Submit a request for approval of certification criteria to the HDPA

The certification scheme owner [1] may submit a request to the HDPA for approval of certification criteria under Article 42(5) and Article 43(2)(b) GDPR. The request can be submitted electronically by filling in the relevant electronic form, in general after logging in to the HDPA online portal using taxisnet credentials or, exceptionally, by e-mail (if, for any documented reason, logging in as described above is not possible).

Logging in to the HDPA online portal by using the taxisnet credentials is performed by a certification scheme owner with an establishment in Greece who has the credentials in question. Relevant information on logging in and submitting a request for approval of certification criteria in Greek is available here.

Please note that in case the certification scheme owner is also a certification body that intends to submit a request for accreditation to the National Accreditation System (ESYD) in relation to the operation of the certification scheme, accreditation will not be granted until final approval is given by the HDPA for the certification criteria.

In case the certification scheme owner does not have taxisnet credentials to log in to the HDPA online portal, he/she may submit the request for approval of certification criteria in English by e-mail.

In this case, please follow the steps outlined below:

  1. Fill in all required fields in the following controller/processor/body request form.

Controller/processor/body application form (docx / pdf).

  2. Fill in the category of request in the above form by clicking on "3. Approval of certification criteria (Art. 42(5))".
  3. Send an e-mail to contact@dpa.gr with the subject "Submit a request for approval of certification criteria to the HDPA", attaching the following:
    1. The above form, completed.
    2. One or more files (preferably in Word format) that include the certification criteria submitted for approval.
      In case a request for approval by the European Data Protection Board (EDPB) of criteria relating to a European Data Protection Seal is submitted through the HDPA as the competent supervisory authority, the certification scheme owner must clearly state his/her intention to use the joint certification criteria as the basis for a certification mechanism addressed to controllers and processors in all Member States.
    3. One or more files (preferably in Word format) that clearly describe and explain how account has been taken of each question in the list of questions below, which is provided for in EDPB Guidelines 1/2018.
    4. An outline of the reasons for submitting the request for approval of certification criteria in this way rather than through the HDPA online portal.

List of questions to be taken into account in adopting certification criteria (based on EDPB Guidelines 1/2018)

The following questions must be taken into account by certification scheme owners and certification bodies wishing to adopt criteria and submit them for approval. The list is not exhaustive, but sets out the key issues to be considered. Justification of the reasons for which the certification criteria do not cover specific aspects of these questions may be needed.

The application file for approval of certification criteria submitted to the HDPA by the certification scheme owner concerned must also contain a detailed table addressing each of the following questions and indicating the specific parts of the documents in the file where the relevant replies are given. In addition, any failure to reply, in whole or in part, must be justified, as mentioned above.

Scope of the certification mechanism and objective of the evaluation

  1. Is the scope of the certification mechanism (for which data protection criteria will be used) clearly described?
  2. Is the scope of the certification mechanism useful, and not misleading, for the intended audience?
  3. Does the scope of the certification mechanism reflect all relevant aspects of processing operations?
  4. Does the scope of the certification mechanism make it possible to provide meaningful data protection certification, taking into account the nature, content, and risk of relevant processing operations?
  5. Does the scope of the certification mechanism cover personal data processing in the relevant country of implementation or does it cover cross-border processing and/or data transfers?
  6. Do the certification criteria include an adequate description of the way in which the objective of the evaluation should be defined?
    • Do the criteria require that the objective of the evaluation should involve identifying all relevant processing operations, displaying data flows and specifying the area of application for the objective of the evaluation?
    • Do the criteria require the applicant to make it clear where the processing which is subject to evaluation begins and where it ends? Do the criteria require that interfaces should be included in the objective of the evaluation in which interdependent processing operations are not included as part of the objective of the evaluation? Is justification for this requirement satisfactory?
  7. Do the criteria guarantee that the (individual) objectives of the evaluation are understood by the intended audience, including data subjects, where relevant?

General requirements

  1. Are all relevant terms used in the index of criteria (i.e. the set of certification criteria) specified, explained and described?
  2. Are all normative references specified?
  3. Do the criteria include the definition of responsibilities, procedures and processing for the protection of data covered by the scope of the certification mechanism?

Processing operation, Article 42(1) GDPR

With regard to the scope of the certification mechanism (general or specific), do the criteria cover all relevant details of processing operations (data, systems and procedures)?

  1. Do the criteria require that valid legal bases for processing should be specified in relation to the objective of the evaluation?
  2. With regard to the objective of the evaluation, do the criteria recognise the relevant stages of processing, and the full life cycle of data, including their erasure and/or anonymisation?
  3. With regard to the objective of the evaluation, do the criteria require data portability?
  4. With regard to the objective of the evaluation, do the criteria make it possible to identify and standardise specific types of processing operations, e.g. automated decision-making or profiling?
  5. With regard to the objective of the evaluation, do the criteria make it possible to specify special categories of data?
  6. Do the criteria make it possible, and require, to assess, on the one hand, the risk of individual processing operations and, on the other, the need to protect the rights and freedoms of data subjects?
  7. Do the criteria make it possible, and require, to take sufficient account of the risks to the rights and freedoms of natural persons?

Lawfulness of processing

  1. Do the criteria require that the lawfulness of processing for individual processing operations should be monitored in terms of the purpose and necessity of the processing?
  2. Do the criteria require that all the requirements of a legal basis for individual processing operations should be monitored?

