Adopted

Opinion 19/2024 on the EuroPrise criteria of certification regarding their approval by the Board as European Data Protection Seal pursuant to Article 42.5 (GDPR)

Adopted on 16 July 2024

Contents

1. SUMMARY OF THE FACTS 4

2. ASSESSMENT 5

2.1 Scope of the certification mechanism and Target of Evaluation (ToE) 5

2.2 Processing operations 5

2.3 Lawfulness and principles of data processing 6

2.4 General obligations of controllers and processors 6

2.5 Rights of the data subjects 6

2.6 Risks for the rights and freedom 6

2.7 Technical and organisational measures guaranteeing protection 6

2.8 Criteria for the purpose of demonstrating the existence of appropriate safeguards for transfer of personal data 7

3. ADDITIONAL CRITERIA FOR A EUROPEAN DATA PROTECTION SEAL 7

CONCLUSIONS / RECOMMENDATIONS 7

FINAL REMARKS 7

The European Data Protection Board

Having regard to Article 63, Article 64(2) and Article 42 of Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”),

Having regard to the European Economic Area (hereinafter “EEA”) Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018 [1],

Having regard to Articles 10 and 22 of its Rules of Procedure.

(1) Member States, supervisory authorities, the European Data Protection Board (hereinafter “the EDPB or the Board”) and the European Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms (hereinafter “certification mechanisms”) and of data protection seals and marks, for the purpose of demonstrating compliance with the GDPR of processing operations by controllers and processors, taking into account the specific needs of micro, small and medium-sized enterprises. [2]

In addition, the establishment of certification mechanisms can enhance transparency and allow data subjects to assess the level of data protection of relevant products and services. [3]

(2) The criteria of certification form an integral part of a certification mechanism. Consequently, the GDPR requires the approval of the criteria of a national certification mechanism by the competent supervisory authority (Articles 42(5) and 43(2)(b) GDPR), or in the case of a European Data Protection Seal, by the EDPB (Articles 42(5) and 70(1)(o) GDPR).

(3) When a supervisory authority (hereinafter “SA”) intends to propose the approval by the EDPB of a European data protection seal pursuant to article 42(5) GDPR, the SA should state the intention of the scheme owner to offer the certification mechanism in all Member States. In this case, the main role of the EDPB is to ensure the consistent application of the GDPR, through the consistency mechanism referred to in Articles 63, 64 and 65 GDPR. In this framework, according to Article 64(2) GDPR, the EDPB is approving the criteria of certification.

(4) This Opinion aims to ensure the consistent application of the GDPR, including by the SAs, controllers and processors, in the light of the core elements which certification mechanisms have to develop. In particular, the EDPB assessment is carried out on the basis of the “Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation” (hereinafter the “Guidelines”) and their Addendum providing “Guidance on certification criteria assessment” (hereinafter the “Addendum”), for which the public consultation period expired on 26 May 2021.

(5) Accordingly, the EDPB acknowledges that each certification mechanism should be addressed individually and is without prejudice to the assessment of any other certification mechanism.

[1] References to “Member States” made throughout this Opinion should be understood as references to “EEA Member States”.

[2] Article 42(1) GDPR.

[3] Recital 100 GDPR.

(6) Certification mechanisms should enable controllers and processors to demonstrate compliance with the GDPR. Therefore, their criteria should properly reflect the requirements and principles concerning the protection of personal data laid down in the GDPR and contribute to its consistent application.

(7) At the same time, scheme owners should ensure the alignment and conformity of the certification mechanism with any included or leveraged ISO standards and certification practices.

(8) As a result, certifications should add value to controllers and processors by helping to implement standardized and specified organizational and technical measures that demonstrably facilitate and enhance the compliance of processing operations with the GDPR, taking account of sector-specific requirements.

(9) The EDPB welcomes the efforts made by scheme owners to elaborate certification mechanisms, which are practical and potentially cost-effective tools to ensure greater consistency with the GDPR and foster the right to privacy and data protection of data subjects by increasing transparency.

(10) The EDPB recalls that certifications are voluntary accountability tools, and that the adherence to a certification mechanism does not reduce the responsibility of controllers or processors for compliance with the GDPR or prevent supervisory authorities from exercising their tasks and powers pursuant to the GDPR and the relevant national laws.

(11) In this Opinion, the EDPB addresses issues such as the scope of the criteria and the applicability and relevance of the criteria in all Member States.

(12) This Opinion focusses on the certification criteria. In case the EDPB requires high-level information on the evaluation methods in order to be able to thoroughly assess the auditability of the criteria in the context of its Opinion thereof, the latter does not encompass any kind of approval of such evaluation methods.

(13) The Opinion of the EDPB shall be adopted, pursuant to Article 64(2) GDPR in conjunction with Article 10(2) of the EDPB Rules of Procedure, within eight weeks from the first working day after the Chair and the competent supervisory authority have decided that the file is complete. Upon decision of the Chair, this period may be extended by a further six weeks taking into account the complexity of the subject matter. If the opinion of the EDPB concludes that the criteria at stake cannot be approved, the SA may resubmit the criteria for approval when the concerns expressed in the initial EDPB Opinion are addressed.

HAS ADOPTED THE FOLLOWING OPINION:

1. SUMMARY OF THE FACTS

1. In accordance with Article 42(5) GDPR and the Guidelines, the draft “EuroPriSe Criteria Catalogue for the certification of processing operations by processors (scope: EU) v1.5” (hereinafter the “draft certification criteria”, “certification criteria” or “criteria”) was drafted by EuroPriSe Cert GmbH (hereinafter the “scheme owner”), a legal entity in Germany, and submitted to the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, the competent German supervisory authority in North Rhine-Westphalia (hereinafter “DE-NRW SA”).

