GDPR certificate
A GDPR certificate is a written statement that a product, process or service meets all or certain specific requirements from the General Data Protection Regulation (GDPR). With a GDPR certificate, organisations can show their target group that they process and protect personal data with due care. A GDPR certificate is not mandatory. Applying for a GDPR certificate is currently not yet possible.
Applying for a GDPR certificate
Currently, there are no accredited certification bodies in the Netherlands for issuing GDPR certificates. These are bodies that have been accredited by the Dutch Accreditation Council (RvA). As soon as the RvA has accredited certification bodies, you will find this information on our website and in the register on the RvA website.
As a controller or processor, you can then apply to such a certification body for a GDPR certificate. The certification body will then assess whether your product, process or service is eligible for a GDPR certificate.
Note: The Dutch Data Protection Authority (Dutch DPA) does not issue GDPR certificates itself. If you wish to apply for a GDPR certificate, you need to contact a certification body.
Approval of Brand Compliance criteria
The Dutch DPA has approved the Brand Compliance criteria (Certification Standard and Criteria BC 5701:2023). However, requesting a GDPR certificate from Brand Compliance is not yet possible. For this, Brand Compliance must first be accredited by the RvA.
If you have any questions about the course of that procedure, please contact Brand Compliance. You may already be able to start preparing for a certification process. Brand Compliance can inform you about this.
Only official GDPR certificate is valid
To demonstrate your GDPR compliance, you can only use an official GDPR certificate. This is a certificate issued by an organisation accredited by the RvA. A certificate issued by a non-accredited organisation will not be considered a GDPR certificate.
Do you want to be sure that you are dealing with an accredited organisation that is allowed to issue GDPR certificates? Check the register on the RvA website.
Have you been approached by an organisation offering you a GDPR certificate?
You may be approached by organisations that offer you a GDPR certificate, but that are still in the process of being accredited. For example, they may be looking for (prospective) customers to demonstrate how their scheme works. This is part of the accreditation process.
Would you like to check whether an organisation you are approached by has an accreditation application pending with the RvA and the Dutch DPA? You can ask the organisation to demonstrate this by showing its correspondence with the Dutch DPA. Are you still having doubts? You can ask your DPO to contact the Dutch DPA to make inquiries.
Applying for accreditation as a certification body
Do you want to issue GDPR certificates as a certification body? You can submit an application for accreditation to the RvA. The Dutch DPA does not accredit certification bodies itself.
Drawing up a certification scheme for the application
Before making an application to the RvA, you have to draw up a certification scheme. As a certification body, you can draw up a scheme yourself. Or you can have this scheme drawn up and managed by an external scheme manager.
The certification scheme contains requirements that the certificate holder must meet. The scheme also contains additional requirements for you as a certification body. The Dutch DPA has established these additional requirements and coordinated them with the European Data Protection Board (EDPB).
ISO/IEC 17065 standard
The GDPR prescribes the use of the ISO/IEC 17065 standard for accreditation by the RvA. This is the standard for accreditation of certification bodies for products, processes and services. The standard is the basis of the certification scheme.
Assessing the scheme
If you apply to the RvA for accreditation, the RvA will evaluate your certification scheme. The Dutch DPA will then assess whether your certification scheme gives sufficient substance to the relevant requirements under the GDPR. Did the Dutch DPA approve the scheme? Then the accreditation process at the RvA can continue.
Note: It is possible that multiple certification schemes that lead to a GDPR certificate will be used in the market.
Steps for accreditation with the Dutch Accreditation Council (RvA) and the role of the Dutch DPA
The accreditation process of the RvA and the role of the Dutch DPA in the approval of certification schemes comprise a number of steps:
- evaluation by the RvA;
- assessment by the Dutch DPA;
- accreditation by the RvA.
Evaluation by the RvA
- The RvA assesses whether your application for accreditation can be admitted.
- The RvA conducts a preliminary investigation. This includes an evaluation of the certification scheme drawn up by you or an external scheme manager.
- The RvA concludes the preliminary investigation, subject to approval of the certification scheme by the Dutch DPA.
Assessment by the Dutch DPA
- After a positive conclusion of the evaluation by the RvA, the Dutch DPA assesses whether the certification scheme gives sufficient substance to the relevant requirements under the GDPR.
- As the certification body or scheme manager, you send the certification scheme to the Dutch DPA. The Dutch DPA will only process your application if the RvA has concluded the evaluation of the scheme with a positive result and you can demonstrate this.
- The Dutch DPA coordinates the draft decision for approval of the certification scheme with the EDPB. This procedure with the EDPB is in English. This means that you will have to supply the documentation to the EDPB in English. This also applies if you draw up a scheme that is only used in the Netherlands. The further communication from the EDPB to you will also be in English. There is no free translation option through the Dutch DPA or the EDPB. That is why the Dutch DPA recommends that you arrange for a translation into English of all your documentation yourself.
- After the Dutch DPA has approved the certification scheme, you send this decision for approval to the RvA. The RvA will then continue the accreditation procedure.
Accreditation by the RvA
- The RvA will perform an accreditation assessment.
- The RvA will make an accreditation decision. After accreditation by the RvA, you are authorised to grant GDPR certificates for the relevant certification scheme.
- If the RvA has accredited you, the RvA will also assess you periodically.
For more information, see the Accreditation process on the RvA website.
Do you have any questions?
Do you have any questions about submitting a certification scheme to the Dutch DPA and having this assessed? Please contact the Dutch DPA by email.
Obtaining an approved certification scheme
Would you like to find out more about an approved certification scheme? Or would you like to know if you can obtain the certification scheme? Please contact the scheme owner. That is the party that developed the certification scheme.
Publications
- EDPB guidelines on certification and identifying certification criteria
- EDPB guidelines on the accreditation of certification bodies
- EDPB guidelines on certification as a tool for transfers / (Dutch translation) Richtsnoeren voor certificering als doorgifte-instrument
- AP: Aanvullende accreditatie-eisen voor certificeringsorganen / (English translation) Additional accreditation requirements for certification bodies