Certification and GDPR: Italy’s DPA Clarifications
According to Article 23, paragraph 2, the adoption of such certification – which is not mandatory –does not reduce the responsibility of the controller or the processor for compliance with the Regulation and is without prejudice to the supervisory authorities’ obligations and powers.
Notwithstanding such clarification, it should be noted, however, that undergoing a certification process may lead to certain advantages. For example, according to Article 83, paragraph 2, when deciding whether or not to impose an administrative fine and deciding on the amount of an eventual administrative fine, the relevant DPA will take into consideration several circumstances including, the adherence to approved certification mechanisms pursuant to Article 42. Additionally, a certification process can also significantly support the controller and/or the processor in complying with the new paradigm created by the GDPR (i.e., the accountability of those subjects involved in the processing chain; having particular emphasis on the impact assessment and privacy by design/default principles). Additionally, certification will enable controllers and processors to gain a competitive advantage by distinguishing those organizations that meet the requirements of the law and provide trustworthy management of personal data from those that do not.
The entities empowered to grant such certification include the supervisory authority (for Italy the “Garante per la protezione dei dati personali”, hereinafter “Garante”) and the certification bodies.
The certification bodies, according to Article 43, paragraph 1, are accredited by the supervisory authority (the Garante) and/or by the national accreditation body named in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council (for Italy ACCREDIA) in accordance with EN-ISO/IEC 17065/2012 and in accordance with additional requirements established by the supervisory authority pursuant to Articles 55 or 56. The identification of the accreditation body is made individually by each Member State.
The Garante, with its communication dated 18 July 2017, stated that the Italian legislator has not yet identified an entity authorized to cover the role of accreditation body for the purposes of the Regulation.
Therefore, it should be noted that the possible concentration of several roles in the supervisory authority (accreditation and certification body, on the one hand, regulatory, surveilling and sanctioning authority, on the other hand) could lead to certain criticalities because a strict division of power and authority is a fundamental guaranty of impartiality and democracy.
Furthermore, the Garante also noted that the “additional requirements” (as per Article 43, paragraph 1, letter b) or the “certification criteria” (as per Article 42, paragraph 5) have not been defined and that, to this end, the Garante is currently cooperating with other EU authorities in order to identify, by the end of 2017, a common framework of criteria for the accreditation of the certification bodies and the certification of the data processing in compliance with the Regulation.
Given this framework, it is worth highlighting that the Garante’s position, which specified that the certifications currently offered on the market cannot be considered as being in compliance with Articles 42 and 43 of the Regulation taking into account that the “additional requirements” and the “certification criteria” have not been set forth and approved thus far. However, the Garante also noted that such unofficial certifications will be considered as acts of diligence by the interested parties for the voluntary adoption of an analysis system and check of the applicable principles, laws and regulations.
For example, the certification ISO/IEC 27552 – Enhancement to ISO/IEC 27001 for privacy management - has been considered a best practice by some national DPAs. Nevertheless, it should be pointed out that certain requirements of the Regulation are not directly addressed by such certification (such as the right to be informed, the right to erasure, and the right to data portability).
As a general comment, the above implies that controllers and processors should carefully evaluate whether the current certification offering is such to demonstrate compliance with the rules set forth by the Regulation and avoid possible misunderstandings.
On the other hand, data subjects – even if certifications can grant a certain level of data protection pursuant to the Regulation – should be aware that this will not amount to a complete guaranty of compliance.
Hopefully this uncertain situation will be quickly resolved with a common and shared solution identified by the relevant authorities. The deadline for adoption of the GDPR is not that far off and, considering the significant efforts required from all of the involved operators, a lack of clear guidelines may create confusion and lead to postponements and the adoption of temporary solutions which could impair the creation of commonality at the EU level.
Article provided by: Avv. Iacopo Destri, Italy