Guidelines 01/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR
SECTION 4 PROCESSING OPERATION, ARTICLE 42(1)
With respect to the scope of the certification mechanism (general or specific), are all relevant components of the processing operations (data, systems, and processes) addressed by the criteria?
a. Do criteria require identification of the valid legal bases of processing with respect to the ToE?
b. With respect to the ToE, do the criteria recognize the relevant phases of processing and the whole life-cycle of data, including the deletion and/or anonymisation?
c. With respect to the ToE, do the criteria require data portability?
d. With respect to the ToE, do the criteria allow identifying and reflecting special types of processing operations, e.g. automated decision making, profiling?
e. With respect to the ToE, do the criteria allow identifying special categories of data?
f. Do the criteria allow and require assessing the risk of the individual processing operations and the protection needs for the rights and freedoms of data subjects?
g. Do the criteria allow and require adequate account of the risks to the rights and freedoms of natural persons?