Europrivacy has been tailored to the purpose of GDPR certification as set out in Article 42 GDPR, which provides that GDPR certification mechanisms are established for the “purpose of demonstrating compliance with this regulation [the GDPR] of processing operations”.
Europrivacy certification intends to provide an independent, impartial, and reasonable assurance level of data processing compliance with the GDPR and, where applicable, with complementary data protection requirements, such as national regulations or domain specific requirements. In conformity with Recital 100 GDPR, Europrivacy aims at “allowing data subjects to quickly assess the level of data protection of relevant products and services.”
Europrivacy encompasses all GDPR obligations[1] whose non-compliance may impact the rights and freedoms of data subjects and/or constitute a risk of GDPR infringement for Applicants (Data Controllers or Processors) within the limits of certification applicability specified by the EDPB.
The Europrivacy certification scheme has been researched and developed to be applicable to a large variety of data processing activities. It leverages an innovative model of a hybrid certification scheme that combines the advantages of universal certification schemes and specialised certification schemes.
Europrivacy uses dedicated mechanisms to efficiently and homogeneously assess GDPR compliance, while addressing specific obligations and risks for data subjects:
- Additional criteria are required for any data processing that entails high risks for the data subjects;
- Complementary criteria are required to address technology-specific risks for the data subjects, such as data processing using artificial intelligence, Blockchain, Internet of Things, etc;
- Complementary criteria are required to address domain-specific risks for the data subjects, such as data processing related to the work environment, smart cities, financial services, health, etc.
Europrivacy also takes into account the complementary national obligations for data protection applicable to the data processing to be certified.
However, there are several limits to the scope of data processing that can be certified under Europrivacy:
- The Applicant must have a designated Data Protection Officer (DPO), even if the GDPR does not necessarily require it (Art. 37 GDPR).
- The Applicant must have a registry of data processing activities encompassing the Target of Evaluation, even if the GDPR does not necessarily require it (Art. 30.5 GDPR).
- The Target of Evaluation must go through a preliminary verification of applicability by the certification body. This verification requires compliance with 12 requirements, including the assessment and validation of the applicability of the certification scheme to the data processing (Criteria A.2.1.4) and the adequacy of the certification body’s expertise to assess the Target of Evaluation (Criteria A.2.1.5).
If the Certification Body has any doubt about the applicability of the certification scheme to a Target of Evaluation, it shall not deliver the certification. A specialised support service is also made available to Certification Bodies in case of doubt about the applicability and use of the Certification Scheme.
[1] As specified in Articles 5 to 49 GDPR.