Europrivacy Criteria

The Europrivacy certification scheme has defined a comprehensive set of detailed, fact-based criteria to minimise the risk of subjectivity when assessing conformity. All criteria are maintained and kept up to date by the European Centre for Certification and Privacy (ECCP) and its Europrivacy International Board of Experts.
A specific methodology and criteria format have been developed for this purpose.
The criteria comprehensively cover the European General Data Protection Regulation (GDPR) and, where applicable, complementary requirements, including:
- the identification of the personal data processed, including the identification of any special categories of data, if applicable;
- compliance with the requirements for the information on data processing provided to data subjects, including:
  - ease of access and understandability;
  - a clear purpose for the personal data collection;
  - the Data Controller’s privacy policy;
  - the data subjects’ rights, including the right to access, rectify or erase personal data, to object to data processing, to request a restriction of such processing, to withdraw consent, and to data portability;
  - information on the Data Controller and, if applicable, on the Data Processors;
  - lawfulness of processing and, where applicable, compliance with the “Prior Informed Consent” requirements, including a clear indication of the purpose for collecting data, or alternatively the existence of another legal basis for processing personal data (such as a legal mandate given to a public administration);
  - compliance with the requirements regarding minors;
  - compliance with the principle of personal data minimisation by design and by default;
  - compliance with the principle of transparency as specified by the GDPR, which requires that any information and communication relating to the processing of personal data be easily accessible and easy to understand, and that clear and plain language be used;
- the personal data flow analysis, including Data Processor and cross-border data transfer issues, ensuring that:
  - personal data are adequately protected when transferred to a third country (e.g. on the basis of adequacy decisions, appropriate safeguards, etc.);
  - appropriate safeguards are provided by Controllers or Processors not established in the EU that receive personal data from EU-based organisations;
- the personal data life cycle and the minimisation of personal data retention periods;
- the effective implementation of the data subjects’ rights, including:
  - the right to access, rectify or erase personal data;
  - the right to object to data processing or to request a restriction of such processing;
  - the right of the user to withdraw his/her consent;
  - the right to data portability;
- the presence and conformity of indirect data collection, such as cookies and/or automated profiling;
- the implementation of suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests in the context of automated individual decision making;
- the security, effective protection and integrity of the collected data, such as:
  - use of backup solutions;
  - use of firewall and antivirus solutions;
  - use of trustworthy access control mechanisms for the data (whether physical or remote), defined around roles and responsibilities;
  - use of trustworthy encryption protocols;
  - use of trustworthy authentication mechanisms;
  - use of a data protection by design approach;
- the implementation by the Controller of appropriate technical and organisational measures to protect data, including:
  - clear roles and responsibilities;
  - the designation of a Data Protection Officer (DPO) with:
    - adequate qualification (ability);
    - the required autonomy of action and direct access to management;
    - effectiveness of action (demonstrated activity and action);
    - involvement in all issues relating to the protection of personal data;
  - ensuring that any natural person acting under the Controller’s authority does not process data except on the Controller’s instructions;
  - a procedure to record all data breaches in an internal register and to inform supervisory bodies without undue delay, and within 72 hours of becoming aware of any personal data breach (unless it is unlikely to result in a risk for the data subject);
  - a procedure to communicate a personal data breach to the data subject(s) without undue delay, where the breach is likely to result in a high risk to the rights and freedoms of natural persons;
  - where applicable, such as for potentially risky data processing, a Data Protection Impact Assessment (DPIA) performed with the DPO, and consultation of the supervisory authorities prior to processing data if the DPIA has indicated a high risk;
  - ensuring that Controllers (and, where applicable, their representatives) maintain written records of processing activities;
  - for Controllers not established in the EU, the obligation to designate in writing a representative established in one of the Member States;
- if Data Processors are used, the procedures and agreements in place enabling the Controller to ensure that its Processors provide sufficient guarantees to implement appropriate technical and organisational measures, including:
  - the existence of a written contract and contractual obligations with all Processors, covering the Data Processor’s obligations;
  - that the Processor shall implement appropriate technical and organisational measures to ensure appropriate security of processing;
  - that the Processor shall not engage another Processor without prior written authorisation from the Controller;
  - that the Processor shall not process personal data except on instructions from the Controller;
  - that the Processor (and its representatives) shall cooperate with Supervisory Authorities;
  - that the Processor shall ensure that any natural person acting under its authority does not process data except on the Controller’s instructions;
  - that the Processor shall inform the Controller without undue delay after becoming aware of any personal data breach;
  - that the Processor shall comply with the conditions laid down in Chapter V of the GDPR to ensure that personal data are adequately protected when transferred to a third country;
  - that the Processor shall be liable for the damage caused by non-compliant processing only where it has not complied with the obligations of the GDPR specifically directed to Processors (see above), or where it has acted outside or contrary to the lawful instructions of the Controller;
- where included in the agreed scope, complementary national and/or domain-specific normative requirements and criteria.