TheEuropeanDataProtectionBoard
HavingregardtoArticle63,Article64(2)andArticle42oftheRegulation2016/679/EUoftheEuropean ParliamentandoftheCouncilof27April2016ontheprotectionofnaturalpersonswithregardtothe processingofpersonaldataandonthefreemovementofsuchdata,andrepealingDirective95/46/EC (hereinafterGDPR),
HavingregardtotheEuropeanEconomicArea(hereinafterEEA)Agreementandinparticularto AnnexXIandProtocol37thereof,asamendedbytheDecisionoftheEEAjointCommitteeNo 154/2018of6July20181 ,
HavingregardtoArticles10and22ofitsRulesofProcedure.
(1) MemberStates,supervisoryauthorities,theEuropeanDataProtectionBoard(hereinaftertheEDPB ortheBoard)andtheEuropeanCommissionshallencourage,inparticularatUnionlevel,the establishmentofdataprotectioncertificationmechanisms(hereinaftercertificationmechanisms) andofdataprotectionsealsandmarks,forthepurposeofdemonstratingcompliancewiththeGDPR ofprocessingoperationsbycontrollersandprocessors,takingintoaccountthespecificneedsofmicro, smallandmedium-sizedenterprises.2Inaddition,theestablishmentofcertificationmechanismscan enhancetransparencyandallowdatasubjectstoassessthelevelofdataprotectionofrelevant productsandservices.3
(2) Thecriteriaofcertificationformanintegralpartofacertificationmechanism.Consequently,theGDPR requirestheapprovalofthecriteriaofanationalcertificationmechanismbythecompetent supervisoryauthority(Articles42(5)and43(2)(b)oftheGDPR),orinthecaseofaEuropeanData ProtectionSeal,bytheEDPB(Articles42(5)and70(1)(o)oftheGDPR).
(3) Whenasupervisoryauthority(hereinafterSA)intendstoproposetheapprovalbytheEDPBofa Europeandataprotectionsealpursuanttoarticle42(5)oftheGDPR,theSAshouldstatetheintention oftheschemeownertoofferthecertificationmechanisminallMemberStates.Inthiscase,themain roleoftheEDPBistoensuretheconsistentapplicationoftheGDPR,throughtheconsistency mechanismreferredtoinArticles63,64and65oftheGDPR.Inthisframework,accordingtoArticle 64(2)oftheGDPR,theEDPBisapprovingthecriteriaofcertification.
(4) ThisOpinionaimstoensuretheconsistentapplicationoftheGDPR,includingbytheSAs,controllers andprocessorsinthelightofthecoreelements,whichcertificationmechanismshavetodevelop.In particular,theEDPBassessmentiscarriedoutonthebasisGuidelines1/2018oncertificationand identifyingcertificationcriteriainaccordancewithArticles42and43oftheRegulation(hereinafter theGuidelines)andtheirAddendumprovidingGuidanceoncertificationcriteriaassessment (hereinaftertheAddendum),forwhichthepublicconsultationperiodexpiredon26May2021.
(5) Accordingly,theEDPBacknowledgesthateachcertificationmechanismshouldbeaddressed individuallyandiswithoutprejudicetotheassessmentofanyothercertificationmechanism.
1ReferencestoMemberStatesmadethroughoutthisOpinionshouldbeunderstoodasreferencestoEEA MemberStates.
2Article42(1)oftheGDPR.
3Recital100oftheGDPR.
(6) Certificationmechanismsshouldenablecontrollersandprocessorstodemonstratecompliancewith theGDPR.Therefore,itscriteriashouldproperlyreflecttherequirementsandprinciplesconcerning theprotectionofpersonaldatalaiddownintheGDPRandcontributetoitsconsistentapplication.
(7) Atthesametime,schemeownershouldensurethealignmentandconformityofthecertification mechanismwithanyincludedorleveragedISOstandardsandcertificationpractices.
(8) Asaresult,certificationsshouldaddvaluetocontrollersandprocessorsbyhelpingtoimplement standardizedandspecifiedorganizationalandtechnicalmeasuresthatdemonstrablyfacilitateand enhanceprocessingoperationcompliancetotheGDPR,takingaccountofsector-specific requirements.
(9) TheEDPBwelcomestheeffortsmadebyschemeownerstoelaboratecertificationmechanisms,which arepracticalandpotentiallycost-effectivetoolstoensuregreaterconsistencywiththeGDPRand fostertherighttoprivacyanddataprotectionofdatasubjectsbyincreasingtransparency.
