Guidelines 01/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR

Paragraph 4.2.2  European Data Protection Seal criteria

39. The EDPB will co-ordinate the assessment process and approve the European Data Protection Seal criteria as required. The assessment will address such areas as: the criteria’s scope and the ability to serve as a common certification. Where the criteria are approved by the EDPB, the competent supervisory authority for the EU headquarters of the certification body is expected to handle complaints about the mechanism itself and inform the other supervisory authorities. This supervisory authority is also competent to take measures against the certification body. As the case may be, the competent supervisory authority will notify the other supervisory authorities and the EDPB.

40. Certification criteria addressing a common certification are subject to EU-wide demands and should provide a specific mechanism to cope with these demands. European certification mechanisms must be intended for use in all Member States. Based on Article 42(5) the mechanism for a European Data Protection Seal as well as its criteria needs to be customisable in a way as to take into account national sector specific regulations where applicable, e. g., for data processing in schools and shall envisage a European-wide application.

41. Example: An international School offering schooling to data subjects in the Union is based in Member State “A”. The school wishes to certify its online application process with an EU-wide certification scheme to earn a European Data Protection Seal. This school aims to apply for certification of processing operations offered by a certification body established in Member State “B” on the basis of a European Data Protection Seal. The Seal criteria designed and documented in the relevant mechanism must be able to take into account the regulations for schools applicable in Member State “A”. The criteria should also require the school’s online application process to provide information and take account of the applicable Member State data protection requirements that may differ in other Member States An example is sets of personal data to be submitted for application purposes, e.g. kindergarten grades or test results, differing retention periods, collection or processing of financial or biometric data, further processing limitations.

1 High level criteria for approval of a European Data Protection Seal mechanism include:

• a) criteria approved by the Board;

• b)application across jurisdictions reflecting where appropriate national legal requirements and sector specific regulations;

2 Harmonised criteria which are customisable to reflect national requirements;

• a) description of the certification mechanism specifying;

• b) the certification agreements, recognizing pan-European requirements;

• c) procedures to ensure and provide solutions for national variance and ensure the Seal helps demonstrate GDPR compliance; and

• d) the language of the reports addressing all affected supervisory authorities

42. The annex also contains advice on the European Data Protection Seal criteria.