Grant Thornton Audit and Assurance S.A., Luxembourg (“GTAA”) is responsible for and will retain authority for its decisions relating to certification, including the issuance, review, renewal or withdrawal of GDPR certification against the GDPR-CARPA criteria approved by the Commission Nationale pour la Protection des Données (the ‘CNPD’).


Granting a GDPR-CARPA certificate

The certification decision is taken after considering the information related to the evaluation (the fieldwork and its conclusions), its quality review and the issuance of the audit report. The certification decision is based on the evaluation documented in the ISAE3000 assurance report.

A positive certification decision is issued if the assurance report contains an unqualified opinion. In case of a qualified opinion, a positive certification decision may be issued for a reduced scope, limited to the part of the subject matter that is not affected by the qualification.

The positive certification decision is followed by the granting of a GDPR certificate.

Summarised information on the certification decisions made by GTAA (whether or not they resulted in the granting of a GDPR certificate) is published on GTAA’s website.


Validity, monitoring and renewal of the GDPR-CARPA certificate

Initial validity of the GDPR-CARPA certificate

The initial GDPR certificate:

  • Is valid for a period equal to the period covered by the ISAE3000 assurance engagement (minimum 6 months, maximum 1 year), provided that no significant changes to the certified processing activities occur during the period of validity of the certificate;
  • Is valid from the first day following the end of the period under review (example: if the reviewed period was 1 January 2020 to 31 December 2020, the GDPR certificate is valid from 1 January 2021 through 31 December 2021).

Monitoring of the GDPR-CARPA certificate

GTAA performs monitoring on the certified activities within the period of the initial certification.

For the avoidance of doubt, this monitoring is not surveillance as defined by the ISO standards. The monitoring is the annual re-performance of the assurance audit for the purpose of extending the validity by one more year within the overall three-year certification period.

A GDPR-CARPA certificate may be renewed for up to 3 years, subject to the following:

  • Yearly (at the ISAE3000 engagement anniversary), GTAA performs a new ISAE3000 assurance engagement covering the same scope of processing activities as the initial GDPR certificate;
  • Each assurance audit results in a positive certification decision;
  • Should any subsequent assurance audit within the maximum 3-year period result in a negative decision, the GDPR certificate may be suspended, reduced, terminated or withdrawn.

In practice:

Year 1: Evaluation of Year 0 and Certification for Year 1

Year 2: Evaluation of Year 1 and Certification for Year 2

Year 3: Evaluation of Year 2 and Certification for Year 3


Example: a GDPR certificate with a total validity of 3 years, where the period covered by each ISAE3000 assurance engagement is 12 months (starting 1 January):

Year 0: the first period under review (01 Jan Y0 through 31 Dec Y0)

Year 1: complete evaluation of year 0 (01 Jan Y0 through 31 Dec Y0); in case of a positive decision, GDPR certificate issued for year 1 (01 Jan Y1 through 31 Dec Y1)

Year 2: complete evaluation of year 1 (01 Jan Y1 through 31 Dec Y1); in case of a positive decision, GDPR certificate issued for year 2 (01 Jan Y2 through 31 Dec Y2)

Year 3: complete evaluation of year 2 (01 Jan Y2 through 31 Dec Y2); in case of a positive decision, GDPR certificate issued for year 3 (01 Jan Y3 through 31 Dec Y3)


During the evaluation of each subsequent year within the overall 3-year period, GTAA:

  • Completes the acceptance procedures defined above, to ensure the continued independence and impartiality of the engagement team
  • Performs the evaluation
  • Performs an independent quality review
  • Issues an assurance report and a certification decision.

When a GDPR certificate is renewed after its initial validity period, a new certification ID provided by the CNPD will be issued.


Changes affecting the certification

Changes not related to the client

Changes not related to the client may affect the GDPR certification by introducing changes to the certification mechanism itself. Such changes may originate, among others, from:

  • Amendments to the data protection legislation
  • Decisions of the EDPB
  • Adoption of delegated acts of the European Commission in accordance with Article 43(8) and 43(9) of the GDPR (related to certification mechanisms)
  • Court decisions related to data protection, etc.

In the event of such changes, the CNPD publishes the changes to the certification mechanism and communicates to the certification bodies (GTAA included) the conditions under which those changes shall be implemented, as well as a transition phase (at the end of which the implementation needs to be finalised).

Upon the occurrence of such changes, GTAA:

  1. Communicates the changes to all clients with active GDPR certificates
  2. Takes any actions required by the CNPD
  3. Prepares, together with the client, an action plan of changes to be implemented in due course to ensure compliance with the updated certification mechanism
  4. Verifies the implementation of the changes by the certified clients
  5. Plans the corresponding actions for the next planned audit.

