Procedure on the description of the rights and duties of applicants and clients, including requirements, restrictions or limitations on the use of the certification body's name and the CNPD’s certification mark and on the ways of referring to the certification granted

Grant Thornton Audit and Assurance S.A., Luxembourg (“GTAA”) is responsible for and will retain authority for its decisions relating to certification, including the issuing, reviewing, renewing or withdrawing of certification.


Use of GTAA’s name, marks and logos and the data protection mark/seal of the national supervisory authority (hereinafter ‘Certification Marks’)

  • The Certification Marks can be used in a clear and transparent manner preventing any confusion or misleading communication about the scope of the certified processing activities.
  • The Certification Marks could only be used by clients incorporated in Luxembourg that are certified in accordance with the GDPR-CARPA criteria of the Commission Nationale de Protection des Données (the ’CNPD’).
  • Certified clients are authorised to use GTAA’s Certification Marks, as communicated by GTAA at the time of their valid certification and only with respect to the certified scope of processing activities. GTAA may link such authorisation to additional conditions.
  • The Certification Marks may not be altered in any way, except for alterations to their size. The client may use the Certification Marks in their entirety, without impacting the integrity of the images or related verbiage.
  • Certified clients have the right to display the Certification Marks in promotional material only if GTAA has agreed to this use in writing, throughout the validity and within the scope of the certification.
  • The Certification Marks may be used in letters and other documents to the extent that such documents relate to the certified processing activities and that GTAA has agreed to this use in writing. The same rules apply to the use of the Certification Marks in digital documents, such as websites.
  • When using the Certification Marks, it must be clear which activities do and which activities do not come under the scope of the certification. The certified client has the obligation to ensure that third parties are not misled through statements in advertisements, other promotional material or any other means. Additionally, the certified client has the obligation to ensure third parties are not confused regarding the recognition of the client as certified according to the respective certification standards pursuant to the certificate issued by GTAA.
  • When mentioning or otherwise referencing to the Certification Marks in any written or verbal form (including through electronic publication), certified clients will always mention that the data protection Certification Marks are:
    • Provided in the context of the GDPR-CARPA certification mechanism, approved by the CNPD in Luxembourg, and that
    • The certification audit was performed by GTAA.


Restrictions to the use of the Certification Marks:

  • The client is not allowed to use the Certification Marks for processing activities which for whatever reason are not part of the GDPR-CARPA certification scope. Certified clients may not assign, sublicense or otherwise transfer any rights to use the Certification Marks to any third party, and acknowledge and agree that any such attempted transfer would be void and unenforceable.
  • The client is not allowed to use the Certification Marks for its member firms, subsidiaries, or other corporate affiliates, that have not been part of the certification process and that are not subject to the certification decision of GTAA.  Upon termination of GTAA’s accreditation (for which GTAA will duly inform the certified client), the authorisation to use the Certification Marks will end.
  • The Certification Marks may only be used during that time where the certification is valid – upon temporary suspension, expiration or withdrawal of certification, the marks, logos and seals may not be used in any way and must be removed from any materials, websites, public or private pages of the client. Eventual reinstatement of the certification may renew the possibility to use the Certification Marks.


Control over the use of Certification Marks:

  • GTAA will be entitled to check the use of the certification marks and logos at any time against the rules laid down in this section and any additional conditions given at the time of certification. The certified client must render its co-operation in such checks. The following will qualify as misuse of the Certification Marks (whether found in documentation or other publicity):
    • The use of the Certification Marks by clients that do not have a permission or valid certification,
    • Incorrect references to the certification mechanism
    • Misleading use of certificates, seals or marks or any other mechanism for indicating that a processing activity is certified.
  • In the event of misuse, GTAA will take the measures available to it (depending on the nature of the misuse and the consequences), such as informing the CNPD and the public about the misuse, imposing corrective action to stop the misleading/wrong communication (thus removing the visibility of the Certification Marks), suspension or withdrawal of use of the data protection certificate, publication of the violation, or legal steps.
  • When the data protection certificate, mark and seal have not been used in compliance with the contract, legal proceedings might result in a court of law deciding what the corrective action will be.
  • In any instance of detected misuse, GTAA contacts the client as soon as reasonably possible. In case of corrective action, GTAA will also send to the client a registered letter (or equivalent) with a copy sent to the CNPD. This notification contains:
    • The reasons for the corrective action,
    • The actions to be taken by the client to resolve the issue, and
    • A request for a statement from the client formalising the engagement to perform the actions to be taken to ensure that the data protection certificate, mark or seal is not applied to any ineligible processing activities.


Any questions with respect to this procedure should be addressed to:

Hugues Wangen
Partner, Audit & Assurance
Hugues Wangen