European Data Protection Seal - Procedure for the approval of certification criteria by the EDPB resulting in a common certification

Written by Lexalert

The European Data Protection Board

Having regard to Article 42(5), Article 64(2) and Article 70(1)(o) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, (hereinafter “GDPR”),

Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018,

Having regard to Article 3 and Article 22 of its Rules of Procedure of 25 May 2018,

HAS ADOPTED THE FOLLOWING DOCUMENT

1. EDPB APPROVAL of EU-wide certification criteria (EU DP Seal): REVIEW, SUBMISSION, ADMISSIBILITY and ADOPTION

1.1.     Submission

Scheme owners (which could be organisations or private companies that are not in charge of issuing certificates) or certification bodies should formally submit their EU-wide certification criteria (in order of application):

1) to the competent SA (CompSA) where the scheme owner has its headquarters;

2) to the CompSA where a certification body operating the certification mechanism has its headquarters, considering the Member State in which the most certificates are likely to be issued.

Furthermore, SAs can also draft certification criteria for an EU-wide certification mechanism on their own initiative.

SAs can submit criteria for an EU-wide certification mechanism referred to in Article 42(5) for approval by the EDPB pursuant to Article 63 and Article 70(1)(o). The SA will carry out a review to ensure that the draft certification criteria meet the requirements for EU-wide GDPR certification criteria, taking into account the EDPB guidelines on certification. The CompSA's review will be aided by fully completing the assessment template for certification criteria adopted by the EDPB (both the national and the EU sections are required to be completed). The submission of this document to the EDPB can only be made when the CompSA considers that the criteria could be approved by the EDPB (see step 3a).

1.2.     Initial admissibility of the certification criteria

If the draft criteria are not found acceptable by the CompSA, the CompSA will write to the scheme owner outlining the basis for its decision (see step 3b).

If the draft criteria are found acceptable by the CompSA, the CompSA will write to the scheme owner with confirmation that they will proceed to the next stage of the process and assess the draft criteria. This will trigger the following informal cooperation procedure in respect of assessing the criteria for approval.

1.3.     Cooperation (informal cooperation phase at the SAs level)

The informal cooperation phase is integral in enabling an efficient Board approval procedure. The informal cooperation phase will enable the CompSA identified above to lead the assessment of the criteria and provide feedback to the scheme owner as required. The CompSA will provide timely updates to the scheme owner about all phases.

The CompSA will issue a notification updating all SAs and will make a request seeking, on a voluntary basis, a maximum of two co-reviewers to assist with the substantive assessment of the criteria (see step 4). The request for co-reviewers is made via email to the EDPB Secretariat. The email communication must include the EDPB assessment template completed by the CompSA.

The informal cooperation phase (see steps 4 to 6) can only start when the following documents are available in English and can be shared with other SAs:

-      the EDPB assessment template fully completed by the CompSA. It shall include information about how all relevant national legislation has been addressed and about the planned roll-out in Member States; and

-      a copy of the criteria for certification and any relevant annexes.

Certification criteria related to specific Member State legislation can be submitted in their national language, if available.

The role of co-reviewers will be to assist the CompSA in assessing the draft criteria. The co-reviewers should ensure that they involve experts according to the certification subject. Once the co-reviewers are confirmed, comments from them on the criteria should be provided within thirty days from the moment that the documents are shared with them. These comments will then be considered by the CompSA when carrying out its assessment. The review will mainly focus on the technical acceptability of the certification criteria (see step 5).

Following the co-review, the CompSA will circulate the draft criteria to all SAs. The EDPB Secretariat may assist with the communication among SAs (see step 6). All concerned SAs will have 30 days to respond and any significant issues could be brought to the relevant EDPB subgroup for discussion. The review will consist of making sure that national legislation has been covered appropriately and it will also include the analysis of the compliance of the criteria covering the national legislation. If the SAs do not respond, the criteria will continue to the next stage of the procedure.

The CompSA can decide to repeat steps 5 & 6 as required.

Following any step of the informal cooperation phase, the CompSA can give the scheme owner the option to update the certification criteria taking into account the SAs' remarks.

Following step 6 and presuming a positive outcome, the CompSA will request a subgroup session to discuss the criteria under review (see step 7). The CompSA will update the EDPB assessment template with the key points from this session. Any actions raised in the meeting can be taken forward by the CompSA and the criteria can be revised by the scheme owner.

At the end of the informal cooperation phase, the CompSA (in consultation with the scheme owner) can decide whether or not to submit the certification criteria to the EDPB for formal approval. The CompSA will make the final determination as to whether the draft criteria should be submitted to the Board for approval as per Article 63 of the GDPR. Where the CompSA decides not to submit the certification criteria to the EDPB, the process ends (see step 8b). A resubmission of the certification criteria at a later date will result in a new review process.

