
      Certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR

      • Categories Blog, Business, Design / Branding, Free Data Protection Resources, Uncategorized
      • Date November 6, 2020

      Guidelines 01/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR

Section 5.2 Determining the object of certification

58. The scope of a certification mechanism is to be distinguished from the object – also called the target of evaluation (ToE) – in individual certification projects under a certification mechanism. A certification mechanism can define its scope either generally or in relation to a specific type or area of processing operations and can thus already identify the objects of certification that fall within the scope of the certification mechanism (e.g. secure storage and protection of personal data contained in a digital vault). At any instance, a reliable, meaningful assessment of conformity can take place only if the individual object of a certification project is described precisely. It must be described clearly which processing operations are included in the object of certification and then the core components, i.e. which data, processes and technical infrastructure, will be assessed and which will not. In doing so, the interfaces to other processes must always be considered and described as well. Clearly, what is not known cannot be part of the assessment and thus cannot be certified. In any case, the individual object of certification must be meaningful with respect to the message or claim made on/by the certification and should not mislead the user, customer or consumer.

      59. [Example 1]

      A bank offers to its customers a website for the purpose of online banking. In the framework of this service, there is the possibility to make transfers, buy shares, initiate standing orders and manage the account. The bank wishes to certify the following under a data protection certification mechanism with a general scope based on generic criteria:

      a) Secure log-in

      Secure log-in is a processing operation which is understandable for the end user and which is relevant from a data protection perspective since it plays an important part in ensuring the security of personal data involved. Therefore, this processing operation is necessary for secure log-in and can thus constitute a meaningful ToE if the certificate states clearly that only the log-in processing operation is certified.

      b) Web front-end

      Whilst the web front-end can be relevant from a data protection perspective it is not understandable by the end user and therefore cannot be a meaningful ToE. Moreover, it is not clear to the user which services on the website and thus which processing operations are covered by the certification.

      c) Online banking

The web front-end together with the back-end are processing operations provided within the online banking service which can be meaningful to the user. In this context, both must be included in the ToE. Whereas processing operations that are not directly connected to the provision of the online banking service, such as processing operations for the purpose of prevention of money laundering, can be excluded from the ToE.

      However, the online-banking services offered by the bank via its website may also include other services which in turn require their own processing operations. In this context, other services may include, for example, the offering of an insurance product. Since this additional service is not directly connected with the purpose of providing online banking services, it can be excluded from the ToE. If this additional service (insurance) is excluded from the ToE, the interfaces for this service integrated on the website are part of the ToE and must therefore be described in order to clearly distinguish between the services. Such a description is necessary to identify and evaluate possible data flows between the two services.

      60. [Example 2]

      A bank offers to its customers a service allowing them to aggregate the information related to different accounts and credit cards from several banks (account aggregation). The bank wishes to have its service certified under the GDPR. The competent supervisory authority has approved a specific set of certification criteria focusing on this type of activity. The scope of the certification mechanism only addresses the following compliance aspects:

      • user authentication; and

      • acceptable ways to obtain the data to be aggregated from other banks/services.

      Since the scope of this certification mechanism defines the ToE by itself, it is not possible to meaningfully narrow down the ToE under the proposed scope and certify only specific features or a single processing activity. In this scenario, a ToE must equal a specific scope.

      Richard V
