
Adopted

Opinion 28/2022 on the Europrivacy criteria of certification regarding their approval by the Board as European Data Protection Seal pursuant to Article 42.5 (GDPR)

Adopted on 10 October 2022

The European Data Protection Board

Having regard to Article 63, Article 64(2) and Article 42 of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter GDPR),

Having regard to the European Economic Area (hereinafter EEA) Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA Joint Committee No 154/2018 of 6 July 2018 [1],

Having regard to Articles 10 and 22 of its Rules of Procedure.

(1) Member States, supervisory authorities, the European Data Protection Board (hereinafter the EDPB or the Board) and the European Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms (hereinafter certification mechanisms) and of data protection seals and marks, for the purpose of demonstrating compliance with the GDPR of processing operations by controllers and processors, taking into account the specific needs of micro, small and medium-sized enterprises. [2] In addition, the establishment of certification mechanisms can enhance transparency and allow data subjects to assess the level of data protection of relevant products and services. [3]

(2) The criteria of certification form an integral part of a certification mechanism. Consequently, the GDPR requires the approval of the criteria of a national certification mechanism by the competent supervisory authority (Articles 42(5) and 43(2)(b) of the GDPR), or in the case of a European Data Protection Seal, by the EDPB (Articles 42(5) and 70(1)(o) of the GDPR).

(3) When a supervisory authority (hereinafter SA) intends to propose the approval by the EDPB of a European data protection seal pursuant to Article 42(5) of the GDPR, the SA should state the intention of the scheme owner to offer the certification mechanism in all Member States. In this case, the main role of the EDPB is to ensure the consistent application of the GDPR, through the consistency mechanism referred to in Articles 63, 64 and 65 of the GDPR. In this framework, according to Article 64(2) of the GDPR, the EDPB is approving the criteria of certification.

(4) This Opinion aims to ensure the consistent application of the GDPR, including by the SAs, controllers and processors, in the light of the core elements which certification mechanisms have to develop. In particular, the EDPB assessment is carried out on the basis of Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation (hereinafter the Guidelines) and their Addendum providing Guidance on certification criteria assessment (hereinafter the Addendum), for which the public consultation period expired on 26 May 2021.

(5) Accordingly, the EDPB acknowledges that each certification mechanism should be addressed individually and is without prejudice to the assessment of any other certification mechanism.

[1] References to Member States made throughout this Opinion should be understood as references to EEA Member States.

[2] Article 42(1) of the GDPR.

[3] Recital 100 of the GDPR.


(6) Certification mechanisms should enable controllers and processors to demonstrate compliance with the GDPR. Therefore, their criteria should properly reflect the requirements and principles concerning the protection of personal data laid down in the GDPR and contribute to its consistent application.

(7) At the same time, the scheme owner should ensure the alignment and conformity of the certification mechanism with any included or leveraged ISO standards and certification practices.

(8) As a result, certifications should add value to controllers and processors by helping to implement standardized and specified organizational and technical measures that demonstrably facilitate and enhance processing operation compliance to the GDPR, taking account of sector-specific requirements.

(9) The EDPB welcomes the efforts made by scheme owners to elaborate certification mechanisms, which are practical and potentially cost-effective tools to ensure greater consistency with the GDPR and foster the right to privacy and data protection of data subjects by increasing transparency.

(10) The EDPB recalls that certifications are voluntary accountability tools, and that the adherence to a certification mechanism does not reduce the responsibility of controllers or processors for compliance with the GDPR or prevent supervisory authorities from exercising their tasks and powers pursuant to the GDPR and the relevant national laws.

(11) In this Opinion, the EDPB addresses issues such as the scope of the criteria, and the applicability and relevance of the criteria in all Member States.

(12) This Opinion focusses on the certification criteria. In case the EDPB requires high level information on the evaluation methods in order to be able to thoroughly assess the auditability of the criteria in the context of its Opinion thereof, the latter does not encompass any kind of approval of such evaluation methods.

(13) The Opinion of the EDPB shall be adopted, pursuant to Article 64(2) of the GDPR in conjunction with Article 10(2) of the EDPB Rules of Procedure, within eight weeks from the first working day after the Chair and the competent supervisory authority have decided that the file is complete. Upon decision of the Chair, this period may be extended by a further six weeks taking into account the complexity of the subject matter. If the Opinion of the EDPB concludes that the criteria at stake cannot be approved, the SA may resubmit the criteria for approval when the concerns expressed in the initial EDPB Opinion are addressed.

