Approval of certification bodies

As part of the implementation of certification mechanisms and data protection labels or marks, under Article 43(1) of the GDPR, Member States are required to ensure that the certification bodies issuing certification under Article 42(1) are accredited by the competent supervisory authority or the national accreditation body, or both.

Approval is granted by the CNPD under Article 15 of the Act of 1 August 2018 on the organisation of the National Data Protection Commission, which confers on the CNPD the power to approve the certification bodies referred to in Article 43(1) of the GDPR.

Purpose of accreditation

The value and purpose of accreditation is to attest, with the necessary authority, to the competence of certification bodies, thereby establishing confidence in the certification mechanism.

Becoming a CNPD-accredited certification body

In order to issue certifications in accordance with Article 43 of the GDPR, a body must obtain accreditation as a certification body issued by the CNPD.

Obtaining such accreditation is subject to compliance by the applicant body with the CNPD's accreditation criteria.

The CNPD must first carry out an audit before issuing accreditation. The CNPD can only issue approvals to organisations established on Luxembourg territory.

Role of a certification body

The role of a certification body is to issue, examine, renew and withdraw certifications on the basis of an approved certification mechanism and criteria.

A certification mechanism and certification criteria must exist for the certification body to be approved in accordance with Article 43 of the GDPR. The scope and type of certification criteria chosen significantly determine the certification procedures.

Requirements for accreditation of certification bodies

The CNPD has adopted two sets of criteria for the accreditation of certification bodies:

  • Luxembourg accreditation requirements of certification bodies (art 43(1)(a)) – Set Alpha. The CNPD will send the list of accreditation criteria on request (email: certification@cnpd.lu). The accreditation criteria designated "Set Alpha" apply to the following certification scheme: GDPR-Carpa. Note: A specific feature of the "Set Alpha" accreditation criteria is the ability of the applicant certification body to issue ISAE 3000 assurance reports (Assurance Engagements Other than Audits or Reviews of Historical Financial Information) as defined by the International Auditing and Assurance Standards Board (IAASB).
  • Luxembourg accreditation requirements of certification bodies (art 43(1)(a)) – Set Bêta. This set of accreditation criteria applies to certification bodies that wish to issue certificates for certification schemes other than GDPR-CARPA that do not require the issuance of ISAE 3000 reports mentioned above.

Approval process

Each certification body approval is linked to a specific certification scheme. If a body wishes to certify under more than one scheme, it must obtain specific approval for each certification scheme.

Approval of a certification body takes place in 3 stages:

  • Stage 1: Analysis of the application for prior approval;

The purpose of this stage is for the CNPD to make an initial assessment of the applicant's maturity in terms of its ability to implement the accreditation criteria.

If the CNPD considers that the level of maturity is sufficient, it issues a favourable preliminary opinion and the application for accreditation will be examined in detail in stage 2.

If the level of maturity is deemed too low (e.g. incomplete dossier, requirements not addressed or only partially addressed, procedures and/or required documents not available), the accreditation procedure will stop at stage 1 and the application for accreditation will be rejected.

To this end, the CNPD stresses the need for the applicant organisation to submit its application file only when it considers that it has reached a high level of maturity with regard to the implementation of the accreditation requirements.

  • Stage 2: Full audit of the application for approval

The certification body's audit begins once the application for approval has been accepted. If necessary, an initial audit report will be issued, which may indicate points to be corrected. In this case, a deadline will be set to allow the applicant organisation to implement the appropriate measures.

If the initial audit report identifies major problems which it is estimated will take longer than 4 months to resolve, the CNPD will terminate the accreditation procedure. A new application for accreditation may be submitted by the applicant organisation once it has made the necessary corrections.

If the organisation already has CNPD accreditation but wishes to extend its scope to include another GDPR certification scheme, it may submit an application for accreditation for additional criteria.

  • Stage 3: Issue of the approval

Once the applicant body has successfully taken into account all the appropriate measures, the CNPD will issue its accreditation.

The certification body is required to respect the rights and obligations arising from its accreditation. It is subject to an annual surveillance audit, which results in a surveillance audit report.

Certification body approval is valid for 5 years. If the certification body wishes to renew its approval for a further period of 5 years, a renewal audit will be required, resulting in a renewal audit report.


Practical details:

  • Before submitting its application, the applicant organisation is invited to carry out a self-assessment of its capacity and maturity to meet the accreditation criteria. This phase is under the control of the applicant organisation itself; the CNPD does not intervene in this phase. We strongly advise organisations seeking accreditation to contact the CNPD before taking any further steps.
  • The applicant organisation completes the certification body application form for the certification scheme of its choice and sends it to the CNPD.
  • On submitting its application, the applicant organisation pays the fee due. This amount depends on the stage of the approval procedure and is set by CNPD regulation N.7/2020 of 3 April 2020 setting the amount and methods of payment of fees under its authorisation and consultation powers.

Please find the procedure for the approval of certification bodies adopted by the National Commission at the link below:

Timeframe for obtaining accreditation

The time taken to obtain accreditation depends on the maturity of the applicant organisation in implementing the accreditation criteria. The CNPD endeavours to limit the procedure to a period of 6 months after the application for accreditation has been submitted.

Fees

For any certification body established on Luxembourg territory wishing to be accredited by the CNPD pursuant to Article 43 of the GDPR and on the basis of the accreditation criteria published by the CNPD, the amount of the fee to be paid to the CNPD depends on the stage of the accreditation procedure and is set out in CNPD Regulation No. 7/2020 of 3 April 2020 setting the amount and terms of payment of fees under its authorisation and consultation powers.
