On 10th October 2022, the European Data Protection Board (EDPB) approved Europrivacy, the first and currently only European Data Protection Seal under the General Data Protection Regulation (GDPR).
Timelex has been part of Europrivacy since the early days, with Timelex partner Geert Somers being one of the members of Europrivacy’s international board of experts. Given this long-standing involvement, Timelex is already an official Europrivacy partner, and is thus able to provide (prospective) clients with a first mover advantage in obtaining GDPR certification.
In this blogpost, we will cover some important topics regarding Europrivacy GDPR certification, namely the following:
Europrivacy is a certification scheme, approved by the EDPB, meaning it is an official certification scheme as referred to in Article 42 GDPR. Certification schemes under the GDPR are an optional accountability mechanism, which controllers and processors can use to demonstrate compliance with the regulation by means of an independent third party assessment of their compliance efforts. While certification cannot guarantee full compliance or exclude the possibility of enforcement actions by supervisory authorities, it can be a very strong tool for controllers and processors to demonstrate both their commitment to compliance in general, as well as the specific compliance actions that have been taken towards that goal and create a strong image of trust and reliability.
Europrivacy is an EU-wide scheme, meaning it covers all EU countries, and takes into account both the GDPR and national data protection requirements in its criteria. Europrivacy is a hybrid certification scheme, which means that it combines the advantages of a universal certification scheme with the strengths of a specific scheme. Universal because it can be applied to any data processing, namely that it can add specific complementary contextual criteria to data processing situations that trigger additional GDPR requirements because of the type of (sensitive) data processing, the technologies involved or the domain in which the processing is carried out. Europrivacy can, for example, also cover emerging technologies such as AI, smart cities, IoT, and blockchain. Moreover, the certification mechanism can be extended to include complementary regulations and requirements, e.g. sectoral regulation or non-EU rules on data protection.
Certification is obtained for meeting all the Europrivacy criteria, which translate GDPR requirements, national data protection requirements and any additional legal requirements defined by the specific situation into specific criteria that must be shown to be fulfilled by the applicant who wishes to obtain certification. The Europrivacy certification scheme and its criteria have been approved by the EDPB and are maintained and updated by the European Centre for Certification and Privacy (ECCP) and its international board of experts. Compliance with those criteria is checked by an impartial party, the auditor. Certification is delivered by an independent and impartial party, the certification body, which has itself been accredited by the national accreditation body or the supervisory authority to deliver such certification decisions.
The GDPR only allows for data processing activities to be certified, not organizations, products or services. For that reason, Europrivacy as a scheme allows controllers and processors to certify that a number of selected data processing activities are in compliance with the GDPR.
The processing activities that are selected for certification are called the Target of Evaluation or “ToE”. Europrivacy recommends to start with only a few key processing activities, and to gradually expand this. Once the process has been completed, it becomes more efficient and easier to certify further processing activities, as many elements can be re-used.
Despite the fact that services cannot be certified as such, controllers or processors may wish to certify all the data processing activities that constitute a given service, especially when this service is the core of their business.
On an organization level, controllers and processors may choose to certify all processing activities of a given business function, a given department or unit or may otherwise decide to certify some processing activities and not others, e.g. based on how visible these are, how many data subjects are involved, whether they involve special categories of data or sensitive data, whether they are B2C or B2B facing, whether they involve international data transfers, whether they involve many third parties etc.
Timelex can assist clients in determining the appropriate scope of certification, as well as in defining a certification plan of action and certification priority list.
Obtaining Europrivacy certification involves the following steps:
In order to obtain certification, you must:
All processing activities must meet the Europrivacy core GDPR criteria (including e.g. transfers, relationship with third parties, compliance with principles relating to processing of personal data, etc.). This includes assessing whether all compliance documents are present and meet the standards of the GDPR. In this stage the national requirements are identified and compliance with them is assessed in a National Obligation Conformity Assessment Report (NOCAR).
Depending on the situation, e.g. for processing activities in certain domains, involving processing of special categories or sensitive data or involving emerging technologies, additional criteria will apply. In addition, this stage may involve complementary regulations and requirements, e.g. sectoral regulation or non-EU rules on data protection. During this process, non-conformities with the Europrivacy criteria must be identified and remedied.
It is strongly advisable to have an expert third party, such as Timelex, assist you in the preparation process. This has many benefits, but in particular helps to ensure that you have access to expert advice both in relation to both GDPR compliance as such, and in relation to the implementation of the specific Europrivacy criteria.
