The national commission for data protection has become the first data protection authority in Europe to accredit a GDPR certification body.

On 12 October, the national commission for data protection in Luxembourg accredited an entity via its certification mechanism, GDPR-CARPA (General Data Protection Regulation-Certified Assurance Report-Based Processing Activities). This is the first mechanism to be adopted on a national and international level under the GDPR.

The European Data Protection Board’s Opinion states that certification mechanisms should enable controllers and processors to demonstrate compliance with the GDPR. The criteria should, therefore, properly reflect the requirements and principles concerning the protection of personal data as laid down in the GDPR and contribute to its consistent application.

The GDPR is a law that regulates how organizations target or collect data related to people in the European Union. Furthermore, it outlines how organizations must protect and handle data in a secure manner and details privacy rights which give individuals more control over their personal data.

With a GDPR certification, companies, public authorities, associations and other organizations can show that their data processing activities are complying with the GDPR. The implementation of the certification mechanism can promote transparency and compliance as it allows businesses and individuals to evaluate the level of protection offered by products, services, processes or systems used or offered by organizations that process personal data. Entities can, therefore, benefit from an independent certificate to demonstrate that their data processing activities comply with EU regulations. It will be interesting to see how this develops with other data protection authorities in the EU.

Does your organization have questions about accreditation? Contact us, the Experts in Data Privacy at for more information.



Luxembourg delivers first GDPR accreditation

Opinion 28/2022 on the European criteria of certification regarding their approval by the Board as European Data Protection Seal pursuant to Article 42.5 (GDPR)