Guidelines 01/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR
SECTION 10 TECHNICAL AND ORGANISATIONAL MEASURES GUARANTEEING PROTECTION
a. Do criteria require the application of technical and organisational measures providing for confidentiality of processing operations?
b. Do criteria require the application of technical and organisational measures providing for integrity of processing operations?
c. Do criteria require the application of technical and organisational measures providing for availability of processing operations?
d. Do criteria require the application of measures providing for transparency of processing operations with respect to
e. Accountability?
f. Data subjects' rights?
g. Assessment of individual processing operations, e.g. for algorithmic transparency?
h. Do criteria require the application of technical and organisational measures guaranteeing data subjects’ rights, e.g. the ability to provide information, or to data portability?
i. Do criteria require the application of technical and organisational measures providing for the ability to intervene in the processing operation in order to guarantee data subjects' rights and allow corrections, erasure or restrictions?
j. Do criteria require the application of measures providing for the ability to intervene in the processing operation in order to patch or check the system or the process?
k. Do criteria require the application of technical and organisational measures to ensure data minimisation, for example, unlinking or separation of the data from the data subject, anonymisation or pseudonymisation or isolation of data systems?
l. Do criteria require technical measures to implement data protection by default?
m. Do criteria require technical and organisational measures implementing data protection by design, e.g. a data protection management system to demonstrate, inform, control and enforce data protection requirements?
n. Do criteria require technical and organisational measures implementing appropriate periodic training and education for the personnel having permanent or regular access to personal data?
o. Do criteria require reviewing measures?
p. Do criteria require self-assessment / internal audit?
q. Do criteria require measures to ensure that personal data breach notification duties are carried out in due time and scope?
r. Do criteria require incident management procedures to be in place and verified?
s. Do criteria require monitoring of evolving privacy and technology issues and updating of the scheme as required?