How to define your target of evaluation for Europrivacy certification

One of the most important early decisions in a Europrivacy certification project is defining the Target of Evaluation, or TOE. This determines exactly what processing activity will be assessed, what evidence will be required, and what the certificate can credibly say.

Certification applies to processing operations and not to the business as a whole. Unlike other standards such as ISO, it is not used to certify a management system, but instead can be used to certify that a product, service or operation¹ is compliant with the GDPR. This means one of the first steps in the certification journey is to identify the TOE. Please get in touch with our team below to learn how we can help with this key step.

Start with the right scope

A TOE defines the exact data processing activity that will be assessed. It sets clear boundaries for what is included and what is not. The scope must not be too broad: a full organisation or management system is considered too large and unclear to assess, and a platform with multiple use cases will likely be too large for the same reason.

Instead, certification should focus on specific activities. Common examples include:

  • A customer-facing web portal.
  • A recruitment or HR onboarding process.
  • A payroll processing activity.
  • A customer support ticketing process.
  • A SaaS product module used to process customer data.

This approach allows organisations to prioritise areas with the greatest impact. Customer-facing processes are often a strong starting point, as they involve direct interaction with personal data either as a controller or a processor.

Define a clear and meaningful target

A TOE must be easy to understand. It should be clear to both regulators and data subjects what is being certified. A good TOE is specific enough to be assessable, but broad enough to represent a meaningful real-world processing activity.

Vague or misleading descriptions should be avoided. The name and scope should reflect the actual processing activity.

There is flexibility in how a TOE is defined. It can include one or more processing operations. However, these operations should be aligned. They should share a common purpose and similar data sources.

If the scope is too narrow, it may not represent the real processing activity. If it is too broad, it may become unclear or difficult to assess. Both cases can reduce trust in the certification.

Map the data flows

A strong TOE is supported by clear data flow mapping. Organisations must be able to describe how personal data moves through the process.

This includes identifying:

  • Sources of personal data.
  • Categories of data subjects.
  • Types of personal data used.
  • Processing purposes.
  • Systems and infrastructure involved.
  • Parties involved.

In practice, if the organisation cannot clearly explain the data flow, the TOE is probably not ready for certification assessment.

Consider organisational and geographic complexity

Some processing activities involve multiple legal entities or jurisdictions. In these cases, the TOE must reflect who controls the processing and where they are based.

This may lead to splitting the certification into separate segments. Each segment must have clear accountability and scope.

Clarity is key. Certification bodies need to assess each activity within the TOE. All supporting documentation must be complete and transparent.

Document the target in detail

A formal description of the TOE is required before certification begins. This description should clearly set out:

  • What processing operations are included.
  • What systems and infrastructure are covered.
  • What is excluded from the scope.
  • How the TOE connects to other processes.

The description should also include key details such as data sources, processing locations and any use of third-party processors.

This level of detail ensures that the certification is meaningful. It also helps avoid claims that could mislead users or customers.

Choose a clear name

The name of the TOE should reflect its scope. It should be simple and direct.

For example, a TOE might be named “public website” and described as covering all personal data processing carried out through that site, including contact forms and IP logs.

A clear name helps stakeholders understand what has been certified without needing technical detail.

Why this matters

Defining the TOE is not a technical step. It is a strategic one. It shapes the value of the certification and how it is understood by customers, regulators and partners. In our experience, the TOE definition workshop is often where organisations uncover hidden complexity, unclear accountability or gaps in documentation before the formal assessment begins.

A well-defined TOE allows organisations to:

  • Focus on high-risk or high-impact processing that matters to the business and to key stakeholders.
  • Accurately assess the effort required and the stakeholders involved to achieve certification.
  • Strengthen their story with a clear and transparent TOE that can be shared with customers, giving them confidence that the product or service they use is compliant with the GDPR.
  • Demonstrate accountability in a clear and targeted way.

In contrast, a poorly defined TOE can reduce the credibility of the certification and create confusion, and may also lead to a certificate being refused.

Final thought

Europrivacy certification is not about certifying everything. It is about certifying the right things in the right way.

A clear, focused and well-documented target of evaluation is the foundation of this approach. Organisations that get this right are better placed to show how they protect personal data and meet regulatory expectations.

Get in touch with our technology and digital consulting team today with the form below.


¹ Note that multiple certificates may be required to certify a product, service or processing operation, depending on the processing scope.
