Absence of conflicts of interest, suitable staff training, handling of complaints, periodic checks on certified services and products. These are some of the requirements set by the Garante for the Protection of Personal Data (the Italian data protection authority) for the accreditation of certification bodies that can attest compliance with the European General Data Protection Regulation (GDPR) by companies and bodies that process personal data in order to offer specific products or services.
The European Regulation provides that data protection certifications are issued by bodies accredited to carry out this function. In Italy, the legislator has assigned the accreditation task to Accredia. Accreditation must be granted on the basis of the requirements of the international technical standard EN-ISO/IEC 17065:2012 and of additional requirements established by the national data protection authority, following a common model defined by the European Data Protection Board (EDPB).
The Garante's decision setting out these additional requirements was adopted after a favourable opinion issued by the EDPB. It establishes that Accredia must verify that certification bodies meet criteria of good repute, independence and impartiality, attesting the absence of conflicts of interest with those who wish to be certified.
In addition, certification bodies will need qualified staff whose training is kept constantly up to date, adopt appropriate complaints-handling processes and implement regular surveillance procedures for certified products, processes and services.
Further specific requirements identified by the Garante concern the certification agreements that certification bodies conclude with their customers, which must, for example, contain clauses ensuring full transparency about the activity carried out by the controller or the processor of the certified processing.
The Authority stresses that certification is an important element of accountability, because it attests, through independent bodies, the commitment of the company or institution that obtains it to comply with the GDPR, and that it helps to increase users' confidence in the handling of their personal data.
Certification, the Authority recalls, does not however exhaust the compliance obligations under the GDPR and is in any case without prejudice to the Garante's supervisory tasks and powers.
SOURCE: FEDERPRIVACY