Trusted Site Privacy: Certification of corporate data protection


Objectively demonstrate data protection compliance – with a certification according to Trusted Site Privacy

With Trusted Site Privacy (TSP), TÜVIT takes a holistic approach. Within the framework of this widely respected certificate, IT systems are tested from both a legal and a technical perspective with regard to the responsible handling of customers' personal data.

The testing by our experts is based on the evaluation criteria for quality in company data protection, which were developed during a two-year EU research project involving over 80 top experts from various industries.

Trusted Site Privacy: Holistic testing in 4 steps

The testing procedure preceding TSP certification also follows a holistic approach. The award of a TSP certificate is based on three comprehensive evaluations: first a legal and a technical assessment of data protection compliance, and then a security inspection.


The testing comprises several steps:
 

As-is analysis and definition of scope

Within the scope of an as-is analysis, experienced experts evaluate the current condition of your product. This is done in a preliminary discussion in which the current situation is assessed in depth on the basis of proven criteria. Usually, this certification step comprises a workshop in which, prior to the actual audit, you are informed about the fundamentals of our work and the underlying legislation.

Furthermore, the as-is analysis specifies, in close coordination with you, the exact scope of the subsequent audit and ultimately of the certification itself. Precision is crucial here and is therefore consistently emphasized by our experts.

Assessment of the documentation

Our experts thoroughly review the documentation you submit. They assess whether the measures you specify adequately satisfy the substantive legal requirements for data protection, and whether the submitted documents demonstrate these measures well enough to withstand a verification by a supervisory authority in a worst-case scenario.

On-site audit and security inspection

We visit your premises to verify, through on-site inspection, assessment and interviews about your systems, that the measures and actions you have specified are being consistently implemented throughout the company. In addition, we perform a security inspection (SI) to test whether the systems you use are able to ensure the intended level of customer data protection from a technical point of view as well. For this purpose we technically assess, for example, the components in use, or perform extensive penetration tests in order to discover vulnerabilities in the system's infrastructure.

Audit report

The inspection concludes with a comprehensive audit report that comprises the results of both the document evaluation and the on-site audit. This report evidences compliance with the requirements and serves as the basis on which the certification body issues the certificate.

Evaluation criteria within the scope of a certification according to Trusted Site Privacy

The evaluation of data protection compliance is carried out by legal and technical experts from the TÜVIT Data Protection Office. It is based on the analysis of the documents and on the results of the on-site implementation check.
 

Data protection compliance
  • Authorization basis for data processing
  • Legality of individual phases of data processing
  • Compliance with data protection principles
  • Rules for order processing
  • Compliance with the rights of the data subjects
  • Notification, information and disclosure obligations

Transparency and data subject friendliness
  • Transparency of the data protection policy
  • Transparency of the data protection documentation
  • Support for the data subjects in exercising their rights

Processing security
  • Technical security and specific organizational requirements for the test object

Data protection management system
  • Data protection policy and working instructions
  • Risk analysis
  • Regular checks to improve the data protection measures, continuous improvement process
  • Qualification of the employees
  • Operating conditions of the Data Protection Officer
  • Documentation of the data protection measures

Privacy by Design & Privacy by Default
  • Data protection aspects must be considered already when developing a system
  • Its design must be based on the premise that only absolutely necessary data will be collected
  • Where a system offers default settings, the more privacy-friendly settings shall be used
  • Any extended access to personal data must require release by explicit opt-in

Security inspection

The security inspection includes, among others:

  • Testing of the components used as well as of the network and transport security
  • Testing of the configuration options
  • Testing of the tools used
  • Performance of penetration tests

The certification process at a glance

[Figure: Certification scheme Trusted Site Privacy]

FAQ regarding data protection certification for Trusted Site Privacy


What are the benefits of TSP when compared to other seals concerning privacy?

TSP works with criteria developed by scientific and business experts of governmental and private data protection organizations within an EU research project. The tests and the awarding of the certificates are performed directly by TÜVIT, so that each project is managed entirely by a company of the renowned TÜV NORD Group. Especially in Germany, the acronym TÜV (comparable to UL in the US) stands for the highest standards and the most thorough examination with regard to the security of products and services of all kinds.

What is tested within the scope of TSP?

For the TSP certificate to be awarded, a test object is first examined regarding the lawful processing of personal data and the sufficiency of the safeguards that provide its security level. In addition, these technical and organizational measures for safeguarding the processed data are tested in the security inspection (SI) and subjected to a stress test which, by performing a targeted search for vulnerabilities, simulates the potential attack tactics of an unknown attacker.

What is the basis for TSP certification?

The criteria for the TSP certificate were developed in part as a result of a two-year EU research project involving over 80 experts from various backgrounds (business, science, governmental and private data protection organizations). TÜVIT was entrusted with performing certification based on those criteria as the sole provider.

Do you have questions? We are pleased to help!

Samantha Murmann, Product Manager Data Privacy & E-Health
Tel.: +49 201 8999 899
s.murmann@tuvit.de

Tobias Mielke, Lead Expert Information Security & Privacy
Tel.: +49 201 8999 553
t.mielke@tuvit.de
