Europrivacy has developed an innovative hybrid model of certification scheme that combines the advantage of a universal certification scheme with a comprehensive series of criteria. These criteria are applicable to any data processing with the strength of specialised certification schemes by adding complementary contextual criteria that enable to assess technology and domain specific risks for the data subjects (more details).
Europrivacy also distinguishes High Risk Data Processing from regular ones. High Risk Data Processing is defined as any data processing that:
- processes special categories of personal data or data relating to criminal convictions, or;
- specifically targets personal data of minors of age, or;
- is likely to result in a high risk for the rights and freedom of natural persons.[1]
Whenever a Target of Evaluation includes High Risk Data Processing, complementary criteria (labelled as level B) must be additionally applied and assessed by the auditor in order to take into account the higher level of risk.
In all cases, the applicability of criteria is not decided by the auditor but determined by the Target of Evaluation.
[1] The Certification Body shall take into account the EDPB guidelines on Data Protection impact assessments High risk processing.