(10)TheEDPBrecallsthatcertificationsarevoluntaryaccountabilitytools,andthattheadherencetoa certificationmechanismdoesnotreducetheresponsibilityofcontrollersorprocessorsforcompliance withtheGDPRorpreventsupervisoryauthoritiesfromexercisingtheirtasksandpowerspursuantto theGDPRandtherelevantnationallaws.
(11)InthisOpinion,theEDPBaddressesissues,suchasthescopeofthecriteria,theapplicabilityand relevanceofthecriteriainallMemberStates.
(12)ThisOpinionfocussesonthecertificationcriteria.IncasetheEDPBrequireshighlevelinformationon theevaluationmethodsinordertobeabletothoroughlyassesstheauditabilityofthecriteriainthe contextofitsOpinionthereof,thelatterdoesnotencompassanykindofapprovalofsuchevaluation methods.
(13)TheOpinionoftheEDPBshallbeadopted,pursuanttoArticle64(2)ofGDPRinconjunctionwith Article10(2)oftheEDPBRulesofProcedure,withineightweeksfromthefirstworkingdayafterthe Chairandthecompetentsupervisoryauthorityhavedecidedthatthefileiscomplete.Upondecision oftheChair,thisperiodmaybeextendedbyafurthersixweekstakingintoaccountthecomplexityof thesubjectmatter.IftheopinionoftheEDPBconcludesthatthecriteriacannotbeapprovedatstake, theSAmayresubmitthecriteriaforapprovalwhentheconcernsexpressedintheinitialEDPBOpinion areaddressed.
HASADOPTEDTHEFOLLOWINGOPINION:
SUMMARYOFTHEFACTS
1. InaccordancewithArticle42(5)oftheGDPRandtheGuidelines,theEuroprivacyv.60criteria (hereinafterthedraftcertificationcriteria,certificationcriteriaorcriteria)wasdraftedby EuropeanCenterforCertificationandPrivacy(hereinaftertheschemeowner).
2. TheSupervisoryAuthorityofLuxemburg(hereinaftertheLUSA)hassubmittedtheEuroprivacy criteriaofcertificationtotheEDPBforapprovalpursuanttoArticle64(2)GDPRon28September2022 Thedecisiononthecompletenessofthefilewastakenon28September2022.
3. TheEuroprivacycertificationmechanismisnotacertificationaccordingtoarticle46(2)(f)oftheGDPR meantforinternationaltransfersofpersonaldataandthereforedoesnotprovideappropriate safeguardswithintheframeworkoftransfersofpersonaldatatothirdcountriesorinternational
organisationsunderthetermsreferredtoinletter(f)ofArticle46(2).Indeed,anytransferofpersonal datatoathirdcountryortoaninternationalorganisation,shalltakeplaceonlyiftheprovisionsof ChapterVoftheGDPRarerespected.
2ASSESSMENT
4. TheEDPBhasconducteditsassessmentofthecriteriaofcertificationfortheirapprovalunder Articles42(5)oftheGDPRinlinewiththestructureforeseeninAnnex2totheGuidelines(hereinafter Annex)anditsAddendum
5. TheEDPBnotesthattheimplementingguidanceandsuggestedmeansofverificationofthe certificationmechanismprovidedbytheschemeownerarenotalwaysconsistentthroughoutthe catalogueofcriteria.Forinstance,sectionT.2.3.2requiresthatrules,policies,proceduresor mechanismsareinplacetodetectandreportintrusions(e.g.anintrusiondetectionsystemthat monitorsnetworktrafficforsuspiciousactivityandalertswhensuchactivityisdiscovered),whereas thesuggestedmeansofverificationrefertoinspectionandpenetrationtest(requiredinsection T.2.3.1).Althoughsuchinconsistenciesdonotfallunderthescopeofitsassessment,theEDPB underlinesthattheymaybeabarriertotheaccreditationofthecertificationbody,unlessrectifiedby theschemeowner.
2.1ScopeofthecertificationmechanismandTargetofEvaluation(ToE)
6. TheEuroprivacycertificationmechanismisageneralschemeinthatittargetsalargerangeofdifferent processingoperationsperformedbycontrollersandprocessorsfromvarioussectorsofactivityThe maincriteriaofthiscertificationmechanismarecomposedoftheCorecriteriaandoftheTOMs checksandcontrolsconcerningtechnologicalandorganisationalmeasuressetinplacetosecurethe processedpersonaldata.AsetoftheTOMschecksandcontrolscriteriaareonlyapplicableifthe TargetofEvaluation(hereinafterToE)processesspecialcategoriesofdata,criminaloffenserelated data,orpersonaldataofachild.
