14.

  86. Cf. Kamara and De Hert (2018), p. 21 f.

  87. Paal (2018), margin note 6; with regard to the LIBE-proposal see Hornung and Hartl (2014), p. 223.

  88. Cf. ENISA (2017), p. 22.

  89. Cf. Hornung (2017), margin notes 8 ff.; von Braunmühl (2016), margin note 7; ENISA (2017), p. 15; against Paal (2018), margin note 7; Bergt (2017), margin note 3; Eckhardt (2017), margin notes 31 ff.; Lepperhoff (2017), margin note 9; Raschauer (2017), margin note 23.

  90. Lepperhoff (2017), margin note 26; against Bergt (2017), margin note 15; Heilmann and Schulz (2018), margin notes 15, 34. See also ENISA (2017), pp. 14 f., 22.

  91. With regard to this “presumption of conformity” see Spindler (2016), p. 414.

  92. See, for example, CJEU, Case C-326/96 B.S. Levez vs. T.H. Jennings (Harlow Pools) Ltd., ECLI:EU:C:1998:577.

  93. Lachaud (2016), p. 825; the ENISA (2017), p. 23, argues for harmonized criteria across EU Member States.

  94. On the details of the process see Kamara and De Hert (2018), p. 22 ff.

  95. It is frequently argued that the supervisory authorities should not take up this role, as this could come into conflict with their supervisory functions (cf. ENISA 2017, p. 25). In the German example of Schleswig-Holstein (cf. Sect. 4.2.1) however, this conflict has not appeared.

  96. See Lachaud (2016), p. 825.

  97. See ENISA (2017), p. 24 f.; Kamara and De Hert (2018), p. 20 f.

  98. ENISA (2017), pp. 11, 15; cf. Kamara and De Hert (2018), p. 18 ff. on different models.

  99. See Lachaud (2016), p. 818.

  100. See Kamara and De Hert (2018), p. 20 f.

  101. Bergt (2017), margin note 7; Lepperhoff (2017), margin note 8; Spindler (2016), p. 409.

  102. See also ENISA (2017), p. 23 f.

  103. Heilmann and Schulz (2018), margin notes 21 f.; Bergt (2017), margin notes 14 f.; Spindler (2016), p. 412.

  104. Cf. Kamara and De Hert (2018), p. 24 ff.

  105. Spindler (2016), p. 413.

  106. Cf. Bergt (2017), margin notes 4, 31; Kamara and De Hert (2018), p. 25 f. This however could discriminate against those micro and small-sized businesses which cannot “afford” to be certified; in this context see Lachaud (2016), p. 820.

  107. See Heilmann and Schulz (2018), margin notes 43 f.; Paal (2018), margin note 9; Bergt (2017), margin notes 2, 28; Lepperhoff (2017), margin note 4; Will (2017), margin note 5; von Braunmühl (2016), margin note 14; Kamara and De Hert (2018), p. 26 ff.

  108. See Kamara and De Hert (2018), p. 28 f.

  109. See in particular the lessons learnt from the example of Schleswig-Holstein, Hansen (2018), p. 44 ff.; see also Carvais-Palut (2018).

  110. On this perspective and the possibilities to transfer concepts and experiences in the area of data protection, see Balboni and Dragan (2018), p. 83 ff.

References

  • AG Rechtsrahmen des Cloud Computing. (2012). Datenschutzrechtliche Lösungen für Cloud Computing. http://www.tcdp.de/data/pdf/01_Thesenpapier_Datenschutzrechtliche-Loesungen-fuer-Cloud-Computing.pdf

  • Art. 29 Working Party, WP 173. (2010). Opinion 3/2010 on the principle of accountability. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp173_en.pdf

  • Balboni, P., & Dragan, T. (2018). Controversies and challenges of trustmarks: Lessons for privacy and data protection seals. In R. Rodrigues & V. Papakonstantinou (Eds.), Privacy and data protection seals (p. 83). Berlin, Germany: Springer.

