GDPR Compliance under eIDAS

Qualified Trust Service Providers (QTSPs), such as Vidua¹, are under continuous supervision by the Dutch Inspectorate for Digital Infrastructure (Rijksinspectie Digitale Infrastructuur, RDI) and are audited annually by an external auditor to verify their compliance with a broad set of laws and regulations, including the GDPR. During these audits, it is determined whether Vidua meets the requirements of the GDPR, and a solid justification is required. This memo provides further clarification of that process, including several examples.


Vidua is a QTSP and meets the eIDAS requirements

Cleverbase, operating under the name Vidua, acts as a QTSP as described in the eIDAS Regulation². This regulation was established to facilitate secure and cross-border electronic transactions within the Member States of the European Union. An important role in the eIDAS Regulation is assigned to Qualified Trust Service Providers (QTSPs) that deliver services meeting the highest level of trust, such as issuing qualified certificates for qualified electronic signatures. Vidua is currently certified as a QTSP.

The reliability of qualified trust services is ensured in part because QTSPs must comply with a broad set of laws and regulations, including the GDPR. QTSPs demonstrate their compliance with these laws and regulations via an annual assessment carried out by an external conformity assessment body designated by the Dutch Accreditation Council (Raad voor Accreditatie). The report produced by this external, independent auditor is then evaluated by the Dutch Inspectorate for Digital Infrastructure (RDI) — the supervisory authority for QTSPs based in the Netherlands, pursuant to Article 20 of eIDAS.

Once approved by the RDI, the QTSP is listed on the Trust List of the Netherlands. This listing enables relying parties to verify that the trust services have been delivered by a certified provider.


eIDAS explicitly requires GDPR compliance

The broad set of laws and regulations that QTSPs must comply with includes stringent requirements regarding the protection of personal data. To that end, eIDAS explicitly mandates compliance with the GDPR (Article 20(2) and Article 20(3)(ter)³). In the recitals of Regulation 2024/1183, the following text is included:

A qualified trust service provider that provides qualified trust services shall notify the supervisory body, the identifiable affected persons, and any other relevant competent bodies if applicable and, at the request of the supervisory body, the public if this is in the public interest, without undue delay and in any event within 24 hours of the incident, of security breaches or service disruptions in the provision of the service or in the implementation of the measures referred to in point (f bis)(i), (ii), or (iii) which have a significant impact on the provided trust service or on the personal data kept therein.


Supervision and mandatory notification of security breaches/data leaks

The eIDAS Regulation contains a mandatory notification requirement: any security breach or data leak must be reported immediately, and in any event within 24 hours, to the relevant supervisory authorities.

Article 24(2)(f)(ter) sets out the requirement for notifying supervisory authorities:

A qualified trust service provider that provides qualified trust services shall notify the supervisory body, the identifiable affected persons, and any other relevant competent bodies if applicable and, at the request of the supervisory body, the public if this is in the public interest, without undue delay and in any event within 24 hours of the incident, of security breaches or service disruptions in the provision of the service or in the implementation of the measures referred to in point (f bis)(i), (ii), or (iii) which have a significant impact on the provided trust service or on the personal data kept therein.

To comply with these requirements, a standardized process has been established in which the Dutch supervisory authority for QTSPs (the Dutch Inspectorate for Digital Infrastructure) can promptly forward any reports to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and the National Cyber Security Center if necessary. The rights and obligations of the Dutch Inspectorate for Digital Infrastructure are also laid down in law under Article 20 of the eIDAS Regulation. Specifically, it stipulates that the supervisory authority must conduct both ex ante and ex post investigations to ensure that QTSPs under its responsibility comply with privacy requirements. Lastly, the European supervisory authorities are also obligated to inform each other of any such incidents.


Annual ETSI audits

To demonstrate compliance with eIDAS — and thus maintain QTSP status — entities must be assessed against ETSI standards. The general policy requirements for Trust Service Providers are laid down in ETSI EN 319 401. Vidua is certified against version 2.3.1⁴ of this standard, which contains the following requirement:

Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. TSPs operating in Europe are required to ensure that personal data is processed in accordance with Directive 95/46/EC until 25 May 2018, and from 25 May 2018 in accordance with Regulation (EU) 2016/679 that repeals the Directive 95/46/EC. In this respect, authentication for a service online concerns processing of only those identification data which are adequate, relevant and not excessive to grant access to that service online.

Vidua’s most recent ETSI certifications can be found on our qualifications page. ETSI EN 319 401 is within the scope of ETSI EN 319 411-1 and ETSI EN 319 411-2.


  1. Vidua is a trade name of Cleverbase B.V.

  2. In this context, “eIDAS” refers to Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, as well as Regulation (EU) 2024/1183 of the European Parliament and of the Council of 11 April 2024 amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity.

  3. The original legislation, 910/2014, preceded the GDPR, which was published in 2016. Regulation 910/2014 enforced Directive 95/46/EC, the predecessor of the GDPR.

  4. ETSI EN 319 401 has recently been revised in connection with the adoption of the so-called NIS2 Directive (2022/2555). The latest version is v3.1.1. The only change in the quoted requirement is that references to Directive 95/46/EC have been removed. The certificates on the website indicate the versions of the ETSI standards against which Vidua is certified.