Data protection: procedure for the approval of certification criteria by the EDPB

The European Data Protection Board (EDPB)* recently issued a document that details the procedure for certification criteria to be approved, hence becoming a common certification (the European Data Protection Seal) pursuant to GDPR (Art. 42).

*composed of EEA data protection authorities, established by GDPR

Procedure

Scheme owners (organisations or private companies that are not in charge of issuing certificates) or certification bodies must submit their EU-wide criteria of certification:

1) to the competent supervisory authority (data protection authority) where the scheme owners have their headquarters;

2) to the competent supervisory authority where a certification body operating the certification mechanism have their headquarters, considering the member state in which the most certificates are likely to be issued.

The draft criteria are reviewed -within 30 days- by all EU supervisory authorities and, if the process is successful, the updated draft criteria will be submitted to the EDPB for opinion.

The EDPB has 8 to 14 weeks to deliver an opinion. This opinion determines whether the EDPB approves the criteria as EU Data Protection Seal (EU DP Seal).

N.B: Supervisory authorities can also draft certification criteria on their own initiative.

Please find below an insightful graph on the procedure.

For any questions on this issue, do not hesitate to contact Camille Dornier: camille.dornier@eurosmart.com

click to enlarge