The implementation of the changes is assessed by GTAA in the course of the next planned audit. If the client fails to implement the changes, or implements them inadequately, GTAA may, during that subsequent audit, temporarily suspend or withdraw (partially or entirely) the GDPR certificate, or issue a certification decision with a reduced scope.

Changes initiated by the client

Changes affecting the GDPR certification may also result from changes that have occurred within the client’s organisation, e.g., new information related to the fulfilment of the certification requirements obtained by GTAA after the certification has been granted.

The client has a contractual obligation to inform GTAA of any and all changes affecting the client’s certified processing activities, prior to the changes’ occurrence and, if this is not possible, immediately after the changes’ occurrence.

Upon receiving notification that changes have occurred at the client, GTAA may require further information. This may involve the completion of standard questionnaires or self-assessment forms to facilitate monitoring, the assessment of the impact of the changes, and the determination of any further actions to be taken.

For the avoidance of doubt, GTAA has no obligation to exercise constant surveillance over the client’s processing activities and changes thereto.

Upon the client’s notification of changes that affect the certification, GTAA undertakes the actions specified in the previous section.


Termination, reduction, suspension or withdrawal of the certification

Termination and actions in case of non-conformity

When non-conformities with the certification criteria are substantiated during an active GDPR certification (either as a result of an audit, or otherwise), the certification may be terminated, reduced, suspended or withdrawn.

  • A GDPR certification may be terminated prior to the expiry of its validity upon the client’s request. No prior consultation with the CNPD is required.
  • When a non-conformity with the certification requirements is substantiated (whether as a result of monitoring or otherwise), GTAA decides on the appropriate action in consultation with the CNPD. The possible actions are:
    • Continuation of the certification under conditions specified by GTAA
      • The non-conformity concerns all or some of the certified processing activities;
      • It is a minor non-conformity which does not affect the reasonable assurance provided by the ISAE 3000 Type 2 report on the design and operating effectiveness of controls; fixing the non-conformity is a process improvement;
      • Possible conditions determined by GTAA and approved by the CNPD include increased monitoring;
      • The conditions determined by GTAA are assigned a specific deadline. If the client fails to comply with the conditions within that deadline, GTAA takes one of the following actions.
    • Reduction in the scope of certification to remove the non-conforming processing activities
      • The non-conformity concerns only part of the certified processing activities;
      • The remaining processing activities are unaffected by the non-conformity and can continue independently of the non-conforming processing activities;
      • The certification scope is reduced to remove the non-conforming processing activities;
      • If a certificate has already been issued, it is reissued with a new revision ID for the same duration (i.e., ending on the same date as the initial certificate) but with the reduced scope.
    • Suspension of the certification pending remedial action by the client
      • The non-conformity concerns all certified processing activities, or the client as a whole;
      • The non-conformity is of a temporary nature and can be corrected within a reasonable fixed term (which in no case extends beyond the validity of the certificate);
      • GTAA determines the precise remedial actions to be taken by the client, and the certificate is suspended pending their completion;
      • The certificate may also be suspended in case of a pending investigation by GTAA or the CNPD;
      • GTAA communicates to the client:
        • The actions needed to end suspension and restore the certification
        • Any other actions required by the certification mechanism, if any.
      • If the non-conformity that caused the suspension is remediated by the client within the prescribed period, or if the investigation cleared the client, the suspension is lifted, and the certification remains valid;
      • The client’s failure to complete the remedial actions within the prescribed period, or an investigation that reveals non-conformities, results in a reduction of the scope or withdrawal of the certification.
    • Withdrawal of the certification
      • The non-conformity concerns all certified processing activities, or the client as a whole;
      • The client has failed to satisfy the conditions or the remedial actions specified by GTAA, or
      • The non-conformity is so grave that the above interim measures are not warranted.

GTAA performs the above re-evaluations only if the client agrees to remunerate the additional effort according to a new offer prepared by GTAA. The client’s refusal to pay for the additional evaluation, review and certification decision is treated as a refusal of monitoring and/or a refusal to rectify the non-conformity, and results in a reduction of the scope or withdrawal of the existing certification.

Procedure in case of termination, suspension, reduction or withdrawal

GTAA informs the CNPD of any decision that changes a client’s certification status or scope and provides all relevant documentation to the CNPD.

Reinstatement of GDPR certification

Reinstatement of the (full) certification is possible after:

  • Suspension, or
  • Reduction in scope.

GTAA makes the necessary modifications to the formal certification documents, public information and the authorisations to use marks, so that all appropriate indications exist that:

  • The processing activities continue to be certified, or
  • The reduced scope of certification is clearly communicated to the client and clearly specified in the certification documentation (and the updated GDPR certificate) and public information.


Any questions with respect to this procedure should be addressed to: gdpr.carpa@lu.gt.com

Hugues Wangen
Partner, Audit & Assurance