European board requires 26 changes to German data privacy certification

EDPB demands extensive modifications to TÜV NORD certification criteria before approval under GDPR frameworks.

German data privacy certification denied by EDPB requiring 26 compliance modifications

The European Data Protection Board delivered comprehensive feedback on German data privacy certification criteria, requiring substantial modifications before approving the Trusted Site Data Privacy scheme proposed by TÜV NORD CERT GmbH. According to the opinion adopted on July 8, 2025, the certification mechanism must address 26 specific recommendations across six critical areas of data protection compliance.

The North Rhine-Westphalia Supervisory Authority submitted the draft certification criteria to the EDPB on April 28, 2025, seeking approval for a national scheme designed to help organizations demonstrate GDPR compliance. The board's assessment, completed following the June 17 completeness decision, identified numerous inconsistencies that could undermine effective data protection evaluation.

Summary

Who: The European Data Protection Board assessed certification criteria submitted by TÜV NORD CERT GmbH through the German North Rhine-Westphalia Supervisory Authority.

What: The EDPB requires 26 specific modifications to the Trusted Site Data Privacy certification criteria before approval, covering general remarks, scope definition, lawfulness requirements, data subject rights, and technical measures.

When: The opinion was adopted on July 8, 2025, following the April 28 submission and June 17 completeness decision.

Where: The certification scheme targets German organizations but requires European Data Protection Board approval due to GDPR consistency requirements across the European Economic Area.

Why: The assessment ensures consistent GDPR application through certification mechanisms while identifying critical deficiencies in technical accuracy, legal alignment, and auditability that could undermine effective data protection compliance evaluation.

Technical deficiencies threaten certification reliability

The EDPB found significant technical problems throughout the certification criteria. Several criteria contain outdated cross-references to deleted items, such as DP06.15 referencing the non-existent DP06.18. These broken references could prevent accurate evaluation of compliance requirements. The board noted that consistent auditability appears compromised when criteria use undefined terms like "sufficient" without precise meaning.

According to the EDPB assessment, criterion DP01.01 requires processors to document information processing systems "to a sufficient extent" and maintain them "sufficiently up to date." However, the term "sufficient" lacks definition across multiple criteria including DP02.01 and DP02.04. This ambiguity creates inconsistent interpretation risks during certification audits.

The certification mechanism also fails to properly address sub-processor relationships. While the criteria allow certified processors to engage sub-processors, the scheme does not clarify whether sub-processors can obtain independent certification. The board emphasized that only processing operations performed by the initial certified processor receive coverage, not activities conducted by subsequent sub-processors.

The EDPB identified critical discrepancies between the certification criteria and GDPR legal requirements. Criterion DP03.01 states that controllers must provide for "Lawful Processing of PD only in accordance with one or more of the following conditions," which does not accurately reflect Article 6(1) GDPR's requirement that "Processing shall be lawful only if and to the extent that at least one of the following applies."

Data subject rights implementation also needs significant improvement. The board found that criterion DP06.05 fails to elaborate on the specific timing requirements under Article 14(3) GDPR for providing information to data subjects. Additionally, criterion DP06.06 contains an incorrect reference to Article 14(3) when it should cite Article 14(4).

The certification criteria inadequately address consent management requirements under Articles 7 and 8 GDPR. According to the EDPB, the scheme uses inconsistent language that could confuse the nature of legal obligations embedded in these provisions. For instance, criteria DP04.02 and DP04.03 use descriptive language rather than reflecting the mandatory nature of consent requirements.

Principles framework needs comprehensive overhaul

The board determined that Article 5 GDPR principles receive inconsistent treatment throughout the certification criteria. While the scheme addresses processing in a "fair and transparent manner," it fails to assess fairness as a distinct element independently under Article 5(1)(a). The EDPB recommended developing specific, precise, and auditable criteria based on elements listed in the board's Guidelines 4/2019 on Data Protection by Design and by Default.

Information obligations under Articles 13 and 14 GDPR lack clarity regarding timing and delivery methods. The criteria reference different timeframes without clearly specifying when and how controllers must provide required information to data subjects. This creates potential compliance gaps during certification evaluations.

Data minimization principles, while mentioned in criterion DP02.06, remain too general for effective auditing. The EDPB noted that important aspects like pseudonymization and anonymization appear auditable, but other elements lack sufficient specificity for consistent evaluation across different certification assessments.

Marketing implications for compliance frameworks

The EDPB opinion highlights broader trends affecting digital marketing compliance strategies. Organizations implementing certification schemes must now demonstrate more rigorous adherence to data protection principles, particularly regarding consent management and data subject rights. The requirements for clearer documentation of lawful processing bases directly impact how marketing teams justify data collection and processing activities.

The certification mechanism's emphasis on technical and organizational measures aligns with increasing regulatory focus on demonstrable compliance rather than theoretical frameworks. Marketing professionals must prepare for more detailed auditing of data handling practices, particularly in automated decision-making and profiling activities that form the backbone of modern digital advertising.

According to PPC Land's previous coverage of European data protection developments, certification mechanisms represent voluntary accountability tools that can enhance transparency and foster privacy rights. However, the EDPB clearly states that certification adherence does not reduce controller or processor responsibility for GDPR compliance or prevent supervisory authorities from exercising their enforcement powers.

Implementation timeline and next steps

The German supervisory authority has two weeks from receiving the EDPB opinion to communicate its response regarding amendments to the draft decision. The authority must indicate whether it will modify the certification criteria according to the board's recommendations or provide grounds for maintaining its original proposal.

If substantial changes occur during the amendment process, the German authority must resubmit the modified certification criteria to the EDPB under Articles 42(5) and 43(2)(b) GDPR. Upon final approval, the authority must publish the certification criteria in an easily accessible format and transmit them to the board for inclusion in the public register of certification mechanisms.

The certification scheme's general scope covers processing operations by both controllers and processors, excluding joint controllers under Article 26 GDPR. Organizations without European Economic Area establishments cannot obtain certification under this mechanism. The scheme explicitly does not provide appropriate safeguards for international data transfers under Article 46(2)(f) GDPR.

Technical security requirements under scrutiny

The EDPB expressed concerns about the penetration testing and vulnerability assessment requirements within the certification criteria. While criterion DP08.01 mandates documented penetration testing complemented by vulnerability scans and configuration analyses, the board found the sequence of steps in the mitigation procedure unclear.

The scheme references BSI standard risk categories but introduces terminology like "high protection requirement" without clear alignment to established risk level nomenclature. This inconsistency could create implementation difficulties during certification evaluations. The board emphasized the need for consistent risk categorization terminology across all criteria to avoid ambiguity.

Technical and organizational measures must align with international standards like ISO/IEC 27001 and BSI IT-Grundschutz while maintaining specific GDPR compliance requirements. The certification criteria must clearly specify how penetration test results integrate with broader risk management plans and vulnerability remediation procedures.

Timeline