Principles, Article 5 GDPR

  1. Do the criteria adequately cover all data protection principles set out in Article 5?
  2. Do the criteria require that data minimisation for individual objectives of the evaluation should be demonstrated?

General obligations of controllers and processors

  1. Do the criteria require evidence for contractual agreements between processors and controllers?
  2. Are agreements between controllers and processors subject to evaluation?
  3. Do the criteria reflect the controller’s obligations under Chapter IV?
  4. Do the criteria require evidence of the review and updating of technical and organisational measures applied by the controller under Article 24(1)?
  5. Do the criteria verify that the body has assessed whether a Data Protection Officer (DPO) should be appointed, as required in Article 37? If there is a DPO, are the requirements set out in Articles 37 to 39 met?
  6. Do the criteria verify that records of processing activities are required in accordance with Article 30(5), and that the requirements set out in Article 30 are properly met?

Rights of the data subjects

  1. Do the criteria adequately examine the data subject's right to be informed, and do they require that respective measures should be applied?
  2. Do the criteria require that data subjects should have adequate or even greater access to and control of their data, including data portability?
  3. Do the criteria require that measures should be taken that allow for interference in the processing procedure so that the rights of data subjects are ensured, and rectifications, erasure or restrictions are allowed?

Risks to the rights and freedoms of natural persons

  1. Do the criteria make it possible, and require, to assess the risk to the rights and freedoms of natural persons?
  2. Do the criteria allow for, or require, a recognised risk assessment methodology? If so, is this methodology appropriate?
  3. Do the criteria make it possible, and require, to carry out an impact assessment of the envisaged processing operations on the rights and freedoms of natural persons?
  4. Do the criteria require prior consultation with regard to residual risks that could not be mitigated based on the results of the data protection impact assessment (DPIA)?

Technical and organisational measures

  1. Do the criteria require that technical and organisational measures should be applied to ensure the confidentiality of processing operations?
  2. Do the criteria require that technical and organisational measures should be applied to ensure the integrity of processing operations?
  3. Do the criteria require that technical and organisational measures should be applied to ensure the availability of processing operations?
  4. Do the criteria require that measures should be applied to ensure the transparency of processing operations with regard to
    • accountability?
    • the rights of data subjects?
    • the evaluation of individual processing operations, e.g. for algorithmic transparency?
  5. Do the criteria require that technical and organisational measures should be applied to ensure the rights of data subjects, e.g. the ability to provide information or data portability?
  6. Do the criteria require that technical and organisational measures should be applied that allow for interference in the processing operation so that the rights of data subjects are ensured, and rectifications, erasure or restrictions are allowed?
  7. Do the criteria require that measures should be applied that allow for interference in the processing operation in order to fill gaps or monitor the system or the process?
  8. Do the criteria require that technical and organisational measures should be applied to ensure data minimisation, such as, for example, dissociation or separation of data from the data subject, anonymisation or pseudonymisation, or isolation of data systems?
  9. Do the criteria require that technical measures should be taken to apply the principle of data protection by default?
  10. Do the criteria require that technical and organisational measures should be taken to apply the principle of data protection by design, e.g. a data protection management system for demonstrating, updating, monitoring and imposing data protection requirements?
  11. Do the criteria require that technical and organisational measures should be taken to provide appropriate regular training and education to the staff that have permanent or regular access to personal data?
  12. Do the criteria require review of the measures?
  13. Do the criteria require self-evaluation/internal monitoring?
  14. Do the criteria require that measures should be taken to ensure that the duty to notify a data breach is performed in due course and with the appropriate scope?
  15. Do the criteria require that data breach management procedures should be implemented and verified?
  16. Do the criteria require that ongoing issues of privacy and technology should be followed, and that the system should be updated as necessary?

Other data protection-friendly aspects

  1. Do the criteria require that techniques should be put in place to improve data protection? You could include here criteria that require enhanced data protection by eliminating or restricting personal data and/or the risk to data protection.
  2. Do the criteria require that enhanced monitoring of data subjects should be put in place to facilitate self-determination and choice?

Additional criteria for the European Data Protection Seal

  1. Do the criteria allow for coverage of all Member States?
  2. Can the criteria take into account the legislation of Member States on data protection, or scenarios in this respect?
  3. Do the criteria require an assessment of individual objectives of the evaluation in relation to the specific sectoral legislation of Member States on data protection?
  4. Do the criteria require the controller or processor to provide information to data subjects and interested parties in the languages of the Member States
    • about processing/the objectives of the evaluation?
    • about the documentation of the processing/the objectives of the evaluation?
    • about the results of the evaluation?

Overall evaluation of the criteria

  1. Do the criteria cover the full scope of the certification mechanism (i.e. comprehensive criteria) in order to provide adequate safeguards with a view to making certification reliable?
  2. Are the criteria appropriate for the size of the processing operation addressed by the scope of the certification mechanism, the sensitivity of information and the risk of processing?
  3. Is it likely that the criteria will improve data protection compliance by controllers and processors?
  4. Will data subjects benefit in relation to their rights to be informed, including an explanation of the intended results to the data subjects?


[1] Under Article 3.11 of ISO/IEC 17065, the certification scheme owner may be the certification body itself, a group of certification bodies, a public authority, a commercial association or other bodies.