
23 June 2026 • 3 minute read
Europrivacy certification under GDPR
GDPR encourages certification for controllers and processors to allow them to demonstrate accountability for compliance measures in place under arts. 42 and 43 GDPR. Certification can be a valuable asset for organisations to:
- Identify and reduce legal and financial risk through gap analysis and remediation;
- Demonstrate conformity to GDPR;
- Build market trust and confidence;
- Provide a seal which is legally recognised in all EU Member States.
Certification is based on an audit, carried out by an impartial certification body, that examines whether selected processing activities benefit from effective organisational controls aligned to the requirements of GDPR. The assessment is conducted by reference to defined, objective and demonstrable criteria set by the certification mechanism / seal provider, which have to be evidenced to the satisfaction of the certification body.
Until recently, such certification has only been available to controllers and processors established in the EU (the EDPB approved Europrivacy as the first European Data Protection Seal in 2022), but the EDPB has now extended this to allow Europrivacy to provide a seal to:
- Controllers and processors established outside of the EU that are caught by the extra-territorial provisions of art. 3(2) GDPR; and
- Data importers that are not subject to GDPR to allow them to certify that the transfers of data they receive from EU controllers and processors have appropriate safeguards, in line with arts. 42 and 46 GDPR.
DLA is an accredited Europrivacy implementer
We can support organisations through the certification process in a number of ways, including:
- Project readiness, scoping and resource planning;
- Identifying processing activities for certification;
- Liaison with chosen certification body;
- Self-assessment against Europrivacy criteria and remediation;
- Formalities for certification application;
- Audit support, including evidence gathering, assessment and corrections;
- Post-audit compliance and surveillance review.
The global dimension
In addition, for non-EU organisations seeking to certify either as data controllers or processors caught by GDPR’s extraterritoriality provisions or as data importers, there is a requirement to consider the national laws in the third country. In particular, certification as a transfer tool pursuant to art. 46(2)(f) must be underpinned by a transfer impact assessment.
DLA has a standard methodology for conducting transfer impact assessments – our Transfer Tool – that allows organisations to logically and consistently assess the laws and practices in third countries; the level of safeguards in place; and the severity and likelihood of harm to data subjects resulting from the transfer. This methodology includes a library of comparative assessments for over 70 jurisdictions, with deep knowledge garnered from the data privacy experts across our global platform.
If you are interested in certification, please get in touch with our key contacts.






