gdpr-certification-scheme

GDPR Certification Mechanism per Articles 42-43

Overview

Articles 42-43 GDPR establish a voluntary data protection certification mechanism to demonstrate compliance with the Regulation. Art. 42(1) states that Member States, supervisory authorities, the Board, and the Commission shall encourage the establishment of data protection certification mechanisms, seals, and marks for the purpose of demonstrating compliance with the GDPR of processing operations by controllers and processors.

GDPR certification is distinct from ISO 27701 certification or SOC 2 attestation in that it is specifically authorized by the GDPR itself and must be issued by an accredited certification body (Art. 42(5)) or by a competent supervisory authority (Art. 42(5)). The certification criteria must be approved by the competent supervisory authority pursuant to Art. 58(3)(f) or by the EDPB pursuant to Art. 63 for transnational certification schemes (the European Data Protection Seal — Art. 42(5)).

As of 2024, the GDPR certification ecosystem is maturing with the EDPB having adopted criteria for the first European Data Protection Seal (Europrivacy/EuroPrivacy) and several national supervisory authorities developing domestic certification schemes.

Sentinel Compliance Group is pursuing Europrivacy certification for its cloud-based SaaS processing operations, targeting certification by Q3 2025.

Legal Framework

Article 42 — Certification

Art. 42(1): Encouragement of data protection certification mechanisms, seals, and marks to demonstrate GDPR compliance.

Art. 42(2): Certification shall be voluntary, does not reduce the controller/processor's responsibility for GDPR compliance, and is without prejudice to supervisory authority tasks and powers.

Art. 42(3): Certification is issued by accredited certification bodies (Art. 43) or by the competent supervisory authority based on criteria approved by the competent supervisory authority or by the EDPB.

Art. 42(4): A controller or processor seeking certification shall provide the certification body or supervisory authority with all information and access necessary for the certification procedure.

Art. 42(5): Certification is issued for a maximum period of three years. It may be renewed under the same conditions if the relevant requirements continue to be met. Certification shall be withdrawn by the certification body or supervisory authority where the requirements are not or are no longer met.

Art. 42(6): The Board shall collate all certification mechanisms and seals in a register and make them publicly available.

Art. 42(7): Certification shall not affect the supervisory authority's task to monitor compliance or the exercise of its corrective powers under Art. 58.

Article 43 — Certification Bodies

Art. 43(1): Certification bodies shall have an appropriate level of expertise in data protection.

Art. 43(2): Accreditation of certification bodies shall be granted by:

Accreditation Path	Authority	Requirements
Option (a)	Competent supervisory authority alone	Based on criteria approved by that SA
Option (b)	National accreditation body (per Regulation (EC) No 765/2008)	In accordance with EN-ISO/IEC 17065/2012 AND additional requirements established by the competent supervisory authority

Art. 43(3): Accreditation is issued for a maximum period of five years, renewable.

Art. 43(4): Accredited certification bodies must provide reasons for granting or withdrawing certification to the competent supervisory authority.

Art. 43(6): Certification body requirements include:

• Independence and expertise in data protection
• Established procedures for issuing, periodic review, and withdrawal of certifications
• Procedures for handling complaints about infringements
• Demonstration that tasks and duties do not result in conflicts of interest
• Operating in a transparent manner

EDPB Guidelines 1/2018 on Certification and Identifying Certification Criteria

The EDPB adopted Guidelines 1/2018 providing guidance to supervisory authorities and certification bodies on certification criteria:

Key Principles:

1. Certification criteria must relate to processing operations, not to products, services, or systems per se
2. Criteria must be sufficiently precise to enable consistent assessment
3. Criteria must be rooted in GDPR provisions and not impose requirements beyond the GDPR
4. Criteria must enable meaningful evaluation (not merely self-declaration)
5. Certification must provide added value beyond general compliance claims