HAS ADOPTED THE FOLLOWING OPINION:

1 SUMMARY OF THE FACTS

1. In accordance with Article 42(5) of the GDPR and the Guidelines, the Europrivacy v.60 criteria (hereinafter the draft certification criteria, certification criteria or criteria) were drafted by the European Center for Certification and Privacy (hereinafter the scheme owner).

2. The Supervisory Authority of Luxembourg (hereinafter the LU SA) has submitted the Europrivacy criteria of certification to the EDPB for approval pursuant to Article 64(2) GDPR on 28 September 2022. The decision on the completeness of the file was taken on 28 September 2022.

3. The Europrivacy certification mechanism is not a certification according to Article 46(2)(f) of the GDPR meant for international transfers of personal data and therefore does not provide appropriate safeguards within the framework of transfers of personal data to third countries or international organisations under the terms referred to in letter (f) of Article 46(2). Indeed, any transfer of personal data to a third country or to an international organisation shall take place only if the provisions of Chapter V of the GDPR are respected.

2 ASSESSMENT

4. The EDPB has conducted its assessment of the criteria of certification for their approval under Article 42(5) of the GDPR in line with the structure foreseen in Annex 2 to the Guidelines (hereinafter Annex) and its Addendum.

5. The EDPB notes that the implementing guidance and suggested means of verification of the certification mechanism provided by the scheme owner are not always consistent throughout the catalogue of criteria. For instance, section T.2.3.2 requires that rules, policies, procedures or mechanisms are in place to detect and report intrusions (e.g. an intrusion detection system that monitors network traffic for suspicious activity and alerts when such activity is discovered), whereas the suggested means of verification refer to inspection and penetration test (required in section T.2.3.1). Although such inconsistencies do not fall under the scope of its assessment, the EDPB underlines that they may be a barrier to the accreditation of the certification body, unless rectified by the scheme owner.

2.1 Scope of the certification mechanism and Target of Evaluation (ToE)

6. The Europrivacy certification mechanism is a general scheme in that it targets a large range of different processing operations performed by controllers and processors from various sectors of activity. The main criteria of this certification mechanism are composed of the Core criteria and of the TOMs checks and controls concerning technological and organisational measures set in place to secure the processed personal data. A set of the TOMs checks and controls criteria are only applicable if the Target of Evaluation (hereinafter ToE) processes special categories of data, criminal offense related data, or personal data of a child.

7. Additionally, the criteria also include Complementary contextual checks and controls that aim to ensure that the data processing involved in the ToE complies with domain-specific and technology-specific requirements. An informative matrix provided by the scheme owner describes to which categories of data processing operations each set of the Complementary contextual checks and controls criteria apply.

8. The EDPB welcomes general schemes that include specific criteria so as to make them scalable and applicable to specific processing operations or sectors of activity. However, the EDPB also wishes to clarify that in the context of a general scheme, the completeness of the criteria relating to specific processing operations is not required and thus was not assessed in the context of this Opinion. In addition, the EDPB recalls that when it publishes documents related to specific processing activities, such documents shall be taken into account by the scheme owner and the accredited certification bodies.

9. The criteria applicable to the specification of the ToE are defined in the requirements available in A.2.1.1. The specific rules applicable to the process to be followed by the applicant and by the certification body in order to define the ToE are specified by the Europrivacy scheme (10.2 - Pre-certification Activities).


10. The Board notes in the documentation related to the scope of the certification mechanism provided by the LU SA that the Europrivacy scheme applies to controllers and processors established in the European Union (EU) or in the European Economic Area (EEA). The applicability of the criteria is defined depending on the role and responsibilities of the applicant.

11. The Board notes that a data controller can submit to the Europrivacy certification process a ToE which is subject to joint-controllership (criteria A.2.7.1). In case the ToE is subject to joint-controllership, the Board wishes to underline that the accredited certification body will have to carefully conduct the application process to ensure that the ToE is meaningful and that the applicant is fully responsible for the compliance of the ToE with all obligations under the GDPR that the certification mechanism aims at demonstrating. As a consequence, the arrangement concluded between the applicant and the other joint controllers involved in the ToE with regard to their respective responsibilities for compliance with the obligations under the GDPR [4] might, depending on the context of the processing activities of the ToE, prevent the applicant from fulfilling the criteria of certification.

12. The Board notes that the data processing of genetic data is excluded from the scope of the Europrivacy certification mechanism. As a consequence, the assessment of the criteria conducted by the Board does not cover the suitability of the criteria for a ToE that would include such data processing.

2.2 Processing operations

13. The criteria address the relevant components of the processing operations (data, systems, and processing) with respect to the general scope of the certification mechanism. In particular, the criteria allow identifying special categories of data as defined in Article 9 of the GDPR (section G.2 of the criteria - Special Data Processing).

