Luxembourg Data Protection Authority announces adoption of world's first GDPR certification mechanism

The GDPR-CARPA (‘GDPR Certified Assurance Report-Based Processing Activities Certification Criteria’) will allow companies, public authorities, associates and other organisations established in Luxembourg to demonstrate compliance with the GDPR in relation to specific data processing operations. The CNPD had presented the GDPR-CARPA at a conference which took place on 28 June 2022.

1. What is GDPR-CARPA?

The GDPR-CARPA is a certification scheme under Art. 42 GDPR. 

The CNPD will accredit competent certification bodies that will issue GDPR certifications based on detailed certification criteria. The list of the accredited certification bodies has not been announced yet. The certification will only apply to specific processing operations and will be valid for three years; this period may be renewed following an audit.

2. To whom does GDPR-CARPA apply?

The certification will apply to controllers and processors (for all sectors), established in Luxembourg, that are processing personal data.
 
The GDPR-CARPA will not certify all processing operations of an organisation but only specific processing activities. According to the CNPD, examples of processing activities that are eligible for the certification include the following:

• Human resources processing activities;
  
  
• Processing for anti-money laundering (AML) and or know-your-customer (KYC) purposes; and
  
  
• Software-as-a-service (SaaS) services provided by a processor.

The CNPD gave the following example of a processing activity that cannot be certified: a software created and commercialised as such by a developer, because the developer would in this case neither be a controller nor a processor.

3. What is not covered by the scheme?

The CNPD noted that the scheme is not suitable for, among other things, processing operations that are under joint control, processing of personal data relating to criminal convictions and offences, processing specifically targeting children under 16 years, or for entities that have not appointed a data protection officer (DPO). 

The CNPD specified explicitly that this certification scheme is not intended to be used in relation to international transfers of personal data and does not provide appropriate safeguards under Chapter V GDPR. This being said, on 30 June 2022, the European Data Protection Board (the EDPB) adopted its draft Guidelines on certification as a tool for international data transfer, providing for specific certification criteria for the purpose of demonstrating the existence of appropriate safeguards for data transfers to third countries without adequacy status. You can read an Allen & Overy summary of the draft EDPB Guidelines in our blog here.

4. What are the certification criteria?

The Decision 15/2022 of 13 May 2022 approving the certification criteria of the GDPR-CARPA was adopted following the EDPB Opinion on the draft certification criteria dated 1 February 2022. The certification criteria are divided into three sections:

• General accountability and governance criteria, applicable to both controllers and processors (covering policies and procedures, records of processing activities, data subjects rights, the designation and position of DPOs, data breaches and awareness and competencies);
  
  
• Principles applicable to controllers (covering lawfulness and transparency of processing activities, transfer to third countries, principles of data minimisation, accuracy, storage limitation, data security, data protection impact assessments and outsourcing); and
  
  
• Principles applicable to processors (covering contracts with controller and with sub-processors, outsourcing relationships, security, assessment of subcontracting, transfers to third countries, as well as procedures that apply on termination or expiry of services relating to processing, such as return or deletion of data).

Each section includes detailed references to the GDPR and minimum criteria for each requirement. The document may also be used as helpful guidance by those companies not applying for the certification (including outside of Luxembourg), as it shows the elements that a regulator would likely focus on in case of an investigation.

5. What are the benefits of GDPR-CARPA?

The certification mechanism is expected to provide a large variety of benefits to companies as well as to data subjects. First, the scheme is designed to be general and thus suitable for actors in all sectors. Second, controllers and processors certified under the scheme can demonstrate that they operate according to high data protection standards and thus increase data subject confidence in their organisation. Third, it improves the transparency of organisations about their data processing operations. Finally, data subjects can also better assess the level of data protection offered by the products, services, processes or systems of organisations undertaking processing operations covered by the certification.
  
However, the certification mechanism does not reduce the responsibility of the controller or the processor for their data processing. In case of an audit carried out by the CNPD, the existence of the certification (with its regular third party audits) could demonstrate the efforts of an organisation to comply with GDPR requirements, and potentially decrease the degree of scrutiny. Engaging a processor with GDPR certification could also help the controller demonstrate its compliance with Article 28 GDPR. Of course, the certification could also become an aggravating factor in case of the CNPD enforcement action where the actual practices of an organisation do not align with the certification.

6. When will controllers and processors be able to apply for GDPR-CARPA?