The first EU-wide GDPR certification scheme – Europrivacy (TM/®) explained in 5 questions

Author info

On 10th October 2022, the European Data Protection Board (EDPB) approved Europrivacy, the first and currently only European Data Protection Seal under the General Data Protection Regulation (GDPR).

Timelex has been part of Europrivacy since the early days, with Timelex partner Geert Somers being one of the members of Europrivacy’s international board of experts. Given this long-standing involvement, Timelex is already an official Europrivacy partner, and is thus able to provide (prospective) clients with a first mover advantage in obtaining GDPR certification.

In this blogpost, we will cover some important topics regarding Europrivacy GDPR certification, namely the following:

  1. What is Europrivacy GDPR certification?
  2. What can be certified?
  3. How do you get certified?
    1. The preparatory stage
    2. The independent assessment and certification stage
    3. Surveillance stage
  4. What are the benefits of certification?
    1. Improved compliance and risk reduction
    2. Transparency and Trust
    3. Additional comfort regarding data transfers to third countries
  5. Why choose Timelex for your GDPR certification journey?

 

1. What is Europrivacy GDPR certification?

Europrivacy is a certification scheme, approved by the EDPB, meaning it is an official certification scheme as referred to in Article 42 GDPR. Certification schemes under the GDPR are an optional accountability mechanism, which controllers and processors can use to demonstrate compliance with the regulation by means of an independent third party assessment of their compliance efforts. While certification cannot guarantee full compliance or exclude the possibility of enforcement actions by supervisory authorities, it can be a very strong tool for controllers and processors to demonstrate both their commitment to compliance in general, as well as the specific compliance actions that have been taken towards that goal and create a strong image of trust and reliability.

Europrivacy is an EU-wide scheme, meaning it covers all EU countries, and takes into account both the GDPR and national data protection requirements in its criteria. Europrivacy is a hybrid certification scheme, which means that it combines the advantages of a universal certification scheme with the strengths of a specific scheme. Universal because it can be applied to any data processing, namely that it can add specific complementary contextual criteria to data processing situations that trigger additional GDPR requirements because of the type of (sensitive) data processing, the technologies involved or the domain in which the processing is carried out. Europrivacy can, for example, also cover emerging technologies such as AI, smart cities, IoT, and blockchain. Moreover, the certification mechanism can be extended to include complementary regulations and requirements, e.g. sectoral regulation or non-EU rules on data protection.

Certification is obtained for meeting all the Europrivacy criteria, which translate GDPR requirements, national data protection requirements and any additional legal requirements defined by the specific situation into specific criteria that must be shown to be fulfilled by the applicant who wishes to obtain certification. The Europrivacy certification scheme and its criteria have been approved by the EDPB and are maintained and updated by the European Centre for Certification and Privacy (ECCP) and its international board of experts. Compliance with those criteria is checked by an impartial party, the auditor. Certification is delivered by an independent and impartial party, the certification body, which has itself been accredited by the national accreditation body or the supervisory authority to deliver such certification decisions.

2. What can be certified?

The GDPR only allows for data processing activities to be certified, not organizations, products or services. For that reason, Europrivacy as a scheme allows controllers and processors to certify that a number of selected data processing activities are in compliance with the GDPR.

The processing activities that are selected for certification are called the Target of Evaluation or “ToE”. Europrivacy recommends to start with only a few key processing activities, and to gradually expand this. Once the process has been completed, it becomes more efficient and easier to certify further processing activities, as many elements can be re-used.

Despite the fact that services cannot be certified as such, controllers or processors may wish to certify all the data processing activities that constitute a given service, especially when this service is the core of their business.

On an organization level, controllers and processors may choose to certify all processing activities of a given business function, a given department or unit or may otherwise decide to certify some processing activities and not others, e.g. based on how visible these are, how many data subjects are involved, whether they involve special categories of data or sensitive data, whether they are B2C or B2B facing, whether they involve international data transfers, whether they involve many third parties etc.

Timelex can assist clients in determining the appropriate scope of certification, as well as in defining a certification plan of action and certification priority list.

3. How do you get certified?

Obtaining Europrivacy certification involves the following steps:

3.1 The preparatory stage

In order to obtain certification, you must:

  • Apply to the scheme and show your commitment to privacy and data protection;
  • Ensure that the data protection activities are compliant with the data protection regulation.
  • Gather all necessary documents and materials relating to the Target of Evaluation (ToE) in order to prove that it indeed meets the Europrivacy criteria, which translate the rules of the GDPR into measurable requirements.
  • Define a scope of the certification (target of evaluation or ToE) and enter into a contract with a certification body for the certification process, setting up a certification plan;

All processing activities must meet the Europrivacy core GDPR criteria (including e.g. transfers, relationship with third parties, compliance with principles relating to processing of personal data, etc.). This includes assessing whether all compliance documents are present and meet the standards of the GDPR. In this stage the national requirements are identified and compliance with them is assessed in a National Obligation Conformity Assessment Report (NOCAR).

Depending on the situation, e.g. for processing activities in certain domains, involving processing of special categories or sensitive data or involving emerging technologies, additional criteria will apply. In addition, this stage may involve complementary regulations and requirements, e.g. sectoral regulation or non-EU rules on data protection. During this process, non-conformities with the Europrivacy criteria must be identified and remedied.

It is strongly advisable to have an expert third party, such as Timelex, assist you in the preparation process. This has many benefits, but in particular helps to ensure that you have access to expert advice both in relation to both GDPR compliance as such, and in relation to the implementation of the specific Europrivacy criteria.

