Guidelines 01/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR

Section 5.2  Determining the object of certification

58. The scope of a certification mechanism is to be distinguished from the object – also called the target of evaluation (ToE)  – in individual certification projects under a certification mechanism. A certification mechanism can define its scope either generally or in relation to a specific type or area of processing operations and can thus already identify the objects of certification that fall within the scope of the certification mechanism (e.g. secure storage and protection of personal data contained in a digital vault). At any instance, a reliable, meaningful assessment of conformity can take place only if the individual object of a certification project is described precisely. It must be described clearly which processing operations are included in the object of certification and then the core components, i.e. which data, processes and technical infrastructure, will be assessed and which will not. In doing so, the interfaces to other processes must always be considered and described as well. Clearly, what is not known cannot be part of the assessment and thus cannot be certified. In any case, the individual object of certification must be meaningful with respect to the message or claim made on/by the certification and should not mislead the user, customer or consumer.

59. [Example 1]

A bank offers to its customers a website for the purpose of online banking. In the framework of this service, there is the possibility to make transfers, buy shares, initiate standing orders and manage the account. The bank wishes to certify the following under a data protection certification mechanism with a general scope based on generic criteria:

a) Secure log-in

Secure log-in is a processing operation which is understandable for the end user and which is relevant from a data protection perspective since it plays an important part in ensuring the security of personal data involved. Therefore, this processing operation is necessary for secure log-in and can thus constitute a meaningful ToE if the certificate states clearly that only the log-in processing operation is certified.

b) Web front-end

Whilst the web front-end can be relevant from a data protection perspective it is not understandable by the end user and therefore cannot be a meaningful ToE. Moreover, it is not clear to the user which services on the website and thus which processing operations are covered by the certification.

c) Online banking

The web front end together with the back-end are processing operations provided within the online banking service which can be meaningful to the user. In this context, both must be included in the ToE. Whereas processing operations that are not directly connected to the provision of the online banking service, such as processing operations for the purpose of prevention of money laundering, can be excluded from the ToE.

However, the online-banking services offered by the bank via its website may also include other services which in turn require their own processing operations. In this context, other services may include, for example, the offering of an insurance product. Since this additional service is not directly connected with the purpose of providing online banking services, it can be excluded from the ToE. If this additional service (insurance) is excluded from the ToE, the interfaces for this service integrated on the website are part of the ToE and must therefore be described in order to clearly distinguish between the services. Such a description is necessary to identify and evaluate possible data flows between the two services.

60. [Example 2]

A bank offers to its customers a service allowing them to aggregate the information related to different accounts and credit cards from several banks (account aggregation). The bank wishes to have its service certified under the GDPR. The competent supervisory authority has approved a specific set of certification criteria focusing on this type of activity. The scope of the certification mechanism only addresses the following compliance aspects:

• user authentication; and

• acceptable ways to obtain the data to be aggregated from other banks/services.

Since the scope of this certification mechanism defines the ToE by itself, it is not possible to meaningfully narrow down the ToE under the proposed scope and certify only specific features or a single processing activity. In this scenario, a ToE must equal a specific scope.