Certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR
Guidelines 01/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR
SECTION 6 GUIDANCE FOR DEFINING CERTIFICATION CRITERIA
67. Certification criteria are an integral part of a certification mechanism. The certification procedure sets out how, by whom, to what extent and at what granularity the assessment shall take place in individual certification projects concerning a specific object or target of evaluation (ToE). The certification criteria provide the nominal requirements against which the actual processing operation defined in the ToE is assessed. These guidelines for defining certification criteria provide generic advice that will facilitate the assessment of certification criteria for the purpose of approval.
68. The following general considerations should be taken into account when approving or defining certification criteria. Certification criteria should:
- be uniform and verifiable;
- be auditable in order to facilitate the evaluation of processing operations under the GDPR, by specifying in particular the objectives and the implementing guidance for achieving those objectives;
- be relevant with respect to the targeted audience (e.g. business to business (B2B) and business to customer (B2C));
- take into account and, where appropriate, be inter-operable with other standards (such as ISO standards and national level standards); and
- be flexible and scalable for application to different types and sizes of organisations, including micro, small and medium sized enterprises, in accordance with Article 42(1) and the risk-based approach in accordance with Recital 77.