European Union: European Data Protection Board publishes opinion on GDPR-CARPA certification scheme

On 2 February 2022, the European Data Protection Board (EDPB) published its first opinion regarding a national certification scheme. The opinion was published in response to a submission from the Supervisory Authority of Luxembourg on its General Data Protection Regulation Certified Assurance Report based on Processing Activities (GDPR-CARPA). The GDPR-CARPA represents a general scheme that contains specific requirements regarding data protection governance and criteria that have to be met by organisations that wish to act as processors and controllers in compliance with the GDPR. In its opinion, the EDPB outlined several changes to be implemented in the certification scheme. If adopted, the GDPR-CARPA will be included in the register of certification mechanisms and data protection seals in line with the GDPR.