Controllers should formally submit their EU-wide certification criteria to:
- the competent data protection authority (DPA) in the EEA country where the scheme owners have their headquarters;
- the competent data protection authority (DPA) in the EEA country where a certification body operating the certification mechanism have their headquarters, considering the member state in which the most certificates are likely to be issued.