The first GDPR certification in Luxembourg

Since the entry into force of the General Data Protection Regulation (GDPR), many companies processing the data of Europeans have faced the task of achieving the much desired GDPR-compliance. However, no one can say exactly what it is and what criteria of this compliance should be achieved to consider themselves “in compliance”. Of course, we do not have a clear answer to this question either, because GDPR-compliance is not an end point, but a process that aims to constantly update and improve the practices of working with personal data in the company, or, more simply, to build privacy as a culture. 

Not so long ago we told you about GDPR Certified Assurance Report-Based Processing Activities Certification Criteria (GDPR-CARPA): a certification, which was presented by the Luxembourg National Commission for Personal Data Protection (CNPD) in June 2022. And today we already have the opportunity to highlight the first case of the supervisory authority granting accreditation to certify other companies.

The first company that can issue GDPR certificates in the EU (Luxembourg) 

The first such company is the EY office (EY PFS Solutions) in Luxembourg, which can already issue certificates under the “GDPR-CARPA” mechanism during the accreditation period, which is 5 years now. Thanks to this GDPR certification model, companies, public authorities, associations and other organizations based in Luxembourg have the opportunity to demonstrate that their data processing activities comply with the GDPR rules.

The presence of such a certificate will not only indicate a high level of compliance with the rules of personal data processing, but will also serve as a demonstration of the high level of the company and will contribute to the fact that other companies will be ready to actively cooperate with it or adopt the experience of building a privacy program. It is worth noting that such certification does not cover all the processing processes and GDPR compliance of the company as a whole, so it is impossible to rely solely on it to comply with the requirements of personal data protection laws.

As we have previously noted in our articles, GDPR-CARPA cannot be used:

  • to certify the processing of personal data specifically intended for children under 16;
  • for certification of the processing activities of  joint controllers;
  • for processing personal data on criminal convictions and criminal offenses;
  • for organizations that have not appointed a Data Protection Officer (DPO).

Why do we need this? 

The introduction of a certification mechanism will contribute to the overall level of awareness and compliance with the GDPR, as well as improve transparency, allowing data subjects to have a better assessment of the degree of protection offered by the products, services, processes or systems used or offered by organizations that process their personal data. GDPR certification mechanisms can also be useful in commercial relationships between companies, for example, between a controller (joint controller) and its processor (sub-processor). Thus, participants will be able to benefit from an independent certificate from a third party to demonstrate that their data processing operations comply with European standards.

A unique feature of the certification mechanism introduced by the CNPD is that it is based on the ISAE 3000 Type 2 report, which allows issuing an opinion on the correct implementation of the control mechanism and the auditor is formally responsible for it. This guarantees a high level of confidence in the certification, which is a key factor in that all entities involved in the processing processes trust the auditor’s conclusions and thus build the credibility of the mentioned certificate. 

What aspects are not covered by certification? 

The certification mechanism does not reduce the responsibility of the controller or processor for data processing. In the case of an audit conducted by the CNPD, having a certification (with regular audits by a third party) can demonstrate the organization’s efforts to comply with the GDPR and potentially reduce the degree of scrutiny of the audit. Engaging a processor with GDPR certification can also help a controller demonstrate its compliance with Article 28 of the GDPR. Of course, certification can also become an aggravating factor in the event of enforcement action by the CNPD: for example, when the actual practices of the organization do not comply with the certification and the supervisory authority decides to apply sanctions. In any case, the certificate is not an indulgence and an opportunity to somehow neglect its obligations under the GDPR, so it is necessary to constantly monitor the processes related to personal data in the company in case of violations or non-compliance with the standards. 

What can you do now? 

As we can see, certification mechanisms have started to appear in the EU, and your company can already start preparing for their application. As soon as national authorities start to introduce more widespread and comprehensive mechanisms, your company will be much more ready for the GDPR audit and certification process by special bodies.

We think it is no secret that soon there will be many more accredited organizations that will be able to issue certificates and they will be located in all EU countries. Thus, the GDPR certificate can become the basis and an integral part of the effective business in the EU, because when most companies have such a certificate, few people will want to cooperate with a company without a certificate. They may consider it a risk for themselves! 

That is why, if you are already working with personal data of Europeans, or plan to enter the EU market in the near future – you should already think about how to comply with the requirements of European laws and not expose yourself to the risk of fines from supervisory authorities and simplify the path to the certificate. This process can start slowly: for example, with the development of declarative GDPR documentation, and then the compliance plan – in particular, by fully documenting the company’s internal processes in accordance with the requirements of the GDPR.

The Legal IT Group team can help you with this, be sure to send us an email or book a call in case you are interested. 


    Your question to IT lawyers