Certification Schemes: Processors
EuroPriSe’s certification scheme for processors has been designed specifically for processors within the meaning of Art. 4(8) GDPR. Any company that carries out processing operations as a processor within the meaning of the GDPR can apply for certification under this scheme.
The German national accreditation body and the competent supervisory authority, respectively, have approved the scheme, including the certification criteria prepared for it. The administrative procedures aimed at approval of the criteria by the European Data Protection Board (EDPB) for the entire European Union and at accreditation as a certification body for the scheme are already underway and will be completed in the near future.
Certification under this scheme is the perfect tool to demonstrate to your customers (controllers) that you provide sufficient guarantees as required by Art. 28(1) GDPR.
Certification Schemes for Processors
Learn more about:
Certification Criteria for Processors
- Requirements from a legal perspective
- Technical and organisational measures
- Rights of the data subjects
Download the EuroPriSe criteria for processors v3.0:
Valid since Oct. 7, 2022 (date of approval by the competent supervisory authority)
- specifies and documents the identified certification object (target of evaluation – ToE),
- performs a data protection specific risk analysis and documents the results, and
- conducts so-called maturity assessments and documents the results.
The processor formally applies for certification and submits all relevant documents. If all requirements are met, the certification body approves the application.
The certification body concludes a certification agreement with the processor.
An evaluation team of the certification body carries out the legal and technical evaluation of the target of evaluation and documents the results in an evaluation report.
A review team of the certification body reviews all information and results related to the legal and technical evaluation (“four-eyes principle”).
The certification body makes the certification decision. The decision is either “passed” or “failed”. The decision is “passed” if all certification requirements are met.
If the certification decision is passed, the certification body grants certification. It documents the certification in a certificate and adds information on the certification to a register on its website (certificate list). Certification is valid for three years. Recertification is possible.
The certification body carries out surveillance activities during the period of validity of a certification. It performs regular surveillance activities without specific cause once per calendar year, except in years in which a recertification procedure is carried out. In addition, it conducts occasion-related surveillance activities in the event of any anomalies that give rise to concerns about non-compliance with the certification requirements (e.g., if it receives a complaint about the certified processing operations).
Details of the procedure are laid down in a specific document (rules of procedure for processing operations by processors). This document is not publicly available.
Complaints and appeals
Appeal is the request of the certification customer to review a decision made by the certification body with regard to the customer’s (sought) certification status.
Complaint is an expression of dissatisfaction with the activities of a certification body that awaits a response and, unlike an appeal, may be filed by any person or organisation.
For linguistic simplification and better readability, only the term “complaint” will be used below.
Complaints are to be submitted by means of a corresponding form on the website of the certification body. The complainant receives an automated acknowledgement of receipt after successfully submitting the complaint.
Upon receipt of a complaint, the certification body decides whether it is admissible (i.e., whether it relates to certification activities for which the certification body is responsible) and consequently whether it must be examined and decided on its substance. As a rule, it notifies the complainant of its decision within ten working days of receipt of the complaint.
The certification body is responsible for gathering and verifying all necessary information (as far as possible) to reach a decision on the complaint. If necessary, the certification body may request the complainant to clarify the subject of the complaint and to provide further relevant information. The duration of this phase (identification and verification of all relevant information) depends on the level of complexity of the complaint in question.
The certification body ensures that the decision resolving the complaint is made or reviewed and approved by persons who are not or have not been involved in the certification activities related to the complaint.
To ensure that there is no conflict of interest, personnel of the certification body who have provided consultancy for a customer, or been employed by a customer, shall not be used by the certification body to review or approve the resolution of a complaint for that customer within two years following the end of the consultancy or employment.
Whenever possible, the certification body gives formal notice of the outcome and the end of the complaint process to the complainant.
The certification body takes any subsequent action needed to resolve the complaint.
The certification body records and tracks complaints, as well as actions undertaken to resolve them. In the event of justified complaints, the certification body informs the competent data protection supervisory authority.