7. Additionally,thecriteriaalsoincludeComplementarycontextualchecksandcontrolsthataimto ensurethatthedataprocessinginvolvedintheToEcomplywithdomain-specificandtechnologyspecificrequirements.Aninformativematrixprovidedbytheschemeownerdescribestowhich categoriesofdataprocessingoperations,eachsetoftheComplementarycontextualchecksand controlscriteriaapply.
8. TheEDPBwelcomesgeneralschemesthatincludespecificcriteriasotomakethemscalableand applicabletospecificprocessingoperationsorsectorofactivity.However,theEDPBalsowishesto clarifythatinthecontextofageneralscheme,thecompletenessofthecriteriarelatingtospecific processingoperationsisnotrequiredandthuswasnotassessedinthecontextofthisOpinion.In addition,theEDPBrecallsthatwhenitpublishesdocumentsrelatedtospecificprocessingactivities, suchdocumentsshallbetakenintoaccountbytheschemeownerandtheaccreditedcertification bodies
9. ThecriteriaapplicabletothespecificationoftheToEaredefinedintherequirementsavailablein A.2.1.1.Thespecificrulesapplicabletotheprocesstobefollowedbytheapplicantandbythe certificationbodyinordertodefinetheToEarespecifiedbytheEuroprivacyscheme(10.2-PrecertificationActivities).
10. TheBoardnotesinthedocumentationrelatedtothescopeofthecertificationmechanismprovided byLUSAthattheEuroprivacyschemeappliestocontrollersandprocessorsestablishedinthe EuropeanUnion(EU)orintheEuropeanEconomicArea(EEA).Theapplicabilityofthecriteriais defineddependingontheroleandresponsibilitiesoftheapplicant
11. TheBoardnotesthatadatacontrollercansubmittotheEuroprivacycertificationprocessaToEwhich issubjecttojoint-controllership(criteriaA.2.7.1).IncasetheToEissubjecttojoint-controllership,the Boardwishestounderlinethatthetheaccreditedcertificationbodywillhavetocarefullyconductthe applicationprocesstoensurethattheToEismeaningfulandthattheapplicantisfullyresponsiblefor thecomplianceoftheToEwithallobligationsundertheGDPRthatthecertificationmechanismaims atdemonstrating.Asaconsequence,thearrangementconcludedbetweentheapplicantandtheother jointcontrollersinvolvedintheToEwithregardstotheirrespectiveresponsibilitiesforcompliance withtheobligationsundertheGDPR4mightmight dependingonthecontextoftheprocessing activitiesoftheToE-preventtheapplicanttofulfilthecriteriaofcertification.
12. TheBoardnotesthatthedataprocessingofgeneticdataisexcludedfromthescopeoftheEuroprivacy certificationmechanism.Asaconsequence,theassessmentofthecriteriaconductedbytheBoard doesnotcoverthesuitabilityofthecriteriaforToEthatwouldincludesuchdataprocessing.
2.2Processingoperations
13. Thecriteriaaddresstherelevantcomponentsoftheprocessingoperations(data,systems,and processing)withrespecttothegeneralscopeofthecertificationmechanism.Inparticular,thecriteria allowidentifyingspecialcategoriesofdataasdefinedinArticle9oftheGDPR(sectionG.2ofthe criteria-SpecialDataProcessing)
2.3Lawfulnessofprocessing
14. Thecriteriarequirecheckingthelawfulnessofthedataprocessingforeachindividualprocessing operationsintheToEandrequirecheckingtherequirementsofalegalbasisasdefinedinArticle6of theGDPR(sectionG.1ofthecriteria-LawfulnessofDataProcessing).
2.4Principlesofdataprocessing
15. ThecriteriaadequatelyaddressthedataprotectionprinciplespursuanttoArticle5oftheGDPR.In particular,thecriteriarequiretheapplicanttodemonstratethatthepersonaldataareadequate, relevantandlimitedtowhatisnecessaryinrelationtothepurposesforwhichtheyareprocessed (dataminimisation).
2.5Generalobligationsofcontrollersandprocessors
16. Thecriteriareflecttheobligationsofthecontrollerpursuanttoarticle24oftheGDPR(G.4-Data ControllerResponsibility)andrequiretheevaluationofprocessor-controllercontractualagreements
4Thedeterminationoftheirrespectiveresponsibilitiesmustinparticularregardtheexerciseofdatasubjects rightsandthedutiestoprovideinformation.Inadditiontothis,thedistributionofresponsibilitiesshouldcover othercontrollerobligationssuchasregardingthegeneraldataprotectionprinciples,legalbasis,security measures,databreachnotificationobligation,dataprotectionimpactassessments,theuseofprocessors,third countrytransfersandcontactswithdatasubjectsandsupervisoryauthorities(Guidelines07/2020onthe conceptsofcontrollerandprocessorintheGDPR)
inaccordancewithArticle28oftheGDPR(sectionG.5ofthecriteria-DataProcessorsorsub Processors)
17. ThecriteriarequireallapplicantstoappointaDataProtectionOfficer(DPO)eveninthecasewhere theapplicantisnotrequiredtodesignateaDPOaccordingtoArticle37oftheGDPR.Thecriteriacheck thattheDPOmeettherequirementsunderArticles37to39(sectionG.9ofthecriteria-Data ProtectionOfficer).
