Site Search

Loading Results

News - Certification mechanism "GDPR-CARPA" in Luxembourg goes live.

The CNPD announced on the 8th June 2022 the adoption of its certification mechanism GDPR-CARPA.

What is "GDPR-CARPA"?

"GDPR-CARPA" is the first (and, so far, only) certification mechanism to be adopted on a national and international level under the General Data Protection Regulation ("GDPR").

The certification mechanism has been drafted by the Luxembourg data protection authority (the "CNPD") and has been reviewed by the European Data Protection Board ("EDPB") who gave its opinion.

What is the aim of such certification?

The certification is expressly mentioned in the GDPR and is designed to provide data controllers and processors with a high level of GDPR compliance and assurance that they apply technical and organizational measures to comply with their GDPR obligations. 

GDPR-CARPA does not certify the security of processing within its scope, but rather focuses on the responsibility of controllers/processors who must implement a governance system allowing them to define and implement information security management measures for the processing activity within its scope.

In short, certification helps to demonstrate that controllers and processors’ processing operations comply with GDPR requirements based on good governance practices.

What can be certified?

Only data processing operations can be certified (e.g. a company could certify a data processing operation linked to the products/services it is selling).

Only data controllers and processors established in Luxembourg, under the supervision of the CNPD, can request GDPR-CARPA certification.

What are the criteria to be certified?

This is the core of the GDPR-CARPA certification. It contains certification criteria that must be met by an organisation wishing to have some of its data processing operations certified.

How long is a GDPR-CARPA certificate valid for?

A certificate is valid for 3 years (renewable), subject to a successful annual full audit.

Interested to have more information and see how we can assist?

Do not hesitate to contact our team if you want to have more information on the certification mechanism and how we can assist.

The CNPD is also organising a launching conference that will take place on the 28th June 2022 (more information here). 

Contact us

Audrey Rustichelli

Deputy Managing Partner, Avocat à la Cour au Barreau de Luxembourg, PwC Legal

Tel: +352 26 48 42 35 98

Linkedin Follow Email

Nicolas Hamblenne

Counsel, Avocat à la Cour au barreau de Luxembourg, PwC Legal

Tel: +352 26 48 42 35 58

Linkedin Follow Email
Follow us
About us Expertise Our team Media Centre Careers Reach us

© 2019 - 2024 PwC. All rights reserved. “PwC Legal” refers to PwC Legal, SARL, an independent law firm registered at the Luxembourg Bar, member of the PwC Network. PwC Legal is a member firm of PricewaterhouseCoopers International Limited («PwC IL»), each member firm of which is a separate legal entity. Please see www.pwc.com/structure for further details.