Definition of certification criteria

The GDPR has established the framework for the development of certification criteria. These must be based on the principles and rules of the GDPR. The certification procedure, for its part, must follow the fundamental requirements as defined in Articles 42 and 43 of the Regulation.

When drawing up the criteria, the focus should be on the verifiability, importance and relevance of the certification criteria for demonstrating compliance with the Regulation.

Certification criteria should be formulated in such a way that they are clear and understandable and can be applied in practice.

When the certification criteria are drawn up, the following compliance aspects are taken into account, depending on the type(s) of processing involved:

  • lawfulness of processing (art. 6)
  • the principles of data processing (art. 5)
  • the rights conferred on data subjects (art. 12 to 23)
  • the obligation to notify data breaches (art. 33)
  • the obligation to protect data by design and by default (art. 25)
  • whether a data protection impact assessment has been carried out (art. 35)
  • the technical and organisational measures put in place (art. 32).

The extent to which these considerations are taken into account in the criteria may vary depending on the scope of the certification, its perimeter, the types of processing operation(s) and the sector of activity to which the processing applies.

What can be certified under the GDPR?

The European Data Protection Board (EDPB) considers that the GDPR offers very broad possibilities in terms of what can be certified, provided that the focus is on demonstrating compliance with the Regulation by controllers and processors in relation to their processing operations (Article 42(1)).

As a result, certification under the GDPR is not possible for:

  • products or services if the notion of controller or processor is absent from them
  • an organisation or a data protection management system alone, as such certification would not relate to processing operations.

When assessing a processing operation, the following three basic elements should be taken into account, as appropriate:

  1. personal data (material scope of the GDPR);
  2. technical systems: the infrastructure, such as hardware and software, used to process personal data; and
  3. processes and procedures related to the processing operation(s).

These three fundamental elements are relevant to the design of certification procedures and criteria. The extent to which they are taken into account may vary depending on the purpose of the certification. For example, in some cases, certain components may be ignored if they are not deemed relevant to the purpose of certification.

The EDPB Guidelines 1/2018 explain in detail which components can be certified under the GDPR.

Fees

The application for CNPD approval of certification criteria is subject to payment of a fee by the owner of the certification scheme to the CNPD. The amount of this fee depends on the stage of the approval procedure and is set out in CNPD Regulation No. 7/2020 of 3 April 2020 setting the amount and methods of payment of fees under its authorisation and consultation powers.

If an organisation wishes to develop a certification scheme and submit it to the CNPD for approval, it is advisable to contact the supervisory authority as soon as the project is launched.