The scheme owner should take part in the review process at the informal phase. The competent SA should inform the scheme owner of the comments made during the cooperation phase and the scheme owner should be given the opportunity to ask for clarifications and to respond.

1.4.     Formal submission and approval (EDPB phase)

The approval of an EU Data Protection Seal takes place under the procedure of an Article 64(2) opinion.

The CompSA is asked to take into consideration the working schedule of the CEH ESG before making its submission via IMI.

The formal submission must be made via the IMI platform (step 8a). It shall fulfil the following admissibility criteria for acceptance by the EDPB:

-      All relevant documents must be submitted in English;

-      The EDPB assessment template must be completed by the CompSA and submitted (the template must be updated according to the result of the initial review phase); and

-      A copy of the certification criteria and any annexes must be submitted.

The Secretariat will check that all documents are present and complete. The Secretariat may request the CompSA to provide, within a specific timeframe, any additional information needed for the file to be complete. As a general rule, and without prejudice to other translations where necessary or required by law, all relevant documents should be provided by the applicant in the language of the CompSA and also in English. When necessary, for instance for documents not originating from or drafted by the SA, the documents submitted by the CompSA will be translated into English by the Secretariat without undue delay. In such cases, when the competent authority agrees on the translation, and the Chair and the CompSA decide that the file is complete, the Secretariat, on behalf of the Chair, will circulate the file to the members of the Board.

The opinion of the Board shall be adopted within eight weeks after the Chair and the CompSA (where relevant) have decided that the file is complete. It may be extended by a further six weeks, taking into account the complexity of the subject matter, upon decision of the Chair on its own initiative or at the request of at least one third of the members of the Board.

Before draft opinions are submitted to the vote of the Board, they shall be prepared and drafted by the Secretariat and, upon decision of the Chair, together with a rapporteur and expert subgroup members. Depending on the scope of the certification mechanism, the expertise of other EDPB subgroups may be requested in order to prepare the opinions.

Upon decision of the Chair, a drafting team can be set up, depending on the timing of submission, via email or at a CEH meeting. The call for drafting team volunteers will be made by the Secretariat together with the CEH expert subgroup co-ordinators. In order to avoid conflicts of interest, the CompSA should not be part of the core drafting team. However, any questions can always be addressed by the core drafting team to the CompSA.

The Secretariat and the drafting team (where relevant) review the submitted certification criteria and supporting documents (including the assessment template) and draft the opinion. This will always involve consideration of what was stated in previous opinions on the same subject, in order to ensure consistency. The EDPB assessment template submitted by the CompSA can be used as an internal working document when preparing the draft opinion. This review must take place within the opinion deadlines.

1.5.     Article 64(2) opinion

Under Article 64(2) and Article 70(1)(o), the EDPB shall issue an opinion and approval pertaining to the matters outlined in Article 42(5) of the GDPR (see step 9).

The rules of Article 10 of the EDPB Rules of Procedure apply to the adoption of an opinion. The SA that decides to ask for an opinion under Article 64(2) will have to provide written reasoning for the request, as per Article 10(3) RoP. In the context of a request for approval by the EDPB of a European Data Protection Seal for certification criteria, the CompSA has to ask for an opinion under Article 64(2) regarding a matter producing effects in more than one Member State.

The EDPB's approval process is completed by the approval or the rejection of the EU Data Protection Seal request for the submitted criteria. Under Article 64(2) there is no need for a follow-up of the opinion of the Board.

The EDPB's opinion under Article 64(2) is applicable in all Member States.


1.6.     Further steps following approval of EU Data Protection Seal

The following steps must be completed after the approval of EU DP Seal criteria:

-      the Secretariat publishes the opinion containing the EDPB Data Protection Seal approval or rejection;

-      the CompSA will inform the scheme owner about the outcome of the EDPB's approval process for the EU Data Protection Seal request;

-      the lead/co-ordinating CompSA is responsible for ensuring the transmission to the Secretariat of the documents required for publication in the EDPB public register.

If the EDPB rejects the EU Data Protection Seal request via a negative opinion:

-      the CompSA informs the scheme owner that, according to the EDPB's opinion, the certification mechanism does not meet the requirements for EDPB approval;

-      the CompSA can decide to resubmit certification criteria to request an EU Data Protection Seal. The CompSA can decide either to start a new informal cooperation phase or to submit the criteria directly to the Article 64(2) opinion phase.

Guidance on the European Commission’s powers under Article 43(8) and (9) will be added in due course, along with any further requirements for international transfer criteria.

Figure: Workflow - EDPB's approval of EU Data Protection Seal certification criteria