Certification in the field of data protection

The CNPD is the first data protection authority in Europe to deliver an accreditation to a GDPR certification body

On 12 October 2022, the CNPD accredited the société à responsabilité limitée EY PFS Solutions in the context of its own certification mechanism “GDPR-CARPA”. This is the first accreditation granted by the CNPD to a certification body in Luxembourg and in Europe. EY PFS Solutions, established in Luxembourg, can therefore issue certifications under the General Data Protection Regulation (GDPR) on the basis of the “GDPR-CARPA” certification mechanism during the period of validity of the accreditation, which is 5 years.

With the GDPR certification, companies, public authorities, associations and other organizations established in Luxembourg have the possibility to demonstrate that their data processing activities comply with the GDPR. It offers controllers and processors a high level of compliance with the regulation for their data processing activities covered by the certification.

The implementation of a certification mechanism can promote transparency and compliance with the GDPR, and allow data subjects to better gauge the degree of protection offered by products, services, processes or systems used or offered by the organizations that process their personal data. GDPR certification mechanisms may also be useful in business-to-business relationships, for example between the controller and its processor. These actors can thus benefit from an independent certificate from a third party to demonstrate that their data processing operations comply with the European regulation.

The unique feature of the CNPD certification mechanism is that it is based on an ISAE 3000 Type 2 report, which allows for the issuing of an opinion on the correct implementation of the control mechanism, while the auditor is formally held responsible. This guarantees a high level of confidence, a key factor in enabling the relevant actors, and above all the data subjects, to build trust in the processing of personal data covered by the certification scheme.