Certification Criteria Framework

EDPB Certification Criteria Categories

Based on EDPB Guidelines 1/2018, certification criteria must address relevant GDPR provisions. The following framework maps GDPR requirements to certification evaluation areas:

Category 1: Lawfulness, Fairness, and Transparency (Art. 5(1)(a))

Criterion ID	Assessment Area	Evidence Required
C1.1	Lawful basis identified and documented for each processing activity	Lawful basis register, LIA documentation
C1.2	Privacy notices meet Art. 13-14 requirements	Published privacy notices, version history
C1.3	Fair processing practices demonstrated	Processing documentation, data subject feedback
C1.4	No hidden or deceptive processing	Data flow documentation, technical audit results

Category 2: Purpose Limitation (Art. 5(1)(b))

Criterion ID	Assessment Area	Evidence Required
C2.1	Purposes specified, explicit, and legitimate	Purpose register, RoPA
C2.2	No incompatible further processing	Purpose limitation controls, change management records
C2.3	Compatibility assessment for further processing	Compatibility assessment documentation

Category 3: Data Minimisation (Art. 5(1)(c))

Criterion ID	Assessment Area	Evidence Required
C3.1	Data collected is adequate, relevant, and limited	Data element justification per purpose
C3.2	Minimisation practices embedded in system design	Design documentation, technical review
C3.3	Regular review of data necessity	Data review records, cleanup logs

Category 4: Accuracy (Art. 5(1)(d))

Criterion ID	Assessment Area	Evidence Required
C4.1	Data accuracy measures at collection	Validation controls, input rules
C4.2	Rectification mechanisms available	Correction process documentation, logs
C4.3	Periodic accuracy verification	Data quality review records

Category 5: Storage Limitation (Art. 5(1)(e))

Criterion ID	Assessment Area	Evidence Required
C5.1	Retention periods defined per purpose	Retention schedule
C5.2	Deletion/anonymisation executed upon expiry	Deletion logs, automation configuration
C5.3	Retention exceptions documented and time-bound	Exception register

Category 6: Integrity and Confidentiality (Art. 5(1)(f), Art. 32)

Criterion ID	Assessment Area	Evidence Required
C6.1	Encryption at rest (AES-256 or equivalent)	Configuration evidence
C6.2	Encryption in transit (TLS 1.2+)	Certificate inventory, scan results
C6.3	Access controls (RBAC, least privilege)	IAM configuration, access reviews
C6.4	Audit logging and monitoring	Log configuration, SIEM rules
C6.5	Vulnerability management	Pen test results, vulnerability scan reports
C6.6	Incident response procedures	IR plan, tabletop exercise results

Category 7: Accountability (Art. 5(2), Art. 24)

Criterion ID	Assessment Area	Evidence Required
C7.1	Privacy governance structure	Organizational chart, governance charter
C7.2	Records of processing activities	Complete RoPA
C7.3	Data protection impact assessments	DPIA register, completed DPIAs
C7.4	Data processing agreements	DPA inventory, executed agreements
C7.5	DPO appointment and independence	DPO designation, independence documentation
C7.6	Training and awareness program	Training records, content, completion rates

Category 8: Data Subject Rights (Art. 12-22)

Criterion ID	Assessment Area	Evidence Required
C8.1	DSAR intake and fulfillment procedures	Process documentation, DSAR logs
C8.2	Response within regulatory timeframes	Response time metrics
C8.3	Identity verification	Verification procedures, logs
C8.4	Right to erasure implementation	Deletion procedures, verification
C8.5	Right to data portability	Export functionality, format documentation
C8.6	Automated decision-making safeguards	Art. 22 compliance documentation

Category 9: International Transfers (Art. 44-49)

Criterion ID	Assessment Area	Evidence Required
C9.1	Transfer mechanisms in place	SCC execution, adequacy reliance
C9.2	Transfer impact assessments	TIA documentation
C9.3	Supplementary measures	Technical/organizational/contractual measures

