Scheme for IT Products and IT based Services
“Certification of IT products and IT-based services according to EuroPriSe”. Any manufacturer or vendor of an IT product as well as any organisation carrying out IT-based processing operations as a controller within the meaning of the GDPR can apply for certification under this scheme.
Manufacturers and vendors of IT products and providers of IT-based services can have their products and services certified according to this scheme.
Currently, the scheme covers the following scenarios:
- Certification of IT products that are meant to be used by a multitude of buyers: In this scenario, the product itself (e.g., a piece of software) forms the target of evaluation, whereas any concrete use of the product by any customer is out of scope. A product may be awarded the EuroPriSe seal if it facilitates its privacy-compliant use by means of privacy-friendly default settings, meaningful documentation etc.;
- Certification of IT-based services with service providers being controllers within the meaning of Article 4(7) GDPR: In this scenario, the service (e.g., an internet search engine) as it is made available by the service provider forms the target of evaluation. It may be awarded the EuroPriSe seal if all data processing that is related to the provision of the service is in line with EU data protection law.
Note that this certification scheme does not qualify as an approved certification mechanism in the meaning of Art. 42 f. GDPR. IT products as such are generally not covered by the scope of application of Art. 42 f. GDPR.
Frequently Asked Questions
IT products suitable for certification are products which are meant to be used by a multitude of customers (buyers) and whose use results in the IT-based processing of personal data.
Basically, the following types of IT products are to be distinguished:
- Hardware products such as a hardware firewall or an external hard disk which provides for proper encryption of data; and
- Software products such as a database application, a software module for the obfuscation of video data or an age verification module to be used with cigarette vending machines. The notion of software products includes mobile apps. However, software that is provided as software as a service (SaaS) qualifies, as a whole, as an IT-based service rather than as an IT product.
Services suitable for certification are services that are provided with the assistance of information technology. Services may be provided free of charge or be subject to remuneration. In terms of information technology used, services may be provided “offline” or require a connection to the Internet. Typical examples of the latter are web-based services such as online banking services, search engines, or services that consist of the hosting of mail servers by data centres. A special subset of web-based services suitable for certification are cloud-based services such as IaaS (Infrastructure as a Service), PaaS (Platform as a Service) or SaaS (Software as a Service). The notion of IT-based service includes services related to Big Data and the Internet of Things (IoT).
The EuroPriSe Criteria for IT products and IT-based services consist of the following four sets: