The numerous exchanges between the CNPD and companies during the GDPR preparation phase showed that companies are particularly interested in certification under the GDPR.
Convinced of the added value that certification can offer, the CNPD has taken a particularly proactive approach by developing a certification framework based on the International Standard on Assurance Engagements (ISAE) framework for assurance engagements.
The CNPD has therefore proposed the GDPR-CARPA scheme, which was submitted to an initial public consultation in June 2018 and then, after incorporating the feedback received at national and European level, to a second consultation in May 2021.
The CNPD has based its work on two pillars:
- The first pillar concerns the certification criteria to be met by an organisation wishing to have some of its data processing certified.
- The second pillar concerns the accreditation criteria to be met by an organisation wishing to act as a certification body.
In this context, as lead rapporteur at the European Data Protection Board (EDPB), the CNPD contributed to
- the implementation of procedures for the adoption of accreditation criteria for certification bodies,
- the adoption of certification criteria and
- the adoption of a European certification label.
The CNPD is also the first data protection authority to submit its accreditation criteria to the EDPB for an opinion by the end of 2020. It is also the first data protection authority to submit certification criteria (GDPR-CARPA) to the EDPB for its opinion at the end of 2021.
The GDPR-CARPA certification criteria were adopted by the CNPD on 13 May 2022.
GDPR-CARPA: the first and only certification scheme under the GDPR
To date, the CNPD is the only European supervisory authority to have itself developed a certification scheme under the GDPR. As the entity that developed the certification criteria, the CNPD is also the owner of the certification scheme.
The CNPD's numerous exchanges with audit stakeholders since the GDPR came into force in 2018 have helped to determine the interest in, and the type of, certification under the GDPR that could be useful for the Luxembourg ecosystem. In consultation with these stakeholders, it developed a first version of its certification scheme. The certification criteria were then examined by its European counterparts as part of the European consistency mechanism and were the subject of an opinion issued by the European Data Protection Board (EDPB).
At European level, the CNPD has played a leading role in advancing the work of the EDPB in the field of certification, in particular as rapporteur for the guidelines and in enabling the EDPB to issue formal opinions on this new subject.
Unique feature of GDPR-CARPA certification
In Luxembourg, the CNPD also has the role of accrediting GDPR certification bodies. The accreditation criteria for certification bodies, linked to GDPR-CARPA certification and developed by the CNPD, are based on the ISAE 3000 standard (assurance engagements), ISQC 1 (quality control of audit firms) and the ISO/IEC 17065 standard (requirements for bodies certifying products, processes and services). These accreditation criteria provide a framework for the work carried out by the certification body and the audit professional.
The innovative and unique feature of this CNPD certification scheme is that it is based on an ISAE 3000 Type 2 report, which provides an opinion on whether the control system has been properly implemented and has operated effectively over a period of time, while also making the auditor formally accountable for that opinion. This guarantees a high level of rigour, which is a decisive factor in ensuring that stakeholders, and above all data subjects, can have confidence in the processing of their personal data covered by the certification.
Scope of GDPR-CARPA certification
GDPR-CARPA certification is designed to give controllers and processors a high level of assurance that they apply technical and organisational measures meeting their GDPR obligations for their certified processing operations. It is an element that enables controllers and processors to demonstrate the compliance of these certified processing operations with the GDPR.
The aim of GDPR-CARPA is to support controllers and processors in their obligation to implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing within the scope of the certification is carried out in accordance with their accountability obligation under the GDPR.
Non-sector criteria
The GDPR-CARPA certification criteria are designed to be sufficiently flexible to be relevant to a range of processing operations across multiple sectors. Each entity can define and implement the measures best suited to its specific situation and sector to comply with the criteria.
Limitation of the scope of the certification scheme
- Although elements of information security have been integrated into the scheme, they are not the focus of this certification mechanism. GDPR-CARPA does not certify the security of the processing within its scope; rather, it focuses on the responsibility of controllers/processors to implement a governance system that enables them to define and implement information security management measures for the processing activity within its scope. To obtain assurance on the information security measures actually implemented, other appropriate information security certifications and frameworks should be considered.
- Only data controllers and processors established in Luxembourg, under the supervision of the CNPD, may apply for GDPR-CARPA certification.
Exclusion from the scope of certification
GDPR-CARPA is not suitable:
- for certifying the processing of personal data specifically targeting minors under the age of 16;
- for certifying processing activities in the context of joint control;
- for processing activities under Article 10 of the GDPR (personal data relating to criminal convictions and offences);
- for entities that have not appointed a DPO (Article 37 of the GDPR). It should be noted that entities are free to appoint a DPO, even in cases where they are not legally obliged to do so.
What are the main steps involved in obtaining GDPR-CARPA certification?
Certification criteria: general rules to be followed by organisations applying for GDPR-CARPA certification
The GDPR-CARPA certification criteria contain the rules to be followed by entities applying for GDPR-CARPA certification. These entities must ensure that their internal measures are designed, implemented and operated in such a way as to enable them to meet the requirements set out in these certification criteria. During the certification audit, the certification body checks whether the design, implementation and operation of these measures comply with the requirements defined by the certification criteria.
The certification body structures its assessment tasks as follows:
- Design and implementation: The auditor examines the documented design/description of a measure (e.g. in the form of a procedure) and assesses whether, as designed, it would satisfy the certification criteria, i.e. whether it has been designed to comply with them and has actually been put in place.
- Operational effectiveness: Having examined the design and implementation of a measure, the auditor tests its operational effectiveness by checking whether the control or measure works in practice as it should and as documented, for example through observation, evaluation, sampling, interviews or interaction with a system interface.
If a criterion is not applicable to a specific context within the entity, the certification body will document this by stating the reasons why it is not applicable.
In addition, the official guidelines published by the EDPB can be used to support a better understanding of the requirements of the GDPR and to provide guidance with regard to the implementation of these GDPR requirements. These guidelines can, for example, support the design and practical implementation of organisational and technical measures, but it should be noted that in the context of GDPR-CARPA certification, entities must strictly comply with the certification criteria in order to obtain certification.
Organisation of the GDPR-CARPA certification criteria
The criteria are organised into 3 sections:
Section I:
- Applies to entities acting as data controllers and data processors
- Contains criteria relating to data protection governance
Section II:
- Applies to entities acting as controllers
- Covers data protection principles, data subject rights and governance criteria related to security of processing
Section III:
- Applies to entities acting as processors
- Contains mainly criteria on contractual obligations (with the controller), governance in relation to security of processing, outsourcing, etc.
How long is a GDPR-CARPA certificate valid for?
A certificate is valid for 3 years, subject to a successful annual full audit.
Which certification bodies can issue a GDPR-CARPA certificate?
GDPR-CARPA certification can only be awarded by certification bodies approved by the CNPD. The list of approved certification bodies will be published on the CNPD website.
Responsibility of an organisation that has obtained a GDPR-CARPA certificate
The GDPR-CARPA certification criteria and the ISAE 3000 assurance report have been designed to support a certification scheme as described in Article 42 of the GDPR. Under the GDPR, entities (controllers and processors) may rely on certification to demonstrate compliance with certain elements of the GDPR. However, the GDPR also states that certification under Article 42 does not reduce the responsibility of the controller or processor for compliance with the GDPR and is without prejudice to the tasks and powers of the competent supervisory authorities under Article 55 or 56.