3.2 The independent assessment and certification stage

During this stage the certification body will assess the compliance of the Target of Evaluation with all the applicable criteria, checks, and controls. This will happen after the auditor has assessed the work done in the preparatory phase. If the auditor identifies non-conformities, there will be the opportunity to amend the documentation to address these non-conformities before the application passes to the certification body. Once the decision is made, the certificate of conformity is communicated and published online in the official registry of Europrivacy certificates.

3.3 The monitoring stage

The Europrivacy certificates are valid for three years and monitored through yearly surveillance audits, i.e. one audit within 12 months and another within 24 months after the certificate has been issued. At the end of the validity period (36 months), recertification is possible in order to obtain a new certificate for another three years, etc. Once certified, you are required to maintain and enhance your compliance, and address all regulatory changes that may occur.

4. What are the benefits of certification?

4.1 Improved compliance and risk reduction

First of all, Europrivacy certification will provide applicants with an opportunity to strengthen their actual GDPR compliance and to identify and reduce existing legal and financial risks linked to existing compliance gaps. This is the case because both the preparatory stage and the independent assessment stage provide an opportunity to re-evaluate your compliance position and to update and adapt any documents, policies or practices that may have become outdated or are not in accordance with the GDPR and best practice.

In order to get the most out of this exercise, it is important to have an external expert like Timelex assist you as an implementor. In particular, this may strengthen your compliance with regards to:

  • Transparency and information;
  • Having in place appropriate technical and organizational measures for accountability and security;
  • Complying with data protection by design and by default;
  • Demonstrating that you have in place sufficient guarantees and appropriate contractual documents in relation to third parties such as processors, sub-processors or joint controllers:
  • Demonstrating you have in place appropriate measures for transfers of personal data to third countries.

4.2 Transparency and Trust

Because Europrivacy involves the assessment by an independent third party of rigorous criteria confirmed by the EDPB as appropriate to measure compliance with the GDPR, obtaining Europrivacy certification will create not only transparency but will also build trust with individuals as data subjects, (potential) customers or (potential) consumers, and with business partners, governments and supervisory authorities. Moreover, Europrivacy certification also covers national requirements and may be used to create transparency and build trust also in relation to additional rules and regulations.

Creating transparency and building trust and confidence can offer a competitive advantage in the market by improving your reputation with potential clients, customers and business partners. Individuals tend to consider privacy and data protection aspects more than ever before and so do companies, in particular when they are selecting data processors or partners that may act as a joint controller with them. Certification may therefore be of particular importance to show potential business partners that you are committed to and have implemented appropriate measures towards GDPR compliance.

Moreover, certification allows you to demonstrate a concrete commitment towards data protection and respect for privacy, and enables you to distinguish yourself from competitors, building trust and inspiring potential clients and customers to deal with you in confidence.

4.3 Additional comfort regarding data transfers to third countries

A third main benefit of certification is that it may ease cross-border data transfers and provide additional comfort in this regard, strengthening your assessment. Certification of processing operations that include a data transfer will strengthen the compliance position of the parties involved by leveraging the strength of an independent third party assessment of the transfer against EDPB approved criteria. Europrivacy certification is not meant to make an otherwise unacceptable transfer legal under the GDPR, but can help demonstrate that appropriate safeguards are in place, taking into account the Schrems II ruling and existing EDPB guidance on the matter.

Certification may not only help EEA-based data exporters, but certification of the data importer in a third country may also be an additional element towards compliance, demonstrating that the importer respects the level of data protection required by the GDPR. Obtaining certification may in this case provide a competitive advantage in the European market, where companies may wish to consider whether their respective business partners hold a GDPR certificate for their processing operations, as part of meeting due diligence requirements under the GDPR, e.g. when selecting processors. In a similar vein, individuals may take into account the certification when choosing which product or services they can trust with their personal data.

5. Why choose Timelex for your GDPR certification journey?

Timelex is a long-term official Europrivacy partner and an active member of the Europrivacy International Board of Experts. Our team has vast experience organizing, managing, and coordinating clients’ international and national data protection compliance projects.

In addition, Timelex is an established expert on the subject matter at issue in Europrivacy certification: the GDPR. Not only does Timelex have a strong track record in supporting clients to become GDPR compliant, Timelex has also supported the European Commission in various GDPR-related tasks, such as the studies in preparation of the later adequacy findings in Japan and Korea, and a study supporting the EC’s work towards updating the standard contractual clauses in 2021.

Considering the challenges companies might face in order to meet Europrivacy requirements and certify their compliance, Timelex experts are ready to guide you in this journey. Combining thorough knowledge of data protection with a deep understanding of the Europrivacy criteria and procedure, Timelex would be glad to assist clients in their certification journey through:

  1. Supporting the selection of data processing activities to be certified;
  2. Providing access to the Europrivacy certification welcome pack, registration to the privacy pact, and providing support regarding the use of the Europrivacy community website, training materials etc.;
  3. Carrying out a readiness assessment of the selected data processing activities and identification of gaps;
  4. Remediating any identified non-conformities;
  5. Preparing the relevant documentation, including the national reports (NOCAR) needed, and the application form to apply for the initial certification;
  6. Supporting the interaction with the Certification body and auditors and elaborating a certification plan;
  7. Providing support in maintaining the certificate by addressing any regulatory changes, and preparing readiness assessments for the yearly surveillance audits.

Would you like to learn more about the Europrivacy certification scheme and what Timelex can do for you?

Contact us at europrivacy@timelex.eu and our team will be happy to provide you with more details about Europrivacy and the related Timelex services.

Europrivacy is an international trademark registered in several jurisdictions.