| Document register | Andmekaitse Inspektsioon |
| Reference | 2.2-9/26/512-2 |
| Registered | 25.02.2026 |
| Synchronized | 26.02.2026 |
| Type | Outgoing letter |
| Function | 2.2 Authorization and notification procedures |
| Series | 2.2-9 Requests for explanation |
| File | 2.2-9/2026 |
| Access restriction | Public |
| Addressee | Donamix OÜ |
| Method of receipt/dispatch | Donamix OÜ |
| Responsible person | Liina Kroonberg (Andmekaitse Inspektsioon, Cooperation Division, Training and Prevention Team) |
FOR THE PROTECTION OF PRIVACY AND THE TRANSPARENCY OF THE STATE
Tatari tn 39 / 10134 Tallinn / 627 4135 / [email protected] / www.aki.ee
Registry code 70004235
Ahmad Nasereddine
Donamix OÜ
Yours: 07.02.2026 Ours: 25.02.2026 No. 2.2-9/26/512-2
Answer to request
The Estonian Data Protection Inspectorate (DPI) has received your request in which you ask
whether any GDPR certification bodies are accredited or recognized in Estonia. You also inquire
whether the DPI endorses any specific GDPR‑related standards or frameworks. Finally, you
request guidance on how an organization can obtain GDPR certification within the European
Union.
Thank you for your letter and for your commitment to complying with all applicable data
protection regulations, including the GDPR. We appreciate your interest in pursuing GDPR
certification as a way to strengthen user trust and demonstrate accountability.
In response to your questions, we would like to provide the following information:
1. Accredited or recognized GDPR certification bodies in Estonia
At present, there are no GDPR certification bodies accredited or recognized in Estonia. The
Estonian Data Protection Inspectorate (DPI) has not yet approved any national certification criteria
under Article 42 of the GDPR, and therefore no certification bodies can be accredited under Article
43.
2. GDPR‑related standards or frameworks endorsed by Estonian DPI
The DPI does not endorse any specific GDPR certification standards or frameworks. The
Inspectorate follows the guidance issued by the European Data Protection Board (EDPB) as well
as the applicable legislation.
3. Guidance on obtaining GDPR certification in Europe
To obtain GDPR certification, organizations must rely on a certification mechanism approved by
a supervisory authority in an EU Member State and listed by the EDPB. Certification must be
issued by a body accredited both by the national accreditation authority and the national data
protection authority. The certification process typically includes an assessment of the
organization’s data‑protection measures, governance practices, and compliance controls.
Certifications are generally valid for up to three years and are subject to ongoing monitoring.
The official list of all approved GDPR certification mechanisms is published by the European Data
Protection Board (EDPB). This list includes: the certification name, the approving supervisory
authority, the scope of certification, and the accredited certification bodies. It is the most reliable
source for identifying where certification is available.
Accordingly, organizations can obtain GDPR certification in Europe by selecting an approved
certification mechanism from the EDPB’s public register, choosing one that aligns with their
data‑processing activities, and contacting the accredited certification body in the relevant Member
State. The organization must then complete the required assessment and comply with ongoing
monitoring obligations. Certification is valid across the entire EU.¹
If you have any further questions or require additional clarification, we would be happy to assist.
Respectfully
Liina Kroonberg
lawyer
authorized by Director General
¹ GDPR article 42 p 7