
The Privacy Advisor | Reducing risks and valuing compliance with the European Data Protection Seal under the GDPR


There are more than 70 references to certification, covering privacy by design, data transfers to processors, adequacy of technical and organizational measures, and international data transfers, in the EU General Data Protection Regulation.

The European Data Protection Seal is a GDPR-certification mechanism recognized by all EU and European Economic Area jurisdictions. It must satisfy the use criteria approved by the European Data Protection Board and must be delivered by a certification body accredited under Article 43.

In October 2022, the EDPB approved the Europrivacy criteria to serve as the official European Data Protection Seal under GDPR Article 42. It is the only set of criteria officially recognized by all EU and EEA data protection supervisory authorities, in 30 countries, for certifying GDPR compliance.

On 6 March, European Accreditation (EA) approved the suitability of Europrivacy for European-level accreditation. The EA decision enables major certification bodies to complete their accreditation under GDPR Article 43 and start delivering European Data Protection Seals across Europe.

In parallel, the Europrivacy criteria extension is currently under review by the EDPB to serve as a mechanism for international data transfers under GDPR Article 46 for applicants based in third countries.

A powerful mechanism to reduce risks and value compliance

Regulatory compliance is mandatory, with noncompliance inevitably leading to legal, reputational and financial consequences. Much of the groundwork for certification is already completed during GDPR compliance efforts, but it often remains invisible. Certification presents a natural continuation to harvest the fruits of compliance efforts, transforming the latter into a source of value creation. The main work consists of documenting compliance with Europrivacy criteria, supported by online resources and an ecosystem of qualified service providers.

While achieving GDPR compliance may seem a Herculean task for data protection officers, with the risk of missing or misinterpreting obligations, the certification journey shifts part of this burden to third-party validators, offering significant benefits and competitive advantages with relatively limited effort required.

A European Data Protection Seal can be used by both data controllers and processors, hereafter referred to as "applicants." A seal applies exclusively to personal data processing activities, which provides three major advantages. First, it enables the applicant to focus its effort on priority data processing activities. Second, the applicant can pursue certification without waiting for its other data processing activities to be ready. Third, the scope of certification is far more reliable and trustworthy than a company-level certification of compliance. The process is simple, flexible and efficient.

Stage 1: Checking and documenting compliance

The applicants start by selecting their priority data processing activities and specifying the target of evaluation. Once done, they use the Europrivacy criteria to check and document the compliance of their evaluation target with the GDPR. It enables them to systematically check, identify and redress potential noncompliance. Moreover, it paves the way to a well-structured and homogeneous documentation of compliance, available in case of inspections or litigation. By doing so, they significantly reduce their legal, financial and reputational risks.

Stage 2: Certifying and valuing compliance

Once compliance is internally validated and documented, applicants can request offers from qualified certification bodies via the online Europrivacy form and select the most suitable one.

The certification body will check the compliance of the evaluation target with the same criteria used to document it. These criteria are specifically worded to minimize subjective interpretation, focusing on factual evidence to mitigate divergence. If any noncompliance is detected, it is outlined in a report, allowing for rectification before completing certification.

Once certification has been obtained, the applicant will notify their organization. Certification has two major impacts on an organization. First, as it is delivered by independent and qualified third parties accredited by independent authorities under GDPR Article 43, the certification builds trust and confidence with the various stakeholders. It reduces uncertainty for DPOs, boards of directors, shareholders, business-to-business partners and data subjects, as they can rely on external and formal validation from qualified professionals.

Second, it transforms compliance into a source of value creation. While compliance is typically perceived as a cost center, certification transforms it into a valuable asset. It can be utilized by sales and marketing teams as a competitive advantage and be communicated to market analysts to demonstrate the company's proactive risk reduction efforts. This acknowledges and rewards companies proactively investing in their compliance and safeguarding personal data. It also rewards the work of the DPO and highlights its contribution to company growth.

Stage 3: Maintaining and enjoying certification

Once compliance for the first data processing activities has been certified, the applicant can value the certification and use it as a benchmark for other data processing activities. It can also decide to extend the certification to other priority data processing activities and leverage the work already done for the first certification.

The applicant benefits from online resources made available by Europrivacy to help maintain compliance. They will also receive notifications in case requirements change to address regulatory evolution. Yearly surveillance audits enable them to maintain trust over time.

Other benefits to certification

Adopting internal rules, policies, contractual clauses and codes of conduct on paper is one thing, but ensuring they align with reality poses a distinct challenge, especially for data controllers. While standard contractual clauses may facilitate data transfers, they do not mitigate the risk of regulatory breaches by the receiving entity. Certification provides a reliable means to ensure effective compliance.

Cost-efficient risk reduction

Requiring data processors and data importers to certify their processing enables companies to reduce their risk surface at no cost. Article 28 of the GDPR requires that "Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject." The controller remains liable for any wrongdoing by its processors. The certification is recognized as a means to demonstrate that "sufficient guarantees" are in place.

Supporting data protection by design and by default

Europrivacy contributes to addressing the data protection by design and by default obligation under GDPR Article 25, which states, "An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article." The use of recognized criteria enables review and proactive documentation of compliance with the regulation.

Europrivacy underpins the data protection by design and default obligation with the use of recognized criteria that enables review and proactive documentation under the regulation, as demonstrated by the Article 25 quote above. More generally, Europrivacy reinforces compliance as part of a company's organization and culture.

Making the process user-friendly and scalable

A major research objective of Europrivacy was to enhance the efficiency, user-friendliness and scalability of data protection certification. The applicant is supported by a whole set of online resources, including guidelines, templates and tutorials. A dedicated online academy enables them to learn how to use Europrivacy. The process itself has been optimized to be efficient and easily scalable, with a step-by-step approach.

A welcome pack has been developed and is made available to applicants. It gives them access to a complete bundle of resources and services for three years, to support their first cycle of certification.

Global ecosystem of service and solution providers

Europrivacy is supported by a global ecosystem of official partners. Official partners have gone through a selection process based on demanding criteria, including reviews of their track records and expertise.

Conclusion

The GDPR certification is a powerful tool to reduce risks, value compliance, and build trust and confidence through impartial third-party verifications. Compared to other mechanisms, it relies on effective independent controls of the data processing. It turns compliance into an asset and a source of competitive advantages. While the adoption of a common mechanism by 30 countries took time, the March EA decision opened the door to a powerful instrument and a new chapter for compliance.
