Guidelines 01/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR

Section 5.1  What can be certified under the GDPR?

50. The EDPB considers that the GDPR provides a broad scope for what can be certified under the GDPR, as long as the focus is on helping demonstrate compliance with this Regulation of processing operations by controllers and processors (Article 42.1).

51. When assessing a processing operation, the following three core components must be considered, where applicable:

• 1 personal data (material scope of the GDPR);

• 2 technical systems -the infrastructure, such as hardware and software, used to process the personal data; and

• 3 processes and procedures related to the processing operation(s).

52. Each component used in processing operations must be subject to assessment against the set criteria. At least four different significant factors can be of influence: 1) the organisation and legal structure of the controller or processor; 2) the department, environment and people involved in the processing operation(s); 3) the technical description of the elements to be assessed; and finally 4) the IT infrastructure supporting the processing operation including operating systems, virtual systems, databases, authentication and authorization systems, routers and firewalls, storage systems, communication infrastructure or Internet access and associated technical measures.

53. All three core components are relevant for the design of certification procedures and criteria. Depending on the object of certification the extent to which they are taken into account may vary. For example, in some cases, some components can be disregarded if they are judged not relevant to the object of the certification.

54. To further specify what may be certified under the GDPR, the GDPR contains additional guidance. It follows from Article 42.7 that certifications under the GDPR are issued only to data controllers and data processors, which rule out for instance the certification of data protection officers. Art. 43(1)(b) refers to ISO 17065 which provides for the accreditation of certification bodies assessing the conformity of products, services and processes. A processing operation or a set of operations may result in a product or service in the terminology of ISO 17065 and such can be subject of certification. For instance, the processing of employee data for the purpose of salary payment or leave management is a set of operations within the meaning of the GDPR and can result in a product, process or a service in the terminology of ISO.

55. On the basis of these considerations, the EDPB considers that the scope of certification under the GDPR is directed to processing operations or sets of operations. These may comprise of governance processes in the sense of organisational measures, hence as integral parts of a processing operation (e.g. the governance process established for complaints handling as part of the processing of employee data for the purpose of salary payment).

56. In order to assess the compliance of the processing operation with the certification criteria, a use case must be provided. For example, compliance of the use of a technical infrastructure deployed in a processing operation depends on the categories of data it is designed to process. Organisational measures depend on the categories and amount of data and the technical infrastructure used for processing, taking into account the nature, scope, content and purposes of the processing as well as the risks to the rights and freedoms of the data subjects.

57. Moreover, it must be kept in mind that IT applications can differ widely even though serving the same processing purposes. Therefore, this must be considered when defining the scope of the certification mechanisms and drafting the certification criteria, i.e. the scope ofcertification and criteria should not be so narrow as to exclude IT applications designed differently.