Category 10: Breach Notification (Art. 33-34)

Criterion ID	Assessment Area	Evidence Required
C10.1	Breach detection capabilities	Detection tools, monitoring configuration
C10.2	72-hour DPA notification process	Notification procedures, templates
C10.3	Data subject notification process	Notification criteria, templates
C10.4	Breach documentation	Incident records, post-incident reviews

Europrivacy Certification Scheme

Overview

Europrivacy (formerly EuroPrivacy) is the first European Data Protection Seal recognized by the EDPB. It was developed under the European research program and is administered by the European Centre for Certification and Privacy (ECCP) in Luxembourg.

Europrivacy Characteristics

Aspect	Description
Legal Basis	Art. 42 GDPR; EDPB-approved certification criteria
Scope	Processing operations of controllers and processors
Validity	3 years (Art. 42(7)) with annual surveillance
Certification Body	Accredited certification bodies meeting Art. 43 and ISO/IEC 17065
Criteria Version	Europrivacy criteria v1.0 (approved by EDPB 2022)
Assessment Method	Documentation review + on-site audit + technical testing
Output	Europrivacy certificate and seal with public register entry

Europrivacy Certification Process

Phase 1: Application and Scoping (4-6 Weeks)

1. Organization selects an accredited Europrivacy certification body
2. Certification body conducts scoping exercise:
   • Define processing operations in scope
   • Identify applicable GDPR articles and Europrivacy criteria
   • Determine assessment effort (based on processing complexity, data volume, third-party ecosystem)
3. Certification body issues engagement proposal with timeline and fees
4. Organization signs certification agreement

Phase 2: Self-Assessment (6-8 Weeks)

1. Organization completes the Europrivacy self-assessment questionnaire
2. For each applicable criterion:
   • Describe the control or measure implemented
   • Identify the policy, procedure, or technical mechanism
   • Provide evidence of implementation and effectiveness
   • Identify any gaps and planned remediation
3. Organization compiles evidence portfolio

Phase 3: Documentation Review (4-6 Weeks)

1. Certification body reviews self-assessment and evidence
2. Identifies documentation gaps or insufficient evidence
3. Issues documentation review report with findings
4. Organization addresses findings and provides additional evidence

Phase 4: On-Site Audit (1-2 Weeks)

1. Certification body conducts on-site audit:
   • Interviews with DPO, CISO, business process owners, IT administrators
   • Document review and verification
   • Technical testing (access controls, encryption, deletion, DSAR fulfillment)
   • Process walkthroughs (DPIA process, breach response, consent management)
2. Audit team documents findings in audit report

Phase 5: Certification Decision (2-4 Weeks)

1. Certification body evaluates audit findings against certification criteria
2. Decision options:

Decision	Criteria
Certified	All applicable criteria met; no major nonconformities
Certified with conditions	Minor nonconformities identified; corrective action plan accepted; certification granted pending verification within 90 days
Not certified	Major nonconformities; organization may reapply after remediation

3. If certified: Certificate issued, seal granted, entry added to public register
4. Certificate includes: scope of certification, processing operations covered, certification body, issuance date, expiry date

Phase 6: Surveillance and Renewal

• Annual Surveillance: Certification body conducts annual surveillance assessment (lighter than initial certification) to verify continued conformity
• Material Changes: Organization must report material changes to the certification body within 30 days
• Renewal: Full reassessment before the 3-year expiry for renewal
• Withdrawal: Certification body may withdraw certification if organization no longer meets criteria (Art. 42(7))

Seal and Mark Usage Rules

Permitted Use

Use Case	Rules
Website	Display certification seal on privacy notice or trust center page with link to certificate details
Marketing Materials	Reference certification in brochures, presentations, and proposals with accurate scope description
Contracts	Reference certification in DPAs and customer agreements; certification does not replace contractual obligations
Product Packaging	Display seal only if the certified processing operation is integral to the product
Press Releases	Announce certification with accurate scope description; avoid implying total GDPR compliance

