Guidelines 01/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR

SECTION 5  THE DEVELOPMENT OF CERTIFICATION CRITERIA

46. The GDPR established the framework for the development of certification criteria. Whereas fundamental requirements concerning the procedure of certification are addressed in Articles 42 and 43 while also providing essential criteria for certification procedures, the basis for certification criteria must be derived from the GDPR principles and rules and help to provide assurance that they are fulfilled.

47. The development of certification criteria should focus on verifiability, significance, and suitability of certification criteria to demonstrate compliance with the Regulation. The certification criteria should be formulated in such a way that they are clear and comprehensible and that they allow practical application.

48. When drafting certification criteria the following compliance aspects in support of the assessment of the processing operation, inter alia, shall be taken into account, where applicable:

• the lawfulness of processing pursuant to Article 6;

• the principles of data processing pursuant to Article 5;

• the data subjects’ rights pursuant to Articles 12-23;

• the obligation to notify data breaches pursuant to Article 33;

• the obligation of data protection by design and by default, pursuant to Article 25;

• whether a data protection impact assessment, pursuant to Article 35(7)(d) has been conducted, if applicable; and

• the technical and organisational measures put in place pursuant to Article 32.

49. The extent to which these considerations are reflected in the criteria may vary depending on the scope of certification which may include the type of processing operation(s) and the area (e.g. health sector) of certification.