The European Data Protection Board
Having regard to Article 42(5), Article 64(2) and Article 70(1)(o) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, (hereinafter “GDPR”),
Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA Joint Committee No 154/2018 of 6 July 2018,
Having regard to Article 3 and Article 22 of its Rules of Procedure of 25 May 2018,
HAS ADOPTED THE FOLLOWING DOCUMENT
1. EDPB APPROVAL of EU-wide certification criteria (EU DP Seal): REVIEW, SUBMISSION, ADMISSIBILITY and ADOPTION
Scheme owners (which may be organisations or private companies that are not themselves in charge of issuing certificates) or certification bodies should formally submit their EU-wide certification criteria, in the following order of precedence:
1) to the competent SA (CompSA) of the Member State where the scheme owner has its headquarters;
2) to the CompSA of the Member State where a certification body operating the certification mechanism has its headquarters, taking into account the Member State in which most certificates are likely to be issued.
SAs can also draft certification criteria for an EU-wide certification mechanism on their own initiative.
SAs can submit criteria for an EU-wide certification mechanism referred to in Article 42(5) for approval by the EDPB pursuant to Article 63 and Article 70(1)(o). The SA will carry out a review to ensure that the draft certification criteria meet the requirements for EU-wide GDPR certification criteria, taking into account the EDPB guidelines on certification. The CompSA's review will be supported by fully completing the assessment template for certification criteria adopted by the EDPB (both the national and the EU sections must be completed). The submission of this document to the EDPB can only be made once the CompSA considers that the criteria could be approved by the EDPB (see step 3a).
1.2. Initial admissibility of the certification criteria
If the draft criteria are not found acceptable by the CompSA, the CompSA will write to the scheme owner outlining the basis for its decision (see step 3b).
If the draft criteria are found acceptable by the CompSA, the CompSA will write to the scheme owner with confirmation that they will proceed to the next stage of the process and assess the draft criteria. This will trigger the following informal cooperation procedure in respect of assessing the criteria for approval.
1.3. Cooperation (informal cooperation phase at the SAs level)
The informal cooperation phase is integral to an efficient Board approval procedure. It enables the CompSA identified above to lead the assessment of the criteria and to provide feedback to the scheme owner as required. The CompSA will provide timely updates to the scheme owner about all phases.
The CompSA will issue a notification updating all SAs and will request, on a voluntary basis, a maximum of two co-reviewers to assist with the substantive assessment of the criteria (see step 4). The request for co-reviewers is made by email to the EDPB Secretariat. The email must include the EDPB assessment template completed by the CompSA.
The informal cooperation phase (see steps 4 to 6) can only start when the following documents are available in English and can be shared with the other SAs:
- the EDPB assessment template fully completed by the CompSA, including information on how all relevant national legislation has been addressed and on the planned roll-out in the Member States; and
- a copy of the criteria for certification and any relevant annexes.
Certification criteria related to specific Member State legislation can be submitted in their national language, if available.
The role of the co-reviewers is to assist the CompSA in assessing the draft criteria. The co-reviewers should ensure that they involve experts appropriate to the subject matter of the certification. Once the co-reviewers are confirmed, they should provide their comments on the criteria within 30 days of the documents being shared with them. The CompSA will take these comments into account when carrying out its assessment. This review will focus mainly on the technical acceptability of the certification criteria (see step 5).
Following the co-review, the CompSA will circulate the draft criteria to all SAs. The EDPB Secretariat may assist with the communication among SAs (see step 6). All concerned SAs will have 30 days to respond, and any significant issues may be brought to the relevant EDPB subgroup for discussion. This review will verify that national legislation has been covered appropriately and will also analyse whether the criteria covering that national legislation comply with it. If the SAs do not respond, the criteria proceed to the next stage of the procedure.
The CompSA can decide to repeat steps 5 & 6 as required.
Following any step of the informal cooperation phase, the CompSA can give the scheme owner the option to update the certification criteria to take account of the SAs' remarks.
Following step 6 and assuming a positive outcome, the CompSA will request a subgroup session to discuss the criteria under review (see step 7). The CompSA will update the EDPB assessment template with the key points from this session. Any actions raised in the meeting can be taken forward by the CompSA, and the criteria can be revised by the scheme owner.
At the end of the informal cooperation phase, the CompSA (in consultation with the scheme owner) decides whether or not to submit the certification criteria to the EDPB for formal approval. The CompSA makes the final determination as to whether the draft criteria should be submitted to the Board for approval pursuant to Article 63 of the GDPR. Where the CompSA decides not to submit the certification criteria to the EDPB, the process ends (see step 8b). A resubmission of the certification criteria at a later date will result in a new review process.
The scheme owner should take part in the review process at the informal phase. The competent SA should inform the scheme owner of the comments made during the cooperation phase and the scheme owner should be given the opportunity to ask for clarifications and to respond.