For the Digital Trust Label, criteria have been identified along the four dimensions shown below that together make up a high-quality digital service:
Within these dimensions, we have defined 35 criteria. A service that meets the relevant criteria across all four dimensions is considered a trustworthy digital service. Following a successful audit, an organization can carry the Digital Trust Label to signal to end-consumers its commitment to, and good practices around, digital security and data handling.
Security
Can I count on a certain standard of security? The service provider shall ensure that your data is encrypted in transit so that third parties cannot read it. Read on to understand more about the Security criteria.
- Does the service provider make sure that user names and passwords don’t appear in the source code?
- Is the software securely updated, and are the update requirements verified?
- Is the service provider able to quickly identify and resolve weak spots in security?
- Are instructions on how to install, configure and update the service easy to find and follow, including after changes?
- Does the service provider use all recommended security measures to check the authenticity of a software update?
- Does the service provider use all recommended security measures to protect communications with other related services?
- Does the service provider protect passwords and identifying information from being changed or revealed?
- Is security information such as a user name or password securely generated, used, stored, archived and deleted?
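One way an auditor, or the provider's own CI pipeline, could check the first criterion above (that user names and passwords do not appear in the source code), as an added example that is not part of the Digital Trust Label or its audit tooling: the scanner below looks for credential-like identifiers assigned a quoted string literal, skips placeholders and references to a secret store ("${VAR}", "{{ var }}"), masks what it reports so the finding itself does not leak the value, and records the Shannon entropy of each literal so that generated-looking values can be triaged first. The identifier list, the placeholder allow-list, the 3.5-bit cut-off and the sample source lines are all this example's own assumptions.

```python
"""Flag hard-coded user names, passwords and keys in source text.

Added example for the criterion "user names and passwords don't appear in
the source code". The name list, placeholder allow-list and entropy cut-off
are this example's own choices, not the Digital Trust Label's.
"""
import math
import re
from collections import Counter

# A credential-looking identifier assigned a quoted string literal,
# e.g.  DB_PASSWORD = "..."  or  admin_password: '...'  (YAML/JSON style).
CREDENTIAL_ASSIGNMENT = re.compile(
    r"""(?ix)
    \b(?P<name>\w*(?:user(?:name)?|passw(?:or)?d|pwd|secret|token|api_?key|access_?key)\w*)
    \s*[:=]\s*
    (?P<quote>["'])(?P<value>[^"']*)(?P=quote)
    """
)

# Values that are obviously not live secrets: empty, well-known dummies,
# or references resolved elsewhere ("${VAR}", "{{ var }}", "<redacted>").
PLACEHOLDERS = {"", "changeme", "password", "example", "todo", "xxx", "redacted"}
REFERENCE_PREFIXES = ("${", "{{", "<", "%(")

HIGH_ENTROPY = 3.5  # bits per character; above this the literal looks generated (assumed cut-off)


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character (0.0 for empty or single-symbol input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def is_placeholder(value: str) -> bool:
    """True for values that reference a secret store or are known dummies."""
    v = value.strip().lower()
    return v in PLACEHOLDERS or v.startswith(REFERENCE_PREFIXES)


def mask(value: str) -> str:
    """Never echo the full literal back into a report: keep a two-character hint."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 4 else "*" * len(value)


def scan_source(source: str) -> list[dict]:
    """Return one finding per line that assigns a literal to a credential-like name."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = CREDENTIAL_ASSIGNMENT.search(line)
        if not m or is_placeholder(m.group("value")):
            continue
        value = m.group("value")
        entropy = shannon_entropy(value)
        findings.append({
            "line": line_no,
            "name": m.group("name"),
            "masked": mask(value),
            "entropy": round(entropy, 2),
            "looks_generated": entropy >= HIGH_ENTROPY,
        })
    return findings


# Constructed sample input (not from any real code base): three lines that
# violate the criterion (1, 2, 6), one that reads the key from the environment
# (3), and two placeholder forms that must not be reported (4, 5).
SAMPLE_SOURCE = """\
DB_USER = "svc_billing"
DB_PASSWORD = "Tr0ub4dor&3xamplePa55"
api_key = os.environ["API_KEY"]
token = "changeme"
session_secret = "${SESSION_SECRET}"
admin_password: 'hunter2'
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        flag = " (looks generated)" if f["looks_generated"] else ""
        print(f"line {f['line']}: {f['name']} = {f['masked']}, entropy {f['entropy']}{flag}")
```

Run as a pre-commit hook or CI step over the files being committed; a low-entropy hit like `hunter2` is still a finding, because the criterion is about literals in source, not about their strength. The entropy field only orders the triage.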
Data Protection
How is your data protected? The service provider shall assume responsibility for the appropriate management of your data. Read on to understand more about the Data Protection criteria.
- Is the user clearly informed of the purpose and legal basis of processing?
- Is the storage period of personal data defined and, if indefinite, explained?
- In the case of indefinite storage periods, are regular reviews conducted and reported to the user within 30 days?
- Is the user asked to provide explicit consent for each purpose and legal basis, and can this consent be withdrawn easily at any time?
- Does the provider explain, upon request, how personal data is anonymized and kept anonymous?
- Does the provider delete or return personal data at the end of the retention period?
- Can the user request access to their personal data, including a list of third parties privy to such data?
Reliability
How reliable is the service delivery? The service provider shall take all actions required to safeguard continuity of the service. Read on to understand more about the Reliability criteria.
- Is the software version of the service easy to access and understand?
- Does the service provider clearly explain the support period and need for support?
- Does the service provider implement and regularly review disaster recovery, business continuity, data backup and restoration policies?
- Does the service provider explain functionalities clearly and in detail, and operate in accordance with the descriptions provided?
- Where relevant, are billing and payment systems secure, accurate and efficient?
- Where relevant, does the delivery system meet current best practice for that specific area of activity?
- Can the user easily access, understand and print the service and service provider identification?
- Does the service provider document compliance with all applicable laws and regulations?
- Has the service provider designated a contact representative for legal information about the service?
- Does the service provider ensure inquiries and disputes are dealt with in a timely manner?
Fair User Interaction
Is an automated decision-making mechanism involved? The service provider shall ensure that all users receive equal treatment and that there is no data-based service or price discrimination. Read on to understand more about the Fair User Interaction criteria.
- Is the service accessible by all potential users without discrimination?
- Are service interfaces designed so as not to deceive or clearly manipulate users?
- If mildly manipulative techniques are used, is this clear to the user and are the techniques proportionate to the objectives of the service?
- Does the service provider agree not to design services exclusively to cause user addiction?
- Is clear information about potential addiction risks provided during setup?
- If the service is inappropriate for under-18s, does the service take reasonable steps to verify age before allowing access?
- Does the user understand when AI-based algorithms – especially decision-making algorithms – are used?
- Does the service provider indicate which user-related data is processed by artificial intelligence, and why?
- Does the service provider explain any risks associated with the algorithms clearly and concisely?
- Can the service provider assess the robustness, resilience, accuracy and risks associated with the use of its algorithms?
- Can the user request a review and validation of outputs produced by algorithms?
We want to empower users everywhere to feel safe and secure when they use digital services (please also see our clarification).
Whenever you see the Digital Trust Label, you can expect:
More transparency and information
Transparent information tells you how a digital service handles, for example, your user information. You will also be informed whether the digital service relies on an automated decision-making mechanism, so that you can better understand the potential impact of that service on you.
You will receive relevant information about technology and digital services in plain English, free of technical jargon and corporate speak. The intuitive, streamlined layout makes it easy to access relevant information at a glance.
The Digital Trust Label gives you the knowledge and confidence to make informed choices about the digital services you want to use. It puts you in control of assessing the trustworthiness of the digital services you use.