During this stage the certification body will assess the compliance of the Target of Evaluation with all the applicable criteria, checks, and controls. This will happen after the auditor has assessed the work done in the preparatory phase. If the auditor identifies non-conformities, there will be the opportunity to amend the documentation to address these non-conformities before the application passes to the certification body. Once the decision is made, the certificate of conformity is communicated and published online in the official registry of Europrivacy certificates.
The Europrivacy certificates are valid for three years and monitored through yearly surveillance audits, i.e. one audit within 12 months and another within 24 months after the certificate has been issued. At the end of the validity period (36 months), recertification is possible in order to obtain a new certificate for another three years, etc. Once certified, you are required to maintain and enhance your compliance, and address all regulatory changes that may occur.
First of all, Europrivacy certification will provide applicants with an opportunity to strengthen their actual GDPR compliance and to identify and reduce existing legal and financial risks linked to existing compliance gaps. This is the case because both the preparatory stage and the independent assessment stage provide an opportunity to re-evaluate your compliance position and to update and adapt any documents, policies or practices that may have become outdated or are not in accordance with the GDPR and best practice.
In order to get the most out of this exercise, it is important to have an external expert like Timelex assist you as an implementor. In particular, this may strengthen your compliance with regards to:
Because Europrivacy involves the assessment by an independent third party of rigorous criteria confirmed by the EDPB as appropriate to measure compliance with the GDPR, obtaining Europrivacy certification will create not only transparency but will also build trust with individuals as data subjects, (potential) customers or (potential) consumers, and with business partners, governments and supervisory authorities. Moreover, Europrivacy certification also covers national requirements and may be used to create transparency and build trust also in relation to additional rules and regulations.
Creating transparency and building trust and confidence can offer a competitive advantage in the market by improving your reputation with potential clients, customers and business partners. Individuals tend to consider privacy and data protection aspects more than ever before and so do companies, in particular when they are selecting data processors or partners that may act as a joint controller with them. Certification may therefore be of particular importance to show potential business partners that you are committed to and have implemented appropriate measures towards GDPR compliance.
Moreover, certification allows you to demonstrate a concrete commitment towards data protection and respect for privacy, and enables you to distinguish yourself from competitors, building trust and inspiring potential clients and customers to deal with you in confidence.
A third main benefit of certification is that it may ease cross-border data transfers and provide additional comfort in this regard, strengthening your assessment. Certification of processing operations that include a data transfer will strengthen the compliance position of the parties involved by leveraging the strength of an independent third party assessment of the transfer against EDPB approved criteria. Europrivacy certification is not meant to make an otherwise unacceptable transfer legal under the GDPR, but can help demonstrate that appropriate safeguards are in place, taking into account the Schrems II ruling and existing EDPB guidance on the matter.
Certification may not only help EEA-based data exporters, but certification of the data importer in a third country may also be an additional element towards compliance, demonstrating that the importer respects the level of data protection required by the GDPR. Obtaining certification may in this case provide a competitive advantage in the European market, where companies may wish to consider whether their respective business partners hold a GDPR certificate for their processing operations, as part of meeting due diligence requirements under the GDPR, e.g. when selecting processors. In a similar vein, individuals may take into account the certification when choosing which product or services they can trust with their personal data.
Timelex is a long-term official Europrivacy partner and an active member of the Europrivacy International Board of Experts. Our team has vast experience organizing, managing, and coordinating clients’ international and national data protection compliance projects.
In addition, Timelex is an established expert on the subject matter at issue in Europrivacy certification: the GDPR. Not only does Timelex have a strong track record in supporting clients to become GDPR compliant, Timelex has also supported the European Commission in various GDPR-related tasks, such as the studies in preparation of the later adequacy findings in Japan and Korea, and a study supporting the EC’s work towards updating the standard contractual clauses in 2021.
Considering the challenges companies might face in order to meet Europrivacy requirements and certify their compliance, Timelex experts are ready to guide you in this journey. Combining thorough knowledge of data protection with a deep understanding of the Europrivacy criteria and procedure, Timelex would be glad to assist clients in their certification journey through:
Would you like to learn more about the Europrivacy certification scheme and what Timelex can do for you?
Contact us at firstname.lastname@example.org and our team will be happy to provide you with more details about Europrivacy and the related Timelex services.
Europrivacy is an international trademark registered in several jurisdictions.