THE EPRIVACYCERT PRIVACY SEAL

CERTIFICATION PROGRAMME

(Currently in the accreditation process)

 

What is the purpose of a state-accredited data protection seal of approval? 

Obtaining the state-accredited ePrivacycert privacy seal (pursuant to Art. 42 GDPR) enables companies in the EU to demonstrate publicly that their data processing procedures comply with GDPR. Data protection seals also serve to fulfil any obligations of proof to supervisory authorities, as well as proof of the existence of the necessary guarantees for data transfers to third countries.

Certification with the ePrivacycert Privacy Seal is therefore the possibility to document compliance with GDPR via a state-accredited process.

 

On the way to the state data protection seal of approval.

At the end of 2021, the technical examination by the German Accreditation Body (DAkkS) was already passed. The positive feedback from the Hamburg Commissioner for Data Protection and Information Security (HmbBfDI) came at the beginning of 2022. This means that the second major hurdle on the way to accreditation has been made. The next step is getting confirmation from European Data Protection Authority (EDSA). Everything has been initiated by our expert team to proceed with the next steps. Auditing can soon be completed in cooperation with DAkkS and HmbBfDI.

 

Take advantage of the accredited ePrivacycert Privacy Seal:

 

  • Proof compliance with the rules of GDPR
  • Increase the reputation of your company in Germany and globally
  • Proof of the permissibility of data transfers to third party countries
  • Obtain the legal effects of Art. 42, 43 GDPR
  • Provide transparency of audit results through independent certification body
  • Show data protection compliance in market communication
  • Earn competitive advantages in the market
  • Demonstrate GDPR compliance of your product in pitches, tenders, to investors and other stakeholders.

 

Varies steps must be completed to obtain a certificate:

Phase A: Pre-Assessment (this can start immediately as of now)

We will have a kick-off meeting and discuss the next steps with you. Before the certification process, a pre-assessment  is mandatory to create prerequisites. This pre-assessment is comparable to ePrivacyseal (not governmentally accredited). 


DEFINITION

Joint goal setting of certification process

WORKSHOP

Product check, technical, organizational + legal requirements

OPTIMISATION

If necessary, technical product check, legal recertification

FINAL CHECK

Review by experts, if necessary, suggestions for improvement or conditions relevant to the quality seal

 

DONE!


The following topics are typically discussed during a pre-assessment:

 

1 Definition (together)

Company- and/or product-specific goal setting of the certification process.

 

2 Workshop

A product check is carried out by experienced experts within technical, organizational, and legal requirements. At this stage, state of the art and possible needs for adapting will be discussed.

 

3 Optimization (if necessary)

A technical tune-up of the product is carried out as well as a legal correction of contracts and consents. 

 

4 Final check 

A product check is carried out by professional experts according to the technical, organizational, and legal criteria of ePrivacyseal criteria catalogue. If necessary, recommendations are made for further improvements. The imposition of conditions that must be fulfilled to receive the seal of approval. Many companies use such a pre-assessment as a test. This test determines whether the strict requirements for certification with a data protection seal of approval in accordance with Article 42 of the GDPR can be met at all.

Phase B/ ePrivacycert: Certification (planned)

Once the pre-assessment has been successfully passed, the certification process begins.

OBJECT OF CERTIFICATION

Determination with lead auditor/project manager of the certification object, attachment of all evaluation documents

 

AUDIT

Current state analysis + evaluation, evaluation report + short report by auditor, publication on ePrivacycert website

 

RESULTS

Validation by head of certification body, evaluation of certifiability

 

DECISION

Certification decision by head of certification body, documentation, certificate valid for 3 years

 

AUTHORISATION

Certificate and seal of approval (with rights of use) are sent to the applicant

 

REVIEW+MONITORING

Procedure + certification agreement includes a 2-month, future review by auditors

 

DONE!

Object of certification

Within ePrivacycert, a lead auditor is first selected by the certification manager as project manager and contact person for your company with the corresponding certification mandate. This lead auditor determines the certification object of TOE (Target of Evaluation) program in collaboration with you. TOE refers to the processing of personal data (data processing operations), for example in digital products and services, resp. generally all data processing operations in which personal data are collected, stored, processed etc. according to Art. 4 DSGVO.

 

The Lead Auditor continues to create the evaluation documents and guides you and your company through the entire program. He supports you in summarizing your individual data processing steps in a data flow analysis.

 

A different source of documentation is a detailed questionnaire that you need to fill out.

Based on this information and the data flow analysis, the lead auditor records data processing operations.

 

The lead auditor then identifies data types to accurately capture and identify all data categories,

 

  • which data is processed
  • what purpose does the processing serves
  • where the data is stored locally
  • which storage period the respective data is subject to, or which deletion periods exist in this respect.

 

In the following step, the auditors record whether cookies are used for the product, what purpose they have, by whom cookie content is provided, how a cookie is structured, what lifetime it has and in which category it falls.

 

The aspect of third parties is then documented. Many companies, especially in the digital industry, often work with sub-service providers. All service providers and the associated processes are recorded in a table.

 

Finally, the protection requirement class is determined. For example, health-related data types lead to a higher protection needs than cookie IDs. 

 

Furthermore, the auditors jointly determine the investigation method for the respective criterion. For this purpose, the auditors can choose from a range of investigation methods, such as interview, technical audit, process audit etc.

 

2 Audit

Afterwards, the current-state analysis and evaluation begins: the audit. Therefore, auditors prepare the evaluation report.

Congruent with the previously determined test objects and the applied

determination method, the evaluation report is documented by both auditors based on the documents and information determined in the previous phases. In addition, the lead auditor prepares a short report to summarize the essential results. At the end, the short report is published on the website of ePrivacycert GmbH.

 

3 Results

In the next step, the head of the certification body will carry out the mandatory validation of the results found by the auditors. She/he is responsible for assessing the certifiability and is checking the results from the previous investigation phase for compliance with the certification requirements. If the responsible person concludes that the certificate is to be granted, this decision is documented by him. 

 

4 Decision

At the end, the head of the certification body makes the actual certification decision, which must be documented:

 

  • the granting of the certificate
  • a possible expansion
  • a limitation
  • the suspension or
  • the redemption of the certificate

 

The certificate is usually awarded for three years. The head of the certification body informs the applicant about the decision and initiates the publication of the certificate. 

 

Authorisation 

At the same time, the certificate is issued and sent to the applicant. The certificate is also published publicly on the website. Furthermore, the applicant is granted the rights to use the certificate and the quality seal.

 

Review + Monitoring

The certification agreement between ePrivacycert GmbH and the applicant, includes a future review of the results of the evaluation by the auditors. The review needs to be repeated two times within the certified cycle.