Since the entry into force of the General Data Protection Regulation ("GDPR"), personal data protection compliance has become a central requirement for companies and public administrations operating in the territory of the European Union ("EU"). Non-compliance entails legal and financial risks that data controllers and processors cannot ignore.
Europrivacy is a certification scheme researched and developed through the European Research Programme to assess, document, certify and value compliance with the GDPR and complementary data protection regulations. It is maintained by the European Centre for Certification and Privacy ("ECCP") in Luxembourg under the supervision of an International Board of Experts in data protection.
Europrivacy has been developed on the basis of ISO/IEC 17065 and Article 42 of the GDPR “for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors”.
It is far more than a simple certification scheme. It provides a comprehensive set of online resources and services to implement, enhance and demonstrate data protection compliance effectively. It is supported by a community of qualified partners, an online academy, a community website, and online tools.
Scope and Applicability
Purpose: Europrivacy enables assessing, documenting, certifying and valuing compliance with the GDPR and complementary data protection regulations. In particular, it assists businesses and enterprises to:
- Identify and reduce the legal and financial risks of non-compliance.
- Document compliance.
- Assess and certify compliance.
- Value and communicate compliance.
- Maintain and enhance compliance.
What: Thanks to its hybrid model, Europrivacy is applicable to almost all data processing activities, including innovative technologies such as artificial intelligence, blockchain, e-health, and the Internet of Things. There are a number of specific exclusions, such as biomedical data.
While the Europrivacy methodology can be applied to diverse Targets of Evaluation, under Art. 42 GDPR only data processing activities can be certified. As a consequence, in EU jurisdictions it is not possible to certify a whole company at once, or even its whole management system, under the GDPR. The positive side is that compliance can be certified progressively, starting with priority data processing activities and extending the certification step by step to further data processing.
Who: Both data controllers and data processors are eligible for Europrivacy certification.
Where: Europrivacy can be used anywhere to assess compliance with the GDPR. However, certificates cannot be issued in jurisdictions that do not provide adequate and sufficient guarantees for the rights and freedoms of data subjects.
Extendibility: Europrivacy has been developed and designed to be easily extendable to complementary national data protection regulations, including non-EU regulations, as well as to domain and technology-specific regulations.
Validity: Certificates are valid for renewable periods of three years.
The certification procedure can be divided into the following major steps:
- Prepare and document your compliance with the Europrivacy criteria, with the support of the Europrivacy Welcome Pack of resources and tools and of qualified partners, to reduce your risks.
- Certify your data processing compliance with a qualified Certification Body to value and communicate your compliance efforts. The certification body must be authorised by ECCP and hold a valid accreditation with a competent national authority. The certificate is published on the official Europrivacy Registry of Certificates so that third parties can authenticate it and forgery is prevented.
- Maintain and enhance your compliance thanks to online resources and tools, including continuous updates on compliance requirements and yearly surveillance audits.
Europrivacy's innovative certification model
Europrivacy provides an innovative hybrid model of certification that benefits from the advantages of a universal certification scheme complemented by domain-specific and technology-specific criteria, according to the nature of the Target of Evaluation.
GDPR Core Criteria: The certification process always starts with the Europrivacy list of GDPR Core Criteria, encompassing the various GDPR obligations, as explained below:
C - Complementary Checks and Controls: The Core Criteria are completed by Complementary Checks and Controls, to assess compliance with domain-specific and technology-specific obligations that may apply to the Target of Evaluation.
T - Technical and Organisational Measures: The Technical and Organisational Measures Checks and Controls aim at assessing the adequacy of the measures in place to secure the processed data. Except for high-risk data processing, they can be replaced by a valid ISO/IEC 27001 certificate whose scope encompasses the Target of Evaluation.
S - Surveillance Audits Checklist: A few additional criteria are specified for the surveillance audits to assess and ensure continuous compliance over time.
N - National Obligations: Europrivacy supports compliance assessment with complementary national obligations through two instruments:
- National obligation profiles for each of the European Economic Area Member States. These resources can be used to prepare a National Obligation Compliance Assessment Report (NOCAR).
- Europrivacy national criteria extensions to assess and certify compliance of a Target of Evaluation with complementary national regulations on data protection. These extensions are optional and used on a voluntary basis to extend a Europrivacy certification towards the corresponding non-EU jurisdiction(s).