Prohibited Use

Prohibition	Rationale
Implying certification covers all processing activities when scope is limited	Misleading to data subjects and customers
Using the seal after certificate expiry or withdrawal	No longer authorized
Modifying the seal design (color, proportions, text)	Seal integrity must be maintained
Implying certification replaces regulatory compliance obligations	Art. 42(4): certification does not reduce controller/processor responsibility
Transferring the seal to non-certified entities (subsidiaries, partners)	Certification is entity- and scope-specific
Using the seal in a way that implies supervisory authority endorsement	Certification body issues certification, not the DPA

Seal Display Requirements

1. Seal must be accompanied by the certification scope in plain language
2. Certificate number must be displayed or linked
3. Certification body name must be identified
4. Certificate validity dates must be accessible (directly or via link)
5. Link to the public certificate register must be provided

Relationship to Other Frameworks

GDPR Certification vs. ISO 27701

Aspect	GDPR Certification (Art. 42)	ISO 27701
Legal basis	GDPR Art. 42-43	ISO/IEC 27701:2019
Scope	Processing operations	Privacy Information Management System
Criteria approval	Supervisory authority / EDPB	ISO standards body
Certification body	GDPR-accredited (Art. 43)	ISO 17021 / 17065 accredited
Regulatory weight	Explicit GDPR recognition (Art. 24, 28, 42, 83)	Recognized by practice; no express GDPR recognition
Duration	3 years	3 years
Transfer mechanism	Potentially under Art. 46(2)(f)	Not a transfer mechanism

GDPR Certification vs. Codes of Conduct

Aspect	GDPR Certification (Art. 42)	Codes of Conduct (Art. 40)
Governance	Certification body	Code owner + monitoring body
Assessment	External audit by certification body	Self-assessment + monitoring body oversight
Criteria	GDPR-rooted, SA/EDPB approved	Sector-specific, SA/EDPB approved
Flexibility	Standardized criteria per scheme	Sector-adapted rules
Transfer mechanism	Art. 46(2)(f)	Art. 46(2)(e)
Art. 83(2)(j) factor	Yes (mitigating for fines)	Yes (mitigating for fines)

EDPB Approved Certification Schemes

Europrivacy (European Data Protection Seal)

• Status: EDPB positive opinion adopted; criteria approved
• Scope: Controller and processor processing operations
• Administered by: European Centre for Certification and Privacy (ECCP)
• Certification Bodies: Multiple accredited bodies across EU Member States

National Certification Schemes

Country	DPA	Scheme Status	Notes
Luxembourg	CNPD	Europrivacy implementation	First to operationalize Europrivacy
France	CNIL	Developing national criteria	Focus on health data processing
Germany	DSK/LDAs	Criteria development underway	Sector-specific schemes under consideration
Spain	AEPD	Criteria published for public sector	AEPD Seal for public administration processing
Italy	Garante	Exploring certification for controller compliance	Early stage

Sentinel Compliance Group Certification Pursuit

• Target Scheme: Europrivacy certification
• Scope: Cloud SaaS platform customer data processing operations (controller activities: account management, billing, support; processor activities: customer data hosting, analytics)
• Certification Body: Selected ECCP-accredited body based in Luxembourg
• Timeline: Self-assessment completed Q4 2024; documentation review Q1 2025; on-site audit Q2 2025; certification decision expected Q3 2025
• Gap Assessment Findings: 8 of 42 applicable criteria required enhancement (primarily in automated decision-making documentation, data portability format standardization, and TIA documentation completeness)
• Investment: Estimated EUR 85,000 for initial certification (assessment fees, remediation, internal effort)
• Expected Benefits: Art. 28 compliance demonstration to customers, Art. 83(2)(j) fine mitigation factor, competitive differentiation in EU market, transfer mechanism under Art. 46(2)(f) upon Commission recognition