GDPR: the European Data Protection Board adopts its first opinion on the GDPR-CARPA (Luxembourg)

On February 8, the European Data Protection Board (EDPB) adopted, for the first time since its establishment in 2018, a consistency opinion on the GDPR-CARPA certification scheme submitted to the Board by the Luxembourg Supervisory Authority (SA).

The GDPR-CARPA certification scheme is a general scheme, which does not focus on a specific sector or type of processing. It includes requirements on data protection governance in the organisation surrounding the processing activities. In its recommendations, the EDPB provided the Luxembourg Supervisory Authority (LUSA) suggestions on how to ensure that the certification scheme is compliant with GDPR.
In the next two weeks, the LUSA will communicate its response to the EDPB opinion, in which it will state whether it intends to amend its draft decision on the basis of the Board recommendations or refuse to follow the Board opinion by providing, in the latter case, relevant grounds for this decision.

The opinion of the EDPB on the GDPR CARPA is available here.

The CEPI Secretariat continues to closely monitor and keep members up to date on relevant development in this field.