Guidelines 01/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR
Section 6.2 Defining criteria
70. Certification criteria must correspond to the certification statement (message or claim) of a certification mechanism or scheme and match the expectations it raises. The name of a certification mechanism may already identify the scope of application and will have consequences for the determination of criteria.
71. [Example 3] A mechanism called “HealthPrivacyMark” should limit its scope to the health sector. The seal name raises the expectation that data protection requirements in connection with health data have been examined. Accordingly, the criteria of this mechanism must be adequate for assessing data protection requirements in this sector.
72. [Example 4] A mechanism that relates to the certification of processing operations comprising governance systems in data processing should identify criteria that allow for the recognition and assessment of governance processes and their supporting technical and organisational measures.
73. [Example 5] The criteria for a mechanism that relates to cloud computing need to take account of the special technical requirements necessary for the use of cloud-based services. For instance, if servers are used outside the EU, the criteria must consider the conditions laid down in Chapter V of the GDPR with respect to data transfers to third countries.
74. Criteria designed to fit different ToEs in different sectors and/or Member States should: allow application to different scenarios; allow identification of the adequate measures to fit small, medium, or large processing operations; and reflect the risks of varying likelihood and severity to the rights and freedoms of natural persons in line with the GDPR. Consequently, the certification procedures (e.g. for documentation, testing, or evaluation method and depth) complementing the criteria must respond to these needs and must have rules in place, for example, for applying the relevant criteria in individual certification projects. Criteria must facilitate an assessment as to whether sufficient guarantees for the implementation of appropriate technical and organisational measures have been provided.