TY - JOUR
T1 - Certification as guidance for data protection by design
AU - Koulierakis, Efstratios
N1 - Publisher Copyright:
© 2023 The Author(s). Published by Informa UK Limited, trading as Taylor & Francis Group.
PY - 2024
Y1 - 2024
N2 - Data protection by design is an obligation for data controllers according to article 25(1) of the General Data Protection Regulation (GDPR). The present paper explores the concept of data protection by design and proposes that data protection certificates can offer guidance to data controllers about compliance with this GDPR obligation. An exploration of officially approved certification schemes shows that the certification requirements may lay down concrete use cases which can guide data controllers about compliance with the obligation of data protection by design. Even though these policies are not a comprehensive guide for data protection by design, they lay down valuable solutions with respect to effective compliance. Moreover, the data protection measures of compliance in certification criteria have been approved by the competent Data Protection Authority and possibly the European Data Protection Board. As the present paper argues, the official approval by the competent authorities creates legitimate expectations under European Union law. Specifically, data controllers can legitimately expect that abidance by approved safeguards meets the expectations of the authorities that are entrusted with monitoring their compliance. For these reasons, certification, though an ex post mechanism, can offer valuable ex ante guidance.
AB - Data protection by design is an obligation for data controllers according to article 25(1) of the General Data Protection Regulation (GDPR). The present paper explores the concept of data protection by design and proposes that data protection certificates can offer guidance to data controllers about compliance with this GDPR obligation. An exploration of officially approved certification schemes shows that the certification requirements may lay down concrete use cases which can guide data controllers about compliance with the obligation of data protection by design. Even though these policies are not a comprehensive guide for data protection by design, they lay down valuable solutions with respect to effective compliance. Moreover, the data protection measures of compliance in certification criteria have been approved by the competent Data Protection Authority and possibly the European Data Protection Board. As the present paper argues, the official approval by the competent authorities creates legitimate expectations under European Union law. Specifically, data controllers can legitimately expect that abidance by approved safeguards meets the expectations of the authorities that are entrusted with monitoring their compliance. For these reasons, certification, though an ex post mechanism, can offer valuable ex ante guidance.
KW - certification
KW - Data protection by design
KW - legitimate expectations
UR - http://www.scopus.com/inward/record.url?scp=85174302955&partnerID=8YFLogxK
U2 - 10.1080/13600869.2023.2269498
DO - 10.1080/13600869.2023.2269498
M3 - Article
AN - SCOPUS:85174302955
SN - 1360-0869
VL - 38
SP - 245
EP - 263
JO - International Review of Law, Computers and Technology
JF - International Review of Law, Computers and Technology
IS - 2
ER -