Long criticised for not adopting any financial sanctions, the National Commission for Data Protection (CNPD) is taking a step forward. In a press release, the data protection watchdog announced that it has introduced a certification system--a first in Europe for a regulator--which will enable all operators, associations, institutions and companies to prove that they comply with GDPR and that they have put in place all the necessary measures.

“The numerous exchanges the CNPD has had with audit professionals since GDPR came into effect in 2018 has helped to determine the value of, as well as the type of GDPR certification that could be useful in the Luxembourgish ecosystem,” the CNPD said about the new GDPR-Carpa certification.

“In concertation with these actors, the CNPD developed a first version of its certification mechanism. Thereafter, the other European data protection authorities have examined these criteria under the consistency mechanism and the European Data Protection Board (EDPB),” the CNPD said in a statement.

In Luxembourg, the CNPD also has the role of accrediting GDPR certification bodies. The criteria for accrediting certification bodies are based on the ISAE 3000 standard (auditing), ISCQ1 (quality control of auditing bodies) and the ISO 17065 standard (accreditation of certification bodies).

The uniqueness of the CNPD certification scheme, it says, is that it is based on an ISAE 3000 Type 2 report that provides an opinion on the proper implementation of the control system over time, while at the same time engaging the formal responsibility of the auditor.

This story was first published in French on . It has been translated and edited for Delano.