The CNPD adopts the certification mechanism GDPR-CARPA

27 June 2022

Luxembourg becomes the first country to introduce a certification mechanism according to the GDPR criteria.

The National Data Protection Commission (CNPD) has adopted its certification mechanism GDPR-CARPA on 13th May 2022. GDPR-CARPA is the first certification mechanism to be adopted on a national and international level under the GDPR (General Data Protection Regulation).

A launching conference will take place on 28th June 2022 at 14h00. More information on the conference is available on the CNPD website


Certification in personal data protection

Companies, public authorities, associations and other organizations established in Luxembourg now have the possibility to demonstrate that their data processing activities comply with the GDPR. GDPR-CARPA hence offers a high level of compliance to the regulation to controllers and processors for their data processing activities covered by the certification.

The implementation of a certification mechanism can promote transparency and compliance to the GDPR, and allow data subjects to better gauge the degree of protection offered by products, services, processes or systems used or offered by the organizations that process their personal data. The GDPR certification mechanism does not certify an organization but rather specific processing operations.


GDPR-CARPA: the first certification mechanism under the GDPR

To date the CNPD is the only European supervisory authority to have developed a GDPR certification mechanism. As the entity that has developed theses certification criteria, the CNPD is the owner of the certification mechanism.

The numerous exchanges the CNPD has had with audit professionals since the GDPR came into effect in 2018 has helped to determine the value of, as well as the type of GDPR certification that could be useful in the Luxembourgish ecosystem. In concertation with these actors, the CNPD developed a first version of its certification mechanism. Thereafter, the other European data protection authorities have examined these criteria under the consistency mechanism and the European Data Protection Board (EDPB) then issued its formal opinion on GDPR-CARPA.

On the European level, the CNPD has been a driving force behind the progress made by the EDPB in the field of certification, notably as rapporteur for the adopted guidance or as a help to the EDPB in issuing formal opinions on this novel subject.


Unique feature of the GDPR-CARPA certification mechanism

In Luxembourg, the CNPD accredits the entities that will issue the GDPR certification. The accreditation criteria for these certification bodies developed by the CNPD, in regards to GDPR-CARPA, are based on ISAE 3000 (audit), ISCQ1 (quality control of auditing organizations) and ISO 17065 (licensing of certification entities). These accreditation criteria frame the work done by the certification entity and the professional auditors.

The unique feature of the CNPD certification mechanism is the fact that it is based on a ISAE 3000 Type 2 report that allows for the issuing of an opinion on the correct implementation of the control mechanism, while the auditor is formally held responsible.

This guarantees a high level of confidence, a key factor in having the relevant actors and most of all the data subjects to build trust in the processing of personal data covered by the certification scheme.


The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.