  • Barnard-Wills, D. (2018). The potential for privacy seals in emerging technologies. In R. Rodrigues & V. Papakonstantinou (Eds.), Privacy and data protection seals (p. 113). Berlin, Germany: Springer.

  • Bäumler, H. (2002). Marktwirtschaftlicher Datenschutz. Datenschutz und Datensicherheit, 325.

  • Bäumler, H. (2004). Ein Gütesiegel für den Datenschutz. Datenschutz und Datensicherheit, 80.

  • Bergt, M. (2017). ‘Art. 41’, ‘Art. 42’ and ‘Art. 43’. In J. Kühling & B. Buchner (Eds.), DS-GVO. Munich, Germany: C.H. Beck.

  • Bird & Bird. (2016). Guide to the general data protection regulation. https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/bird%2D%2Dbird%2D%2Dguide-to-the-general-data-protection-regulation.pdf?la=en

  • Bock, K. (2016). Data protection certification: Decorative or effective instrument? Audit and seals as a way to enforce privacy. In D. Wright & P. De Hert (Eds.), Enforcing privacy: Regulatory, legal and technological approaches (p. 335). Heidelberg, Germany: Springer.

  • Borges, G., & Brennscheidt, K. (2012). Rechtsfragen des Cloud Computing – ein Zwischenbericht. In G. Borges & J. Schwenk (Eds.), Daten- und Identitätsschutz in Cloud Computing, E-Government und E-Commerce (1st ed., p. 43). Berlin, Germany: Springer.

  • Bräutigam, P., & Sonnleithner, B. (2011). Stiftung Datenschutz – Ein Schritt in die richtige Richtung. Anwaltsblatt, 240.

  • Carvais-Palut, J. (2018). The French privacy seal scheme: A successful test. In R. Rodrigues & V. Papakonstantinou (Eds.), Privacy and data protection seals (p. 49). Berlin, Germany: Springer.

  • Cavoukian, A., & Chibba, M. (2018). Privacy seals in the USA, Europe, Japan, Canada, India and Australia. In R. Rodrigues & V. Papakonstantinou (Eds.), Privacy and data protection seals (p. 59). Berlin, Germany: Springer.

  • Der LfDI Nordrhein-Westfalen. (2014). Datenschutzsiegel in Nordrhein-Westfalen. Datenschutz und Datensicherheit, 6.

  • Dieterich, T. (2016). Rechtsdurchsetzungsmöglichkeiten der DS-GVO Einheitlicher Rechtsrahmen führt nicht zwangsläufig zu einheitlicher Rechtsanwendung. Datenschutz und Datensicherheit, 260.

  • Eckhardt, J. (2017). Art. 42. In H. Wolff & S. Brink (Eds.), BeckOK Datenschutzrecht (22nd ed.). Munich, Germany: C.H. Beck.

  • European Union Agency For Network and Information Security (ENISA). (2013). On the security, privacy and usability of online seals. https://www.enisa.europa.eu/publications/on-the-security-privacy-and-usability-of-online-seals

  • European Union Agency For Network and Information Security (ENISA). (2017). Recommendations on European data protection certifications. https://www.enisa.europa.eu/publications/recommendations-on-european-data-protection-certification

  • Feik, S., & von Lewinski, K. (2014). Der Markt für Datenschutz-Zertifizierungen. Zeitschrift für Datenschutz, 59.

  • Grentzenberg, V., Schreibauer, M., & Schuppert, S. (2009). Die Datenschutznovelle (Teil II). Kommunikation und Recht, 535.

  • Hammer, V., & Schuler, K. (2007). Cui bono? – Ziele und Inhalte eines Datenschutz-Zertifikats. Datenschutz und Datensicherheit, 77.

  • Hansen, M. (2018). The Schleswig-Holstein data protection seal. In R. Rodrigues & V. Papakonstantinou (Eds.), Privacy and data protection seals (p. 35). Berlin, Germany: Springer.

  • Heilmann, S., & Schulz, W. (2018). ‘Art. 42’ and ‘Art. 43’. In S. Gierschmann, K. Schlender, R. Stentzel, & W. Veil (Eds.), Kommentar Datenschutz-Grundverordnung. Cologne, Germany: Bundesanzeiger Verlag.

  • Holst, S. (2014). Bremische Datenschutzauditverordnung in Kraft. Datenschutz und Datensicherheit, 710.

  • Hornung, G. (2011). Eine Datenschutz-Grundverordnung für Europa?. Zeitschrift für Datenschutz, 51.

  • Hornung, G. (2013). Regulating privacy enhancing technologies: Seizing the opportunity of the future European Data Protection Framework. Innovation: The European Journal of Social Science Research, 26, 181.

  • Hornung, G. (2014). Europa und drüber hinaus – Konzepte für eine Neuregelung des Datenschutzes im Internet und in sozialen Netzwerken. In H. Hill & U. Schliesky (Eds.), Die Neubestimmung der Privatheit (p. 123). Baden-Baden, Germany: Nomos.

  • Hornung, G. (2015). Grundrechtsinnovationen. Tübingen, Germany: Mohr Siebeck.

  • Hornung, G. (2017). Art. 42. In M. Eßer, P. Kramer, & K. von Lewinski (Eds.), DSGVO BDSG (5th ed.). Cologne, Germany: Carl Heymanns Verlag.

  • Hornung, G., & Hartl, K. (2014). Datenschutz durch Marktanreize – auch in Europa? Stand der Diskussion zu Datenschutzzertifizierung und Datenschutzaudit. Zeitschrift für Datenschutz, 219.

  • Hornung, G., & Sädtler, S. (2012). Europas Wolken – Die Auswirkungen des Entwurfs für eine Datenschutz-Grundverordnung auf das Cloud Computing. Computer und Recht, 638.

  • Hornung, G., & Schnabel, C. (2009). Data protection in Germany I: The population census decision and the right to informational self-determination. Computer Law & Security Review, 25, 84.

  • Kamara, I., & De Hert, P. (2018). Data protection certification in the EU: Possibilities, actors and building blocks in a reformed landscape. In R. Rodrigues & V. Papakonstantinou (Eds.), Privacy and data protection seals (p. 7). Berlin, Germany: Springer.

  • Korff, D. (2014, October 3). Warning: The EU council is trying to undermine privacy seals (and through this, the General data protection regulation). EU Law Analysis Blog. http://eulawanalysis.blogspot.nl/2014/10/warning-eu-council-is-trying-to.html

  • Kühling, J. (2007). Datenschutz in einer künftigen Welt allgegenwärtiger Datenverarbeitung – Aufgabe des Rechts? Die Verwaltung, 40, 153.

  • Kühling, J., & Martini, M. (2016). Die Datenschutz-Grundverordnung: Revolution oder Evolution im europäischen und deutschen Datenschutzrecht? Europäische Zeitschrift für Wirtschaftsrecht, 448.

  • Kühling, J., Martini, M., Heberlein, J., Kühl, B., Nink, D., Weinzierl, Q., et al. (2016). Die Datenschutz Grundverordnung und das nationale Recht. Münster, Germany: Monsenstein und Vannerdat.

  • Lachaud, E. (2016). Why the certification process defined in the General Data Protection Regulation cannot be successful. Computer Law & Security Review, 32, 814–826.

  • Lepperhoff, N. (2017). Art. 42. In P. Gola (Ed.), DS-GVO. Munich, Germany: C.H. Beck.

  • Lepperhoff, N., & Jaspers, A. (2013). Neuer Datenschutzstandard DS-BvD-GDD-01 mit passendem Gütesiegel. MultiMedia und Recht, 617.

  • Meissner, S. (2008). Zertifizierungskriterien für Datenschutzgütesiegel EuroPriSe. Datenschutz und Datensicherheit, 525.

  • Paal, B. (2018). Art. 42. In B. Paal & D. Pauly (Eds.), Datenschutz-Grundverordnung Bundesdatenschutzgesetz (2nd ed.). Munich, Germany: C.H. Beck.

