EDPS: Guidelines on the protection of personal data processed through web services provided by EU institutions (Nov 2016)

https://edps.europa.eu/sites/edp/files/publication/16-11-07_guidelines_web_services_en.pdf

Also includes interesting links to other EU papers (e.g. on cloud).
Sadly dated Nov 2016, so written with the GDPR in mind, but before it was in force.

Covered technologies include:
- Cookies
- Scripts (e.g. JavaScript code) and components (such as browser plugins) executed on the client side
- Web caching mechanisms
- HTML5 local storage
- “Device fingerprinting”
- “Canvas fingerprinting” and “Evercookies”
- Web beacons

GDPR certification criteria from Luxembourg

https://cnpd.public.lu/dam-assets/fr/actualites/national/2018/GDPR-CARPA-Criteria-v10.pdf

“This document was prepared by the Commission Nationale Pour la Protection des Données (‘CNPD’) in collaboration with representatives from the audit profession. It contains the criteria for the “GDPR-CARPA” certification mechanism. This document should be read in conjunction with the “GDPR-CARPA” certification mechanism document. These certification criteria are a mandatory requirement to evaluate and report on controls over organizational and technical data protection measures, to be eligible for certification. Evaluation and reporting needs to follow the ISAE 3000 standard. Certification can only be granted by certification bodies that have been accredited by CNPD.”

State of the art – Guidelines by ENISA and TeleTrusT

ENISA and TeleTrusT – IT Security Association Germany have published their guidelines in English.

“The document published on the “state of the art” in IT security provides concrete advice and recommendations for action. These guidelines are intended to provide companies, providers (manufacturers, service providers) alike with assistance in determining the “state of the art” within the meaning of the IT security legislation. The document can serve as a reference for contractual agreements, procurement procedures or the classification of security measures implemented. They are not a replacement for technical, organisational or legal advice or assessment in individual cases.”

https://www.enisa.europa.eu/news/enisa-news/what-is-state-of-the-art-in-it-security