A certification under the GDPR (DSGVO) must, at a minimum, meet
- the requirements of DIN EN ISO/IEC 17065 (programme type 6), and
- the minimum requirements of the Data Protection Conference (DSK) (version 1.8 of 16.04.2021).
Depending on the processing operation, further specific requirements may apply. Only processing operations can be certified, not organisations.
Who is eligible for certification?
In principle, certification attests that, at a given point in time, the processing is carried out in compliance with data protection law.
Certification enables companies to demonstrate that established processing operations comply with Articles 5, 6, 25, 28, 30, 32, 33, 34 and 35 of the GDPR and that the rights of the data subjects are safeguarded. Furthermore, the certification includes verification that any transfer of data to third countries is carried out in a legally compliant manner. In principle, all processing operations can be certified. Certification is particularly recommended where one or more processors, and possibly their subcontractors, are involved.
A preliminary audit provides certainty
It is advisable to have the relevant processes audited before initiating a certification procedure, in order to avoid unpleasant surprises during the certification itself. In addition, the written audit report can be submitted to the certification body as supporting documentation, which shortens and simplifies the procedure.