CNPD adopts GDPR-CARPA certification criteria
On 13 May 2022 the Luxembourg data protection supervisory authority (CNPD) adopted its new certification criteria GDPR-CARPA, making Luxembourg the first EU Member State to establish a certification under the criteria of the GDPR.
What is the GDPR-CARPA certification scheme?
GDPR-CARPA is a certification scheme under article 42 of the GDPR. Its purpose is to allow data controllers and processors to demonstrate compliance of their personal data processing operations with the requirements of the GDPR.
In its decision N° 15/2022 of 13 May 2022,[1] the CNPD officially adopted the GDPR-CARPA certification criteria under which interested organizations may be certified by competent certification bodies. These certification bodies will be approved by the CNPD on the basis of criteria already adopted by the CNPD under decision N° 8/2020 of 3 April 2020[2] (the “Luxembourg accreditation requirements of certification bodies (art 43(1)(a)) – Set Alpha”). It’s expected that the CNPD will publish a list of such certification bodies in the future.
For the CNPD, this is the culmination of several years’ work with the various stakeholders in the field of data protection. The first public consultation on the certification was in June 2018 and the opinion of the European Data Protection Board (EDPB) on the GDPR-CARPA criteria came on 1 February 2022 (Opinion 1/2022).[3]
To whom and to what is it applicable in Luxembourg?
To benefit from this certification, it’s necessary to be a company, administration, organization, or another entity established in Luxembourg processing personal data.
The certification applies to personal data processing activities to be identified by the applying entity. In a document made available online, the CNPD recommends defining such processing by distinguishing four levels of significant elements or components:
- Level 1: defining the concerned organisation and its specific legal ecosystem (eg Financial institution).
- Level 2: defining the circumstances and purposes of the processing (eg HR Department).
- Level 3: defining the functional application used to implement the abovementioned purposes (eg SAP-HR).
- Level 4: defining the IT infrastructure used for such processing (eg Windows, server farm, Oracle DB).
On its website, the CNPD states that the GDPR-CARPA certification is not suitable:
- for certifying processing of personal data specifically targeting minors under the age of 16;
- for certifications of processing activities under joint control;
- for processing activities under Article 10 of the GDPR (ie processing of personal data relating to criminal convictions and offences); and
- for entities that have not formally appointed a DPO (Article 37 of the GDPR).
It’s also important to remember that the GDPR-CARPA certification is not meant to be used as appropriate safeguards for transfers of personal data to third countries as referred to under Article 46(2)(f) GDPR.
GDPR-CARPA certification criteria
The GDPR-CARPA Certification criteria approved by the CNPD are divided into three sections:
- A first section relating to data governance in general within the applying entity, irrespective of whether it’s acting as a controller or processor (such as policies and procedures, records of processing activities, data subjects’ rights, DPO, data breaches).
- A second section that only relates to entities acting as data controllers to check compliance with the main data protection principles under article 5 GDPR.
- A third section that only relates to entities acting as data processors (contracts with controllers and subcontracting, security, transfer of personal data to third countries).
The certification process consists of several steps:
- The application for certification, and the applicability of the scheme to the applying entity, is assessed. The applying entity has to execute engagement letters for the performance of the mission by the certification body.
- Certification audits are performed by the certification body based on the norm ISAE 3000.
- The decision to certify the organization is made in consideration of the GDPR-CARPA criteria and the decision is communicated to the CNPD.
- The certificate is issued by the certification body.
- Compliance with the GDPR-CARPA criteria is monitored.
It should be noted that the CNPD's decision focuses more on the material criteria for certification than on the certification process itself, the latter being subject to future clarifications, if necessary.
In accordance with article 42 (5) GDPR, the GDPR-CARPA certificate delivered by the certification body will last for three years. According to the CNPD’s website, it’s subject to a successful annual comprehensive audit.
The certification may be used to demonstrate compliance with the GDPR. However, according to article 42 (4) of the GDPR, it does not reduce the responsibility of the controller or the processor for compliance with the GDPR and is without prejudice to the tasks and powers of the supervisory authorities.
[1] Decision N° 15/2022 of 13 May 2022 of the Commission nationale pour la protection des données implementing Article 15 of the Law of 1 August 2018 on the organisation of the Commission nationale pour la protection des données and on the general data protection regime.
[2] Decision N° 8/2020 of 3 April 2020 of the Commission nationale pour la protection des données approving the accreditation criteria for certification bodies.
[3] Opinion 1/2022 on the draft decision of the Luxembourg Supervisory Authority regarding the GDPR certification criteria, adopted on 1 February 2022.