Blog details

GDPR-CARPA certification mechanism adopted by CNPD

GDPR-CARPA certification mechanism adopted by CNPD

Luxembourg adopted the GDPR-CARPA verification mechanism  becoming the first country to introduce a certification mechanism under the GDPR.


The National Data Protection Commission of Luxembourg (CNPD) adopted its GDPR-CARPA (Certified Assurance-Report based Processing Activities) certification mechanism last month. This will be known as the first certification mechanism under the GDPR to be adopted on a national and international level. Companies and other organisations established in Luxembourg now have the opportunity to demonstrate that their data processing activities comply with the GDPR. This provides a high level of compliance to the regulation to controllers and processors for their data processing activities which are  covered by the certification. This GDPR certification mechanism does not certify an organisation but rather specific processing operations.


The certification in personal data protection Was developed with the help of professional auditors, and also reviewed by the EDPB.


The CNPD, as owner of this certification mechanism, will accredit the entities that will issue the GDPR certification. The accreditation criteria was developed by the CNPD, after numerous exchanges the CNPD has had with audit professionals since the GDPR came into effect in 2018. The accreditation is based on ISAE 3000 (audit), ISCQ1 (quality control of auditing organisations) and ISO 17065 (licensing of certification entities). The accreditation criteria highlights the work done by the certification entity and the professional auditors. After the CNPD released its first version of this certification mechanism, other European data protection authorities examined the criteria under the consistency mechanism and the EDPB then issued a formal opinion on GDPR-CARPA. In general, the CNPD has been a driving force behind the progress made by the EDPB in the field of certification. The authority has acted as rapporteur for the adopted guidance or as a help to the EDPB in issuing formal opinions on this novel subject.


The implementation of the GDPR-CARPA certification mechanism will help build trust in the processing of the personal data covered by this mechanism.


The implementation of a certification mechanism can help promote transparency and compliance to the GDPR. It can also help data subjects to feel assured in the degree of protection offered by products, services, processes or systems used or being offered by the organisations that process their personal data. A unique feature of the CNPD certification mechanism is that it is based on a ISAE 3000 Type 2 report, with the auditor being formally responsible for the implementation of the control mechanism. This offers a guarantee of a high level of confidence, which is key in having the relevant actors and data subjects to build trust in the processing of any personal data covered by this certification scheme.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Prev post
Data sharing for charities: guidance from CNIL
June 28, 2022
Next post
AI regulatory sandbox: pilot program launched
July 5, 2022

Leave a Comment