THE EPRIVACYCERT PRIVACY SEAL

CERTIFICATION PROGRAMME

(Currently in the accreditation process)

What is the purpose of a state-accredited data protection seal of approval? 

Obtaining the state-accredited ePrivacycert privacy seal (pursuant to Art. 42 GDPR) enables companies in the EU to demonstrate publicly that their data processing procedures comply with GDPR. Data protection seals also serve to fulfil any obligations of proof to supervisory authorities, as well as proof of the existence of the necessary guarantees for data transfers to third countries.

Certification with the ePrivacycert Privacy Seal is therefore the possibility to document compliance with GDPR via a state-accredited process.

On the way to the state data protection seal of approval.

At the end of 2021, the technical examination by the German Accreditation Body (DAkkS) was already passed. The positive feedback from the Hamburg Commissioner for Data Protection and Information Security (HmbBfDI) came at the beginning of 2022. This means that the second major hurdle on the way to accreditation has been made. The next step is getting confirmation from European Data Protection Authority (EDSA). Everything has been initiated by our expert team to proceed with the next steps. Auditing can soon be completed in cooperation with DAkkS and HmbBfDI.

Take advantage of the accredited ePrivacycert Privacy Seal:

• Proof compliance with the rules of GDPR
• Increase the reputation of your company in Germany and globally
• Proof of the permissibility of data transfers to third party countries
• Obtain the legal effects of Art. 42, 43 GDPR
• Provide transparency of audit results through independent certification body
• Show data protection compliance in market communication
• Earn competitive advantages in the market
• Demonstrate GDPR compliance of your product in pitches, tenders, to investors and other stakeholders.

1 Object of certification

Within ePrivacycert, a lead auditor is first selected by the certification manager as project manager and contact person for your company with the corresponding certification mandate. This lead auditor determines the certification object of TOE (Target of Evaluation) program in collaboration with you. TOE refers to the processing of personal data (data processing operations), for example in digital products and services, resp. generally all data processing operations in which personal data are collected, stored, processed etc. according to Art. 4 DSGVO.

The Lead Auditor continues to create the evaluation documents and guides you and your company through the entire program. He supports you in summarizing your individual data processing steps in a data flow analysis.

A different source of documentation is a detailed questionnaire that you need to fill out.

Based on this information and the data flow analysis, the lead auditor records data processing operations.

The lead auditor then identifies data types to accurately capture and identify all data categories,

• which data is processed
• what purpose does the processing serves
• where the data is stored locally
• which storage period the respective data is subject to, or which deletion periods exist in this respect.

In the following step, the auditors record whether cookies are used for the product, what purpose they have, by whom cookie content is provided, how a cookie is structured, what lifetime it has and in which category it falls.

The aspect of third parties is then documented. Many companies, especially in the digital industry, often work with sub-service providers. All service providers and the associated processes are recorded in a table.

Finally, the protection requirement class is determined. For example, health-related data types lead to a higher protection needs than cookie IDs. 

Furthermore, the auditors jointly determine the investigation method for the respective criterion. For this purpose, the auditors can choose from a range of investigation methods, such as interview, technical audit, process audit etc.

2 Evaluation

Afterwards, the current-state analysis and evaluation begins: the audit. Therefore, auditors prepare the evaluation report.

Congruent with the previously determined test objects and the applied

determination method, the evaluation report is documented by both auditors based on the documents and information determined in the previous phases. In addition, the lead auditor prepares a short report to summarize the essential results. At the end, the short report is published on the website of ePrivacycert GmbH.

3 Results

In the next step, the head of the certification body will carry out the mandatory validation of the results found by the auditors. She/he is responsible for assessing the certifiability and is checking the results from the previous investigation phase for compliance with the certification requirements. If the responsible person concludes that the certificate is to be granted, this decision is documented by him. 

4 Decision

At the end, the head of the certification body makes the actual certification decision, which must be documented:

• the granting of the certificate
• a possible expansion
• a limitation
• the suspension or
• the redemption of the certificate

The certificate is usually awarded for three years. The head of the certification body informs the applicant about the decision and initiates the publication of the certificate. 

5 Authorisation 

At the same time, the certificate is issued and sent to the applicant. The certificate is also published publicly on the website. Furthermore, the applicant is granted the rights to use the certificate and the quality seal.

6 Review + Monitoring

The certification agreement between ePrivacycert GmbH and the applicant, includes a future review of the results of the evaluation by the auditors. The review needs to be repeated two times within the certified cycle.