18. ThecriteriacheckthecontentoftherecordsofprocessingofactivitiesinaccordancewithArticle30 oftheGDPR(sectionG.5.3ofthecriteria-Recordsofprocessingactivities).
2.6Rightsofthedatasubjects
19. ThecriteriaadequatelyaddressdatasubjectsrighttoinformationinaccordancewithChapterIIIof theGDPRandrequirerespectivemeasurestobeputinplace.Thecriteriaalsorequiremeasuresput inplaceprovidingforthepossibilitytointerveneintheprocessingoperationinordertoguarantee datasubjectsrightsandallowcorrections,erasureorrestrictions(sectionG.3ofthecriteria-Rights oftheDataSubjects)
2.7Risksfortherightsandfreedom
20. Thecriteriarequireassessingtherisktotherightsandfreedomsofnaturalpersonsofthedata processinginvolvedintheToEinaccordancewithArticle35oftheGDPR(sectionG.8ofthecriteriaDataProtectionImpactAssessment)
2.8Technicalandorganisationalmeasuresguaranteeingprotection
21. Thecriteriarequiretheapplicationoftechnicalandorganisationalmeasuresprovidingfor confidentiality,integrityandavailabilityofprocessingoperations.Thecriteriaalsorequirethe applicationoftechnicalmeasurestoimplementdataprotectionbydesignandbydefaultin accordancewithArticle25andArticle32oftheGDPR(sectionG.6ofthecriteria-Securityof ProcessingandDataProtectionbyDesign,SectionT.1/T.2ofthecriteria CoreSecurity Requirements/ExtendedSecurityRequirements).
22. Thecriteriarequiretheapplicationofmeasuretoensurethatpersonaldatabreachnotificationduties arecarriedoutinduetimeandscopeinaccordancewithArticle33and34oftheGDPR(sectionG.7 ofthecriteria-ManagementofDataBreaches).
2.9Criteriaforthepurposeofdemonstratingtheexistenceofappropriatesafeguards fortransferofpersonaldata
23. Thecriteriarequireidentifyingallpersonaldatatransferstothirdcountriesandtointernational organizationsinvolvedintheToEandsubstantiatingthechoicemaderegardingthedatatransfer mechanismprovidingforappropriatesafeguards,pursuanttoChapterVoftheGDPR(sectionG.10of thecriteria-Transfersofpersonaldatatothirdcountriesorinternationalorganisations).
3.ADDITIONALCRITERIAFORAEUROPEANDATAPROTECTIONSEAL
24. AccordingtotheGuidelines,theassessmentshallincludethequestiononwhetherthecriteriaare abletotakeintoaccountMemberStatedataprotectionlawsorscenarios.SectionG.1.1.3ofthe criteriarequirestheapplicanttoprovidesuchanassessmentinaNationalObligationsCompliance AssessmentReport(NOCAR).TheBoardnotesthatsuchreportshallincludeanassessmentofthe
nationalobligationsapplicabletotheToEandwilldocumentthemeasurestakenbytheapplicantto complywithapplicablerulesand,possibly,ongoingcorrectiveactions.Theapplicantshallnotusethe keycomplementarynationalrequirementslistprovidedbytheschemeownerforeachcountryasan exhaustivelistofnationalobligationsrelevantfortheToE.Theindicativelistofminimal complementarychecksandcontrolsrequirementprovidedbytheschemeownerarenotcriteriaof certificationinthescopeofthisOpinion.
CONCLUSIONS/RECOMMENDATIONS
25. Bywayofconclusion,theEDPBconsidersthattheEuroprivacycriteriaofcertificationareconsistent withtheGDPRandapprovesthempursuanttothetaskoftheBoarddefinedinarticle70(1)(o)ofthe GDPR,resultinginacommoncertification(EuropeanDataProtectionSeal).
26. TheEDPBwillregistertheEuroprivacycertificationmechanisminthepublicregisterofcertification mechanismsanddataprotectionsealsandmarkspursuanttoArticle42(8)
FINALREMARKS
27. ThisOpinionisaddressedtotheLUSAandwillbemadepublicpursuanttoArticle64(5)(b)ofthe GDPR.
FortheEuropeanDataProtectionBoard
TheChair