This is how we test and evaluate

With the ePrivacyseal, we confirm to the applicant that their product or service, in the form in which it was submitted to us for assessment, complies with the requirements of our criteria catalog. You can download the criteria catalog here.

The catalog of criteria is based on the current version of the GDPR (General Data Protection Regulation). With this regulation, the European Union has standardized the rules for the processing of personal data by most data processors, both private and public, throughout Europe. On the one hand, this is intended to ensure the protection of personal data within the European Union and, on the other hand, to guarantee the free movement of data within the European internal market. The regulation replaces the 1995 Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

How do we choose our auditors?

Our internal and external auditors, both technicians and lawyers, examine the respective products or services neutrally, objectively and competently. We work with technical experts who have many years of experience in the field of the data processing operations they are evaluating. The same applies to our lawyers, who have specialized in the field of data protection law for many years. To work on an expert opinion for us, a technician or lawyer must have been evaluated and accredited by our company. In this way we ensure that the experts have sufficient expertise for the data processing operations they are to examine.

What do we check?

Within the scope of the evaluation, the technical and legal experts examine in particular the data processing operations underlying the products or services.

They check, as far as technically possible, whether personal data is collected and processed and, in particular, whether this is done on a comprehensible legal basis.

In the course of the technical evaluation, the data processing procedures are traced and checked to see whether they correspond to the applicant's specifications on the one hand and to the requirements of our criteria catalog on the other.

In the legal assessment, the data processing operations are examined to determine whether they are lawful and, in particular, whether the legal principles governing the processing of personal data are complied with.

This is because personal data must be processed in a lawful manner, in good faith and in a way that is comprehensible to the person concerned, in accordance with the legal requirements. They must be collected for specified, explicit and legitimate purposes and may not be further processed in a way incompatible with those purposes. Furthermore, the processing of personal data must be proportionate and relevant to the purpose and limited to what is necessary for the purposes of the processing ("data minimization"). The processed data must be accurate and, where necessary, kept up to date. Appropriate measures must also be taken to ensure that personal data which are inaccurate in relation to the purposes of their processing are erased or rectified without delay ("principle of accuracy"). Personal data must also be stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed. Finally, personal data must be processed in such a way as to ensure an adequate level of security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by appropriate technical and organizational measures.

To verify these points, all legal documents to be submitted by the applicant are checked for compliance with our criteria catalog. This concerns in particular the respective data protection declarations, declarations of consent, contracts insofar as they concern personal data, and so on.

If processors are involved, the data processing agreements on which the engagement is based or, in a case of joint controllership, the respective joint controller agreements are also reviewed.

Our customers have no influence on the test criteria or the methodology used by our experts to test and evaluate. Our experts test and evaluate the products exclusively on the basis of our published criteria catalog, which is available here. The criteria we check include, in particular:

  • the principles governing the processing of personal data
  • the lawfulness of the processing
  • the conditions for a possible consent
  • the conditions for the consent of a child
  • the processing of special categories of personal data
  • the requirements for transparent information and information duties when collecting personal data
  • the guarantee of the data subjects' rights of access
  • the guarantee of the right of rectification of the data subject
  • the guarantee of the right to erasure and the right to "be forgotten"
  • the guarantee of the right to restriction of processing
  • the guarantee of the right to data portability
  • the guarantee of the statutory right to object
  • the requirements for automated decisions including profiling
  • the requirements for cooperation with processors and joint controllers
  • the adequacy of technical and organizational measures
  • the existence of any privacy impact assessments
  • the existence of a data protection officer
  • the existence of any certifications

Do we really test every product and service ourselves?

Even our reviewers are sometimes unable to actually test each product and service themselves due to the globalization of international data streams. The data streams that exist due to globalization are now too complex and too nested for this. If our experts are therefore unable to test individual data processing steps on their own, they base their evaluation on the analysis of the information and documents supplied by the applicant.

In doing so, our auditors take into account existing expert opinions, expert assessments, reports from test institutions, any certificates received and existing publications in the relevant literature, as far as they are available to them. According to the licensing terms for the award of the ePrivacyseal, the applicant is obliged to provide truthful information on the data processing operations in question and not to make any misleading statements. Should this happen, our company has the right to withdraw the respective seal.

Nevertheless, we cannot exclude the possibility that, despite these precautions, the experts we have engaged may be deceived by the respective applicant and thus arrive at an incorrect assessment of the respective facts. However, we are of the opinion that our precautionary measures have reduced the associated risk to an acceptable level. Without taking this residual risk, it would not be possible to award comparable data protection seals of approval.

In addition, we believe that it is helpful for the consumers addressed to be able to verify, by means of a privacy seal of approval, the legality of the data processing operations we review. We believe that the advantage associated with the award of such a privacy seal is greater than the disadvantage of the theoretical risk that an applicant may obtain a privacy seal in a particular case by misrepresenting the facts. Nevertheless, we do not want to leave this problem unmentioned.
