Certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR

Guidelines 01/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR

SECTION 6  GUIDANCE FOR DEFINING CERTIFICATION CRITERIA

67. Certification criteria are an integral part of a certification mechanism. The certification procedure includes the requirements of how, by whom, to what extent and the granularity of the assessment which shall take place in individual certification projects concerning a specific object or target of evaluation (ToE). The certification criteria provide the nominal requirements against which the actual processing operation defined in the ToE is assessed. These guidelines for defining certification criteria provide generic advice that will facilitate the assessment of certification criteria for the purpose of approval.

  • The following general considerations should be taken into account when approving or defining certification criteria. Certification criteria should:

  • be uniform and verifiable,

  • auditable in order to facilitate the evaluation of processing operations under the GDPR, by specifying in particular, the objectives and the implementing guidance for achieving those objectives;

  • be relevant with respect to the targeted audience (e.g. B2B and business to customer (B2C);

  • take into account and where appropriate be inter-operable with other standards (such as ISO standards, national level standards); and

  • be flexible and scalable for application to different types and sizes of organisations including micro, small and medium sized enterprises in accordance with Article 42(1) and the risk-based approach in accordance with Recital 77.

68. A small local company, such as a retailer, will usually carry out less complex processing operations than a large multinational retailer. While the requirements for the lawfulness of the processing operations are the same, the scope of data processing and its complexity must be taken into account; it follows that there is a need for certification mechanisms and their criteria to be scalable according to the processing activity inquestion.

author avatar
Richard V

You may also like

Children Safety Encryption www.privacad.com
Apple’s New Step to Protect Child Abuse via Encryption Feature
20 August, 2021
DNA Technology and Privacy www.privacad.com
DNA Technology Regulation Bill and Violation of Privacy for Minority Groups
19 August, 2021
www.privacad.com
India accuses Twitter of not complying with new IT rules
18 August, 2021