Partners' and Externals' Perspective
EUROPRIVACY, A DIGITAL BY DESIGN CERTIFICATION SCHEME FOR GDPR COMPLIANCE
Dr Sébastien Ziegler
Chairman of the Europrivacy International Board of Experts, Europrivacy
Europrivacy is a certification scheme developed through the European Research Programme Horizon 2020 to assess data processing activities and certify their compliance with the obligations of the European General Data Protection Regulation (GDPR) and complementary data protection regulations. It is managed by the European Centre for Certification and Privacy (ECCP) in Luxembourg under the supervision of an International Board of Experts. Europrivacy has been brought by the Luxembourgish National Commission for Data Protection (CNPD) to the European Data Protection Board (EDPB) for endorsement under Art. 42 GDPR. It is the first certification scheme under review for official recognition as a European Seal.

GDPR Certification – a powerful mechanism not exploited yet

There are over 70 references to certification in the GDPR, including for assessing the compliance of data processors (Art. 28.5 GDPR), for cross-border data transfers (Art. 42.2, 46.2.f GDPR) and for assessing the adequacy of the technical and organisational measures put in place (Art. 32.3 GDPR). As stated in the Regulation, the purpose of certification is for "demonstrating compliance with this Regulation of processing operations by controllers and processors" (Art. 42 GDPR) and "allowing data subjects to quickly assess the level of data protection of relevant products and services" (Recital 100 GDPR).

As a consequence, certification under the GDPR is subject to very specific requirements. For instance, it needs to be aligned with the evolution of the Regulation, its related jurisprudence and soft law, including EDPB publications. That is why Europrivacy is supported by an International Board of Experts in charge of continuously monitoring the evolution of data protection obligations and updating the scheme accordingly. In other words, Europrivacy is a living scheme in osmosis with the regulatory environment.

Another requirement is to focus specifically on the certification of data processing activities. Consequently, certification of management systems, such as ISO/IEC 27001 and 27701, is not eligible under Art. 42 GDPR. The benefit of this approach is

10 | SYNERGY Magazine