General Data Protection Regulation


Backed by fines of up to €20 million or 4% of global revenue, whichever is higher, the General Data Protection Regulation (GDPR) gives EU residents new, expanded rights over their personal data.

Avoid concerns about non-compliance and financial penalties: have EY certify your company's GDPR compliance.

Demonstrate your GDPR compliance with the CARPA certification


EY Luxembourg is accredited to certify the GDPR compliance of your company.


    What EY can do for you

    The General Data Protection Regulation (GDPR) is a global game changer. No organization storing or processing the personal data of EU residents can afford to be complacent, regardless of its location or current privacy maturity level.

    GDPR highlights:

    • Organizations will have only 72 hours to report data breaches
    • Privacy-by-design principles must be incorporated into the development of new processes and technologies
    • Explicit and affirmative consent might be required before processing personal data
    • Most organizations will need to designate an internal or external data protection officer
    • Organizations will have to maintain records of processing activities
    • Organizations will need to scale security measures based on privacy risks
    • International transfers are subject to specific requirements and mechanisms
    • Organizations will report to one supervisory authority
    • Organizations will need to have an effective data retention mechanism in place.

    When the steep financial penalties for non-compliance and data losses are added to the cost of reputational damage, sanctions, remediation and the potential impact on digital transformation, the risk of inaction is clear.

    There is also the opportunity for your organization to take a strategic approach to GDPR.

    Our risk-based, multidisciplinary approach targets GDPR investment where it matters most for regulatory compliance and competitive advantage. Drawing on our extensive privacy knowledge and proven tools, methodologies, DPO as a service and GDPR certification for companies, we help to identify your highest risks and design and execute a tailored road map for compliance and beyond.

    EY Luxembourg GDPR-CARPA certificate: supporting documents

    • Our journey towards GDPR-CARPA certification
    • EY's non-discriminatory policy
    • The procedure for Granting Maintaining
    • The impartiality policy and a public statement on the impartiality
    • Our policy on the use of GDPR-CARPA certificate
    • The procedure for appeal handling process

    How EY can help

    GDPR CARPA Certification for companies

    We are proud to be the first company in the European Union to be able to deliver GDPR certifications for companies.


    Tool-based data retention as a service

    We can help you identify personal data throughout local or cloud systems, and assist you in the automation of cleansing and anonymization of data according to your retention policies.


    Data protection and privacy

    We can help your business detect and prevent data breaches resulting from internal user activity.



    Changing legislative requirements, coupled with increasing customer expectations, pose a rising number of challenges for companies.