2.3 Lawfulness of processing

14. The criteria require checking the lawfulness of the data processing for each individual processing operation in the ToE and require checking the requirements of a legal basis as defined in Article 6 of the GDPR (section G.1 of the criteria - Lawfulness of Data Processing).

2.4 Principles of data processing

15. The criteria adequately address the data protection principles pursuant to Article 5 of the GDPR. In particular, the criteria require the applicant to demonstrate that the personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation).

2.5 General obligations of controllers and processors

16. The criteria reflect the obligations of the controller pursuant to Article 24 of the GDPR (G.4 - Data Controller Responsibility) and require the evaluation of processor-controller contractual agreements in accordance with Article 28 of the GDPR (section G.5 of the criteria - Data Processors or sub-Processors).

[4] The determination of their respective responsibilities must in particular regard the exercise of data subjects' rights and the duties to provide information. In addition to this, the distribution of responsibilities should cover other controller obligations such as regarding the general data protection principles, legal basis, security measures, data breach notification obligation, data protection impact assessments, the use of processors, third country transfers and contacts with data subjects and supervisory authorities (Guidelines 07/2020 on the concepts of controller and processor in the GDPR).

17. The criteria require all applicants to appoint a Data Protection Officer (DPO) even in the case where the applicant is not required to designate a DPO according to Article 37 of the GDPR. The criteria check that the DPO meets the requirements under Articles 37 to 39 (section G.9 of the criteria - Data Protection Officer).

18. The criteria check the content of the records of processing activities in accordance with Article 30 of the GDPR (section G.5.3 of the criteria - Records of processing activities).

2.6 Rights of the data subjects

19. The criteria adequately address data subjects' right to information in accordance with Chapter III of the GDPR and require respective measures to be put in place. The criteria also require measures put in place providing for the possibility to intervene in the processing operation in order to guarantee data subjects' rights and allow corrections, erasure or restrictions (section G.3 of the criteria - Rights of the Data Subjects).

2.7 Risks for the rights and freedoms

20. The criteria require assessing the risk to the rights and freedoms of natural persons of the data processing involved in the ToE in accordance with Article 35 of the GDPR (section G.8 of the criteria - Data Protection Impact Assessment).

2.8 Technical and organisational measures guaranteeing protection

21. The criteria require the application of technical and organisational measures providing for confidentiality, integrity and availability of processing operations. The criteria also require the application of technical measures to implement data protection by design and by default in accordance with Article 25 and Article 32 of the GDPR (section G.6 of the criteria - Security of Processing and Data Protection by Design; sections T.1/T.2 of the criteria - Core Security Requirements/Extended Security Requirements).

22. The criteria require the application of measures to ensure that personal data breach notification duties are carried out in due time and scope in accordance with Articles 33 and 34 of the GDPR (section G.7 of the criteria - Management of Data Breaches).

2.9 Criteria for the purpose of demonstrating the existence of appropriate safeguards for transfer of personal data

23. The criteria require identifying all personal data transfers to third countries and to international organisations involved in the ToE and substantiating the choice made regarding the data transfer mechanism providing for appropriate safeguards, pursuant to Chapter V of the GDPR (section G.10 of the criteria - Transfers of personal data to third countries or international organisations).

3 ADDITIONAL CRITERIA FOR A EUROPEAN DATA PROTECTION SEAL

24. According to the Guidelines, the assessment shall include the question of whether the criteria are able to take into account Member State data protection laws or scenarios. Section G.1.1.3 of the criteria requires the applicant to provide such an assessment in a National Obligations Compliance Assessment Report (NOCAR). The Board notes that such report shall include an assessment of the national obligations applicable to the ToE and will document the measures taken by the applicant to comply with applicable rules and, possibly, ongoing corrective actions. The applicant shall not use the key complementary national requirements list provided by the scheme owner for each country as an exhaustive list of national obligations relevant for the ToE. The indicative list of minimal complementary checks and controls requirements provided by the scheme owner is not part of the criteria of certification in the scope of this Opinion.

CONCLUSIONS / RECOMMENDATIONS

25. By way of conclusion, the EDPB considers that the Europrivacy criteria of certification are consistent with the GDPR and approves them pursuant to the task of the Board defined in Article 70(1)(o) of the GDPR, resulting in a common certification (European Data Protection Seal).

26. The EDPB will register the Europrivacy certification mechanism in the public register of certification mechanisms and data protection seals and marks pursuant to Article 42(8).

FINAL REMARKS

27. This Opinion is addressed to the LU SA and will be made public pursuant to Article 64(5)(b) of the GDPR.

For the European Data Protection Board

The Chair
