The CNPD adopted its certification mechanism GDPR-CARPA on 13 May 2022. GDPR-CARPA is the first certification mechanism to be adopted, at national or international level, under the GDPR (General Data Protection Regulation).
A launch conference will take place on 28 June 2022 at 14:00.
Certification in personal data protection
Companies, public authorities, associations and other organisations established in Luxembourg now have the possibility to demonstrate that their data processing activities comply with the GDPR. GDPR-CARPA thus offers controllers and processors a way to demonstrate a high level of compliance with the Regulation for the processing activities covered by the certification.
The implementation of a certification mechanism can promote transparency and compliance with the GDPR, and allows data subjects to better gauge the degree of protection offered by the products, services, processes or systems used or offered by the organisations that process their personal data. Note that a GDPR certification mechanism does not certify an organisation as such, but rather specific processing operations: the scope of a certificate is limited to the processing activities that were audited.
GDPR-CARPA: the first certification mechanism under the GDPR
To date, the CNPD is the only European supervisory authority to have developed a GDPR certification mechanism. As the entity that developed these certification criteria, the CNPD is the owner of the certification mechanism.
The numerous exchanges the CNPD has had with audit professionals since the GDPR came into effect in 2018 have helped to determine the value of a GDPR certification, as well as the type of certification that would be useful in the Luxembourg ecosystem. In consultation with these actors, the CNPD developed a first version of its certification mechanism. The other European data protection authorities then examined these criteria under the consistency mechanism, and the European Data Protection Board (EDPB) issued its formal opinion on GDPR-CARPA.
At European level, the CNPD has been a driving force behind the progress made by the EDPB in the field of certification, notably as rapporteur for the adopted guidance and by assisting the EDPB in issuing formal opinions on this novel subject.
Unique feature of the GDPR-CARPA certification mechanism
In Luxembourg, the CNPD accredits the entities that will issue GDPR-CARPA certifications. The accreditation criteria for these certification bodies, developed by the CNPD with regard to GDPR-CARPA, are based on ISAE 3000 (assurance engagements), ISQC 1 (quality control for firms performing assurance engagements) and ISO/IEC 17065 (requirements for bodies certifying products, processes and services, the standard the GDPR itself refers to for the accreditation of certification bodies). These accreditation criteria frame the work of the certification body and of the professional auditors it relies on.
The unique feature of the CNPD certification mechanism is that it is based on an ISAE 3000 Type 2 report. Unlike a Type 1 report, which only assesses the design of controls at a point in time, a Type 2 report allows the auditor to issue an opinion on whether the controls were correctly implemented and operated over the review period, and the auditor is formally held responsible for that opinion.
This guarantees a high level of confidence, a key factor in building the trust of the relevant actors, and above all of the data subjects, in the processing of personal data covered by the certification scheme.