Data Protection - GDPR certification scheme accredited in accordance with EN ISO/IEC 17065:2012.


The ISDP©10003 certification scheme, accredited by Accredia, arose from the need to assess compliance with the GDPR.

The scheme defines the general requirements and controls for demonstrating that the processing of personal data performed by the data controller and processor, as part of the products, processes, and services they implement or otherwise provide, complies with the GDPR (EU Regulation 2016/679).

Special attention is paid in the new 2020 version to the nature, context and risk of processing operations carried out, in Europe and also outside the European Union.

The scheme was developed as part of the broader compliance framework provided by the new European regulation on the processing of personal data, based on the principle of accountability and the protection of fundamental rights.

The object of certification also involves the detailed analysis of the processing operations as key elements, along with the data, processes and technical infrastructure that are being audited.

New features introduced by the 2020 version

Among the new features introduced by the new version of the scheme is a more precise definition of the scope, especially of the two scopes of application as defined by the GDPR and clarified in EDPB Guidelines 1/2018:

  • A general scope, in relation to the compliance of data controllers and processors under Article 42 (1) of EU Regulation 2016/679, as stated in footnote 1 of §1.2 Scope.
  • A specific scope, in relation to the compliance of products, processes, or services of the data controllers and processors, as indicated in footnotes 2, 3 and 4 of §1.2 Scope.

  • Introduction of 24 new controls determined by the review and/or approval of new guidelines crucial for assessing compliance, particularly with regard to the principles of transparency and fairness, risk management, and the exercise of data subject rights.
  • Definition of the interoperability principle in §70 EDPB Guidelines 1/2018
  • Table of interrelation between §49 EDPB Guidelines 1/2018 and Macroprocesses of the scheme
  • An important definition of how to conduct audits and definition of findings ("shall," "should," "may" according to ISO/IEC 17065:2012)
  • Better framing and definition of risk management, particularly of Ra (acceptable risk) and Ri (inherent risk)
  • Insertion of Annex B, a correlation table between the requirements and controls of the scheme and the articles and recitals of the GDPR


The decision to make the ISDP©10003 scheme publicly available stems from the desire of the Scheme Owner and the INVEO CERTIFICATION Body to:

  • Spread the culture of personal data protection
  • Provide guidelines for comprehensive adaptation of the Data Controller and Data Processor
  • Create the prerequisites for certification in accordance with European Regulation 679/2016

Its dissemination is intended to promote study and research, especially among consultants, data protection officers (DPOs), lawyers, professionals, and in general all those involved in personal data processing.



The ISDP©10003 certified organization:

  • Operates according to the standard, assessing compliance of processing with the GDPR
  • Demonstrates Accountability
  • Demonstrates to the Supervisory Authorities that it has voluntarily performed an act of due diligence
  • Possesses safe, documented and standardized procedures
  • Provides confidence to stakeholders



Whatever the industry and regardless of the type of processing carried out.

Inveo Certification has also made the scheme available to all those Certification Bodies (CaBs) who wish to proceed with voluntary accreditation in the area of process certification for the protection of individuals with regard to the processing of personal data and the free movement of such data.

Since any supplementary criteria under Articles 42 and 43 of Reg. 679/2016 have not yet been established, when these are issued by the committee or the national competent authority under Articles 55 and 56, the ISDP10003:2020 scheme will be promptly adjusted.


The data controller and/or processor that obtains ISDP©10003 certification, with respect to all processes to which it is applicable, provides assurance to interested parties of the voluntary adoption of a system of analysis and control of the principles and reference standards for the protection of natural persons with regard to the processing of personal data and the free movement thereof.

Certifications are an assurance and act of diligence to stakeholders of the voluntary adoption of a system of analysis and control of relevant principles and standards.

Joint Guarantor-Accredia Press Release

Member States, supervisory authorities, the Committee and the Commission shall encourage, particularly at the Union level, the establishment of data protection certification mechanisms as well as data protection seals and marks for the purpose of demonstrating compliance with this Regulation of processing operations carried out by data controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.