GDPR-CARPA stands for GDPR-Certified Assurance-Report based Processing Activities certification mechanism.
It was developed by the Commission Nationale pour la Protection des Données (the ‘CNPD’) in Luxembourg with the objective of providing data controllers and/or data processors with reasonable assurance that they have designed, implemented and are operating technical and organisational measures to comply with the GDPR for the processing activities in scope of the certification.
The GDPR-CARPA certification scheme is a voluntary process that assists controllers and/or processors in demonstrating their compliance with the GDPR to other businesses, to a supervisory authority or to data subjects: a certification shows that they have demonstrated the existence and implementation of appropriate measures for the protection of personal data, as required by the GDPR.
The assessment leading to the certification must be based on an assurance report resulting from an engagement performed in accordance with the ISAE 3000 standard. The International Standard on Assurance Engagements (ISAE) was developed by the International Auditing and Assurance Standards Board (IAASB) and deals with assurance engagements other than audits or reviews of historical financial information.
Grant Thornton Audit and Assurance as a certification body
Grant Thornton Audit and Assurance S.A., Luxembourg (“GTAA”) is accredited by the CNPD as a certification body eligible to perform GDPR-CARPA certification assessments and to issue GDPR certificates following the completion of an ISAE 3000 assurance engagement covering both the test of design and the test of operating effectiveness of the measures in scope.
GDPR-CARPA certification criteria
GTAA performs the certification assessment using the GDPR-CARPA criteria developed by the CNPD as the benchmark.
The GDPR-CARPA certification criteria, as published by the supervisory authority, can be consulted on the CNPD’s website.
Validity of the GDPR-CARPA certification
The initial GDPR certificate:
- Is valid for a period equal to the period covered by the ISAE 3000 assurance engagement (minimum 6 months, maximum 1 year);
- Is valid from the first day following the end of the period under review (example: if the reviewed period was 1 January 2020 to 31 December 2020, the GDPR certificate is valid from 1 January 2021 through 31 December 2021).
A GDPR certificate can be renewed for a total validity of up to 3 years, subject to the following:
- Every year (at the anniversary of the ISAE 3000 engagement), GTAA performs a new ISAE 3000 assurance engagement for the same scope of processing activities covered by the initial GDPR certificate;
- Each assurance engagement results in a positive certification decision;
- Should any of the subsequent assurance engagements within the maximum 3-year period result in a negative decision, the GDPR certificate may be suspended, reduced in scope, terminated or withdrawn.
Example: a GDPR certificate with a total validity of 3 years, where the period covered by each ISAE 3000 assurance engagement is 12 months (starting 1 January).
For more information on how the certification procedure is organised, please consult the following documents:
- Certification evaluation procedure
- Rules and procedure for granting, maintaining, extending or reducing the scope of certifications, as well as their suspension, withdrawal or refusal
- Procedures for handling complaints and appeals about infringements of the certification or the manner in which the certification has been, or is being, implemented by the controller or processor pursuant to Article 43(2) of the GDPR
- Description of the rights and duties of applicants and clients in the certification process, including requirements, restrictions or limitations on the use of the certification body’s name and the CNPD’s certification mark, and on the ways of referring to the certification granted
- A description of the means by which GTAA obtains financial support and general information on the fees charged to applicants and to clients
Directory of certified processing activities
Information on all GDPR-CARPA certifications issued by GTAA is made available in the directory of certified processing activities in the section below.
An executive summary of the certification decision documentation for each certification decision made by GTAA is made available in the section below.
Disclaimer about the auditor’s responsibility
A GDPR-CARPA assurance engagement involves performing procedures to obtain evidence about the level of data protection compliance of the Client’s processing activities in scope. The evaluation procedures selected depend on the judgement of the practitioner, including the assessment of the risks of material misstatement of the processing operations.
Because of the sample-based nature of testing and the other inherent limitations of the practitioner’s engagement, together with the inherent limitations of any control system, there is an unavoidable risk that some material misstatements may remain undiscovered even though the GDPR-CARPA assurance engagement has been properly conducted; the practitioner cannot be held liable for such undiscovered misstatements in any circumstance.
The issued ISAE 3000 report and the GDPR-CARPA certification do not constitute assurance as to the future compliance of the Client with the applicable data protection laws after the period covered by the valid certification. The practitioner is not liable for any loss or damage caused by, or arising from, any fraudulent acts, misrepresentation or wilful default on the part of the Client, its managers, employees or agents.