Certification and GDPR: Italy’s DPA Clarifications
The GDPR encourages (through the Member States, the supervisory authorities, the Board and the Commission) the adoption of data protection certification mechanisms and data protection seals and markings for the purpose of demonstrating compliance with the Regulation of processing operations by controllers and processors (see Article 42, paragraph 1).
According to Article 23, paragraph 2, the adoption of such certification – which is not mandatory – does not reduce the responsibility of the controller or the processor for compliance with the Regulation and is without prejudice to the supervisory authorities’ obligations and powers.
Notwithstanding such clarification, it should be noted that undergoing a certification process may bring certain advantages. For example, according to Article 83, paragraph 2, when deciding whether to impose an administrative fine and, if so, its amount, the relevant DPA will take into consideration several circumstances, including adherence to approved certification mechanisms pursuant to Article 42. A certification process can also significantly support the controller and/or the processor in complying with the new paradigm created by the GDPR (i.e., the accountability of the subjects involved in the processing chain, with particular emphasis on the impact assessment and the privacy by design/default principles). Additionally, certification will enable controllers and processors to gain a competitive advantage by distinguishing organizations that meet the requirements of the law and provide trustworthy management of personal data from those that do not.
The entities empowered to grant such certification include the supervisory authority (for Italy the “Garante per la protezione dei dati personali”, hereinafter “Garante”) and the certification bodies.
The certification bodies, according to Article 43, paragraph 1, are accredited by the supervisory authority (the Garante) and/or by the national accreditation body named in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council (for Italy ACCREDIA) in accordance with EN-ISO/IEC 17065/2012 and in accordance with additional requirements established by the supervisory authority pursuant to Articles 55 or 56. The identification of the accreditation body is made individually by each Member State.
The Garante, with its communication dated 18 July 2017, stated that the Italian legislator has not yet identified an entity authorized to cover the role of accreditation body for the purposes of the Regulation.
Therefore, it should be noted that the possible concentration of several roles in the supervisory authority (accreditation and certification body, on the one hand; regulatory, supervisory and sanctioning authority, on the other) could lead to certain critical issues, because a strict division of power and authority is a fundamental guarantee of impartiality and democracy.
Furthermore, the Garante also noted that the “additional requirements” (as per Article 43, paragraph 1, letter b) or the “certification criteria” (as per Article 42, paragraph 5) have not been defined and that, to this end, the Garante is currently cooperating with other EU authorities in order to identify, by the end of 2017, a common framework of criteria for the accreditation of the certification bodies and the certification of the data processing in compliance with the Regulation.
Given this framework, it is worth highlighting the Garante’s position, which specified that the certifications currently offered on the market cannot be considered compliant with Articles 42 and 43 of the Regulation, given that the “additional requirements” and the “certification criteria” have not been set forth and approved thus far. However, the Garante also noted that such unofficial certifications will be considered acts of diligence by the interested parties, reflecting the voluntary adoption of a system for analysing and checking the applicable principles, laws and regulations.
For example, the certification ISO/IEC 27552 – Enhancement to ISO/IEC 27001 for privacy management – has been considered a best practice by some national DPAs. Nevertheless, it should be pointed out that certain requirements of the Regulation are not directly addressed by such certification (such as the right to be informed, the right to erasure, and the right to data portability).
As a general comment, the above implies that controllers and processors should carefully evaluate whether the current certification offering is sufficient to demonstrate compliance with the rules set forth by the Regulation, so as to avoid possible misunderstandings.
On the other hand, data subjects – even if certifications can grant a certain level of data protection pursuant to the Regulation – should be aware that this will not amount to a complete guarantee of compliance.
Hopefully this uncertain situation will be quickly resolved with a common and shared solution identified by the relevant authorities. The deadline for adoption of the GDPR is not that far off and, considering the significant efforts required from all of the involved operators, a lack of clear guidelines may create confusion and lead to postponements and the adoption of temporary solutions which could impair the creation of commonality at the EU level.
Article provided by: Avv. Iacopo Destri, Italy