GDPR-CARPA stands for GDPR-Certified Assurance-Report based Processing Activities certification mechanism.

It is developed by the Commission Nationale pour la Protection des Données (the ‘CNPD’) in Luxembourg with the objective to provide the data controllers and/or data processors with a reasonable assurance that they have set up, implemented and that they are operating technical and organisational measures to comply with the GDPR for the processing activities in scope of the certification.

The GDPR-CARPA certification scheme is a voluntary process to assist controllers and/or processors in supporting their demonstration of compliance with the GDPR to other businesses, to a supervisory authority or to the data subjects, meaning that they demonstrated the existence and implementation of appropriate measures for the protection of personal data as required by the GDPR.

The assessment leading to the certification needs to be based on an assurance report that is to be executed according to the ISAE 3000 standard. The International Standard on Assurance Engagements (ISAE) has been developed by the International Auditing and Assurance Standards Board (IAASB) and deals with assurance engagements other than audits or reviews of historical financial information.


Grant Thornton Audit and Assurance as a certification body

Grant Thornton Audit and Assurance S.A., Luxembourg (“GTAA”) is accredited by the CNPD to be a certification body eligible to perform GDPR-CARPA certification assessments and issue GDPR certificates following the completion of an ISAE 3000 assurance engagements for the test of design and test of operational effectiveness.


GDPR-CARPA certification criteria

GTAA will perform the certification assessment against using the GDPR-CARPA criteria developed by the CNPD as a benchmark.

The CGPR-CARPA certification criteria as published by the supervisory authority could be consulted on the CNPD’s website.


Validity of the GDPR-CARPA certification

The initial GDPR certificate:

  • Is valid for a period that equals the period covered by the ISAE 3000 assurance engagement (minimum 6 months, and maximum 1 year);
  • Is valid from the date starting on the first day following the end of the period under review (Example: if the reviewed period was 1 January 2020 to 31 December 2020, the GDPR certificate is valid from 1 January 2021 through 31 December 2021)

A GDPR certificate could be renewed for up to 3 years, subject to:

  • Every year (at the ISAE 3000 engagement anniversary) GTAA performs a new ISAE 3000 assurance engagement for the same scope of processing activities covered by the initial GDPR certificate;
  • Each assurance audit ends up with a positive certification decision;
  • Should any of the subsequent assurance audits from the maximum 3-year period end up with a negative decision, the GDPR certificate could be suspended, reduced, terminated or withdrawn.

Example: a GDPR certificate with a total validity of 3 years, period covered by the ISAE3000 assurance engagements is 12 months (starting 1 January).


Certification procedure

For more information on how the certification procedure is organised, please consult the following documents:


Directory of certified processing activities

Information on all GDPR-CARPA certifications issued by GTAA shall be made available in the directory of certified processing activities in the section below.

Executive summary of certification decision documentation for each certification decision made by GTAA shall be made available in the section below.


Disclaimer about the auditor’s responsibility

This GDPR-CARPA assurance engagement involves performing procedures to obtain evidence about the level of data protection compliance of the Client’s processing activities in scope. The evaluation procedures selected depend on the judgement of the practitioner, including the assessment of the risks of material misstatement of the processing operations.

Because of the test nature and other inherent limitations of the practitioner’s engagement, together with the inherent limitations of any control system, there is an unavoidable risk that even some material misstatements may remain undiscovered despite a reasonable conduct of the GDPR-CARPA assurance engagement and for which the practitioner may not be held liable in any circumstance.

The issued ISAE 3000 report and the GDPR-CARPA certification do not constitute assurance as to the future compliance of the Client with the applicable data protection laws after the period covered by the valid certification. The Practitioner is not liable for any loss or damage caused by, or arising from, any fraudulent acts, misrepresentation or willful default on the part of the Client, its managers, employees or agents.

Our GDPR-CARPA Certification Process

GDPR-CARPA Rights and duties for applicants

GDPR-CARPA Certification: Learn more about the procedure on the description of the rights and duties of applicants and clients

GDPR-CARPA Complaints and Appeals

GDPR-CARPA Certification: Learn more about the procedure on the filing of formal appeals and complaints with regards to the certification evaluation process

GDPR-CARPA Financial sources and fees

GDPR-CARPA Certification: Learn more about the financial sources and fees of Grant Thornton Audit & Assurance

GDPR-CARPA Evaluation approach

GDPR-CARPA Certification: Learn more about the step-by-step approach defined by Grant Thornton Audit & Assurance

Granting, validity, monitoring, renewal, suspension and withdrawal

Learn more about Grant Thornton Audit & Assurance issuance, review, renewal or withdrawal of GDPR certification against the GDPR-CARPA criteria approved by the Commission Nationale pour la Protection des Données (CNPD)

Hugues Wangen
Partner, Audit & Assurance
Hugues Wangen