2. The Supervisory Authority of Germany (hereinafter the “DE SA”) has submitted the draft certification criteria to the EDPB for approval pursuant to Article 64(2) GDPR on 29 April 2024. The decision on the completeness of the file was taken on 29 May 2024.

3. The EuroPrise certification mechanism is not a certification according to article 46(2)(f) GDPR meant for international transfers of personal data and therefore does not provide appropriate safeguards within the framework of transfers of personal data to third countries or international organisations under the terms referred to in letter (f) of Article 46(2). Indeed, any transfer of personal data to a third country or to an international organisation shall take place only if the provisions of Chapter V GDPR are respected.

2. ASSESSMENT

4. The EDPB has conducted its assessment of the criteria of certification for their approval under Article 42(5) GDPR in line with the structure foreseen in Annex 2 to the Guidelines (hereinafter “Annex”) and its Addendum.

2.1 Scope of the certification mechanism and Target of Evaluation (ToE)

5. The EuroPrise certification mechanism contains certification criteria of an EU-wide certification scheme for the certification of processing by processors. The subjects of certification to which the criteria catalogue applies are processing operations performed in products, processes and services, or with the aid of (also several) products and services, and with regard to which the certification applicant is acting as a processor. The main criteria of this certification mechanism are divided into three sets of requirements, namely: from a legal perspective (set 1), from a technical and organisational measures perspective (set 2), and from the rights of the data subjects perspective (set 3).

6. Certification applicants under this scheme must be processors. This includes processors who are directly entrusted with the processing of personal data by a controller within the meaning of Article 4(7) GDPR. However, certification applicants may also be processors within the meaning of Article 28(2) and (4) GDPR (sub-processors).

7. When a processor certified under the EuroPrise certification scheme uses a sub-processor, the latter cannot claim that it has been certified under the EuroPrise certification scheme. Only processing operations performed by the initial and certified processor are covered by the certification in such a case. However, sub-processors can also apply for certification, which would result in a stand-alone and independent procedure.

8. The Board notes in the documentation related to the scope of the certification mechanism provided by the DE SA that the EuroPrise scheme applies to processors established in the European Union (EU) or in the European Economic Area (EEA).

2.2 Processing operations

9. The scope of these criteria is not limited to certain types of processing operations. It is rather the methodology underlying a EuroPrise evaluation which allows for certification of any processing operations by processors. It is, therefore, a universal methodological approach on the basis of which a large number of very different processing operations can be certified. Hence, it is of fundamental importance that the methodological requirements are adhered to, as this is the only way to ensure a uniform application of the certification criteria and a comparable level of testing across different certification procedures. The aim is to ensure comparability and reproducibility of the certifications issued and their results.

2.3 Lawfulness and principles of data processing

10. The criteria require the examination of whether the processing operations to be certified comply with the principles of data protection by design and by default (section 1.5 of the criteria), entailing the participation of the applicant in assisting the controller in the implementation of these principles. This allows assessing compliance with Article 25 GDPR, read in conjunction with Article 5 GDPR. While there is no criterion directly aiming at compliance with Article 6 GDPR, given the fact that the controller is responsible for the lawfulness of the processing, the criteria aim at ensuring that processor applicants design the processing operations to be certified in a way that facilitates controllers’ implementation of the Article 5 GDPR data protection principles, including the principle of lawfulness of processing.

2.4 General obligations of controllers and processors

11. The criteria reflect the relationship between the processor and the controller. In particular, the criteria provide the obligation of the processor to have in place a template of data processing agreement with the controller, which includes all the requirements of Article 28 GDPR (section 1.2 of the criteria).

12. The criteria require applicants to appoint a Data Protection Officer (DPO) according to Article 37 GDPR and provide a proof of the appointment of the DPO (e.g. certificate of appointment). The criteria check that the DPO meets the requirements under Articles 37 to 39 (set 1, section 1.1 of the criteria).

13. The criteria check the content of the records of processing activities in accordance with Article 30 GDPR (set 1, section 1.1 of the criteria).

2.5 Rights of the data subjects

14. The criteria adequately address data subjects’ right to information in accordance with Chapter III GDPR and require respective measures to be put in place. The criteria also require measures to be put in place providing for the possibility to intervene in the processing operation in order to guarantee data subjects’ rights and allow corrections, erasure or restrictions (set 3 of the criteria).

2.6 Risks for the rights and freedom

15. The criteria require the processor to be aware of the possible risks to the rights and freedoms of natural persons for the data processing involved in the ToE. If the processing of personal data is likely to result in a high risk to the rights and freedoms of natural persons, several criteria ensure that the applicant demonstrates that the requirements of Article 35 GDPR are fulfilled in accordance with Article 35 GDPR (section 1.2.2 of the criteria, requirement n° 6, section 1.3.2 of the criteria, section 1.3.3 of the criteria, section 2.1.5.1 of the criteria, section 2.1.5.9 of the criteria).

2.7 Technical and organisational measures guaranteeing protection

16. The criteria require the application of technical and organisational measures providing for confidentiality, integrity and availability of processing operations. The criteria also require the application of technical measures to implement data protection by design and by default in accordance with Article 25 and Article 32 GDPR (section 1.5 of the criteria, section 2.1 of the criteria / other documents).

17. The criteria require the application of measures to ensure that personal data breach notification duties are carried out in due time and scope in accordance with Article 33 GDPR (section 1.2.2 of the criteria, requirement n° 6).

2.8 Criteria for the purpose of demonstrating the existence of appropriate safeguards for transfer of personal data

18. The criteria require identifying all
