The CNPD organized a three-day workshop in Luxembourg on the subject of the certification of data-processing operations under the GDPR. From 22 to 24 November 2023, representatives of data protection authorities and GDPR certification professionals from all over Europe discussed the development, the challenges and future opportunities for the GDPR certification schemes.
The first day was dedicated to feedback from certification stakeholders (certification scheme owners, certification bodies, consulting and law firms specialized in GDPR, etc.) with the objective of gaining a mutual understanding of the actual challenges and needs that the main GDPR certification actors face today. The stakeholders discussed potential issues and how they might be resolved. The observations were aggregated and disseminated among the participants in order to be taken into account in the evolving work on the GDPR certification.
On the second day, participants covered issues arising when using the certification as a tool for data transfers to countries outside the European Economic Area (EEA). The resulting conclusions are to flow into the review of future schemes and define the scope of such reviews in this field. Another point on the agenda was the methods of cooperation between the EDPB expert groups, the national accreditation bodies and other external stakeholders for the GDPR certification schemes assessment, etc.
On the final day, the representatives of the data protection authorities discussed a predefined set of certification- and cooperation-related issues that have repeatedly come up amidst the EDPB expert groups, for example how to develop and encourage GDPR certification at the EEA level.
Currently the only European supervisory authority to have itself developed a certification scheme under the GDPR (“GDPR CARPA”), the CNPD was honoured to have been given the opportunity to organize this workshop and would like to thank all the participants for the time and effort they have invested.