Certification Schemes: Processors
EuroPriSe’s certification scheme for processors has been designed specifically for processors within the meaning of Art. 4(8) GDPR. Any company that carries out processing operations as a processor within the meaning of the GDPR can apply for certification under this scheme.
The national accreditation body for Germany respectively the competent supervisory authority have approved the scheme, including the certification criteria prepared for it. The administrative procedures aimed at approval of the criteria by the European Data Protection Board (EDPB) for the entire European Union and accreditation as certification body for the scheme are already underway and will be completed in the near future.
Certification under this scheme is the perfect tool to demonstrate to your customers (controllers) that you provide sufficient guarantees as required by Art. 28(1) GDPR.
Certification Schemes for Processors
Learn more about:
Certification Criteria for Processors
- Requirements from a legal perspective
- Technical and organisational measures
- Rights of the data subjects
Approval on EU level is pending.
Download the EuroPriSe criteria for processors v3.0:
Valid since Oct. 7, 2022 (date of approval by the competent supervisory authority)
Gültig seit 07. Okt. 2022 (Datum der Genehmigung durch die zuständige Aufsichtsbehörde)
Certification Procedure
- specifies and documents the identified certification object (target of evaluation – ToE),
- performs a data protection specific risk analysis and documents the results, and
- conducts so-called maturity assessments and documents the results.
Training providers interested in training legal and technical data protection experts on how to conduct a maturity assessment are welcome to contact us about licensing:
The processor formally applies for certification and submits all relevant documents. If all requirements are met, the certification body approves the application.
The certification body concludes a certification agreement with the processor.
An evaluation team of the certification body carries out the legal and technical evaluation of the target of evaluation and documents the results in an evaluation report.
A review team of the certification body reviews all information and results related to the legal and technical evaluation (“four-eyes-principle”).
The certification body makes the certification decision. The decision is either “passed” or “failed”. The decision is “passed” if all certification requirements are met.
If the certification decision is passed, the certification body grants certification. It documents the certification in a certificate and adds information on the certification to a register on its website (certificate list). Certification is valid for three years. Recertification is possible.
The certification body carries out surveillance activities during the period of validity of a certification. It performs regular surveillance activities without cause once per calendar year, with the exception of years in which a recertification procedure is implemented. In addition, it conducts occasion-related surveillance activities in the event of any anomalies that give rise to fears of non-compliance with the certification requirements (e.g., if it receives a complaint about the certified processing operations).
Details of the procedure are regulated in a specific document (rules of procedures for processing operations by processors). This document is not publicly available.
Complaints and appeals
Appeal is a request by a certification customer to the certification body to reconsider a decision it has made regarding the object of certification.
Appeals are to be submitted by the certification customer (appellant) using a corresponding form on the website of the certification body (see below). The appellant will receive an automated acknowledgement of receipt after successfully submitting the appeal.
Upon receipt of an appeal, the certification body decides whether it is admissible (i.e., whether it relates to certification activities for which the certification body is responsible) and consequently whether it must be examined and decided on its substance. As a rule, it notifies the appellant of its decision within ten working days of receipt of the appeal.
The certification body ensures that the decision resolving the (admissible) appeal is made or reviewed and approved by persons who are not or have not been involved in the certification activities related to the appeal. These persons must meet the competence criteria established by the certification body for the appeals function.
To ensure that there is no conflict of interest, personnel of the certification body who have provided consultancy for a customer, or been employed by a customer, shall not be used by the certification body to review or approve the resolution of an appeal for that customer within two years following the end of the consultancy or employment.
The certification body is responsible for gathering and verifying all necessary information (as far as possible) to reach a decision on the appeal. If necessary, the certification body may request the appellant to clarify the subject of the appeal and to provide further relevant information. The duration of this phase (identification and verification of all relevant information) depends on the level of complexity of the appeal in question.
If the appeal is justified, the certification body takes any subsequent action needed to resolve the appeal.
The certification body gives formal notice of the outcome and the end of the appeal process to the appellant.
In the event of justified appeals, the certification body informs the competent data protection supervisory authority.
The certification body records and tracks appeals, as well as actions undertaken to resolve them.
Complaint is an expression of dissatisfaction with the activities of a certification body that awaits a response and, unlike an appeal, may be filed by any person or organisation.
Complaints are to be submitted by the complainant using a corresponding form on the website of the certification body (see below). The complainant will receive an automated acknowledgement of receipt after successfully submitting the complaint.
Upon receipt of a complaint, the certification body decides whether it is admissible (i.e., whether it relates to certification activities for which the certification body is responsible) and consequently whether it must be examined and decided on its substance. As a rule, it notifies the complainant of its decision within ten working days of receipt of the complaint.
The certification body ensures that the decision resolving the (admissible) complaint is made or reviewed and approved by persons who are not or have not been involved in the certification activities related to the complaint.
To ensure that there is no conflict of interest, personnel of the certification body who have provided consultancy for a customer, or been employed by a customer, shall not be used by the certification body to review or approve the resolution of a complaint for that customer within two years following the end of the consultancy or employment.
The certification body is responsible for gathering and verifying all necessary information (as far as possible) to reach a decision on the complaint. If necessary, the certification body may request the complainant to clarify the subject of the complaint and to provide further relevant information. The duration of this phase (identification and verification of all relevant information) depends on the level of complexity of the complaint in question.
If the complaint is justified, the certification body takes any subsequent action needed to resolve the complaint.
Whenever possible, the certification body gives formal notice of the outcome and the end of the complaint process to the complainant.
In the event of justified complaints, the certification body informs the competent data protection supervisory authority.
The certification body records and tracks complaints, as well as actions undertaken to resolve them.