  • Raschauer, N. (2017). Art. 42. In G. Sydow (Ed.), Europäische Datenschutzgrundverordnung. Baden-Baden, Germany: Nomos.

  • Roßnagel, A. (1997). Datenschutzaudit. Datenschutz und Datensicherheit, 505.

  • Roßnagel, A. (2000). Datenschutzaudit. Wiesbaden, Germany: Springer.

  • Roßnagel, A. (2007). Datenschutz in einem informatisierten Alltag. Berlin, Germany: Friedrich-Ebert-Stiftung.

  • Roßnagel, A. (2011). Datenschutzaudit – ein modernes Steuerungsinstrument. In L. Hempel, S. Krasmann, & U. Bröckling (Eds.), Sichtbarkeitsregime (1st ed., p. 277). Wiesbaden, Germany: Springer.

  • Schantz, P. (2016). Die Datenschutz-Grundverordnung – Beginn einer neuen Zeitrechnung im Datenschutzrecht. Neue juristische Wochenschrift, 1841.

  • Schläger, U. (2004). Gütesiegel nach Datenschutzauditverordnung Schleswig-Holstein. Datenschutz und Datensicherheit, 459.

  • Scholz, P. (2014). § 9a BDSG. In S. Simitis (Ed.), Bundesdatenschutzgesetz (8th ed.). Baden-Baden, Germany: Nomos.

  • Schuler, K. (2007). Stellungnahme zum Bundesdatenschutzauditgesetz vom 7. September 2007. Datenschutznachrichten, 181.

  • Schwartmann, R., & Weiß, S. (2016). Ko-Regulierung vor einer neuen Blüte (Teil 1). Recht der Datenverarbeitung, 68.

  • Spindler, G. (2016). Selbstregulierung und Zertifizierungsverfahren nach der DS-GVO Reichweite und Rechtsfolgen der genehmigten Verhaltensregeln. Zeitschrift für Datenschutz, 407.

  • von Braunmühl, P. (2016). Art. 42. In K. Plath (Ed.), BDSG DSGVO (2nd ed.). Cologne, Germany: Otto Schmidt.

  • Waelbroeck, P. (2018). An economic analysis of privacy seals. In R. Rodrigues & V. Papakonstantinou (Eds.), Privacy and data protection seals (p. 133). Berlin, Germany: Springer.

  • Wagner, E. (2011). Bundesstiftung Datenschutz - Chancen? Grenzen! Eine Erwiderung auf Piltz/Schulz, Stiftung Datenschutz - moderner Datenschutz neu gedacht. Recht der Datenverarbeitung, 229.

  • Weichert, T. (2010). § 9a. In W. Däubler, T. Klebe, P. Wedde, & T. Weichert (Eds.), Bundesdatenschutzgesetz (3rd ed.). Frankfurt am Main, Germany: Bund-Verlag.

  • Will, M. (2017). Art. 42. In E. Ehmann & M. Selmayr (Eds.), Datenschutz-Grundverordnung. Munich, Germany: C.H. Beck.

  • Windmann, J. (2010). Der Verifikateur und der Aufsichtsbeamte als zentrale Elemente des Sachverständigen-Vollzugsmodells im Technikrecht. Die öffentliche Verwaltung, 396.

Author information

Correspondence to Gerrit Hornung.

Copyright information

© 2019 Springer Nature Switzerland AG

About this chapter

Cite this chapter

Hornung, G., Bauer, S. (2019). Privacy Through Certification?: The New Certification Scheme of the General Data Protection Regulation. In: Rott, P. (eds) Certification – Trust, Accountability, Liability. Studies in European Economic Law and Regulation, vol 16. Springer, Cham. https://doi.org/10.1007/978-3-030-02499-4_5

  • DOI: https://doi.org/10.1007/978-3-030-02499-4_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-02498-7

  • Online ISBN: 978-3-030-02499-4

  • eBook Packages: Law and Criminology (R0)
