Certification is an area of Regulation (EU) 2016/679 (hereinafter GDPR) that still seems to sit in the half-light, sheltered from attention despite being one of the important novelties of the new personal data protection discipline. On it the Authority has felt the need, through the FAQs prepared with the cooperation of Accredia and published a few days ago (which are the source of the quotations below, where not otherwise specified), to communicate some basic concepts both to citizens and to experts.
First of all, it is premised that "accreditation and certification" are an indissoluble pair: a certification body that has not been accredited could not certify anything, and accreditation (an "independent and authoritative attestation of the impartiality, competence and adequacy of conformity assessment bodies", FAQ n. 2) would make no sense on its own, because its function is to give the market guarantees that certification bodies meet the required requirements.
What is being created is a real system of trust, in which a certification is "accredited" to the extent that, as FAQ n. 1 explains, the single national accreditation body has verified "the impartiality, competence and adequacy" of a certification body.
In the Italian legal system, article 2-septiesdecies of Legislative Decree n. 193/2003 (as amended by Legislative Decree 101/2018) establishes that the "national accreditation body referred to in article 43, paragraph 1, letter b), of the Regulation is the Unique National Accreditation Body, set up pursuant to Regulation (EC) n. 765/2008 of the European Parliament and of the Council of 9 July 2018, without prejudice to the power of the Italian DPA to directly assume, by resolution published in the Official Journal of the Italian Republic and in case of serious non-fulfilment of its tasks by the Unique National Certification Body, the exercise of its functions, also with reference to one or more categories of processing".
This is a choice of continuity with the past, made notwithstanding the possibility, granted by article 43, paragraph 1 of the GDPR, for certification bodies to be accredited by "one or more of the following bodies": the supervisory authority and/or the national accreditation body. Italy has chosen Accredia as its Unique National Accreditation Body (FAQ n. 5, save for the exceptional situation seen above).
For this reason the supervisory authority does not accredit certification bodies (as the Authority specifies in the introduction to the document) nor, closely related (and this too is specified by the Authority, FAQ n. 8), does it hold the power of certification, that is, the power to act as a certification body, even though article 42 of the GDPR would permit it. If, in general terms, a certification is an attestation issued by a third party (the certification body) concerning an object (product, process, service, person or system) subjected to a conformity assessment against the requirements set out in a technical standard or in a specific scheme, the subject of certification under article 42 of the GDPR is specifically one or more processing operations on personal data (FAQ n. 6).
As the Authority explains, since the definition of "processing" of personal data is broad, "the subject of certification may also vary to a considerable extent and may include a whole processing operation (for example: the storage of personal data) or a set of processing operations (for example: collection, storage, provision) carried out by the controller and the processor", and to the extent that one or more processing operations constitute a "service" or a "product", the certification may have that service or product as its subject (for example: the personnel management service of a company).
What is certain is that GDPR certification does not cover a management system: the choice is incontrovertible, given that article 43, paragraph 1, letter b) expressly refers to the standard ISO 17065:2012.
It should not be confused with the standards against which management systems are certified (such as ISO 27001, which relies on the standard ISO 17021-1), which are something quite different, nor with personnel certification (such as UNI 11697/2017, recalled in FAQ n. 12, which relies on the standard ISO 17024), which is likewise not part of the certification governed by article 12 of the GDPR. The Authority specifies that certification under the standard UNI 11697/2017 "can represent, on a par with other qualifications, a valid instrument for demonstrating the possession and maintenance of knowledge, skills and competences by experts".
The company or body that chooses to be certified must define the specific object of the certification it wishes to apply for: the Authority reminds that this indication will be reported in the certificate issued by the certification body (FAQ n. 6); it must be stated clearly, and (it is added here) it is in the applicant's primary interest that the scope chosen is coherent with the strategic decision (it is worth saying so) that has been taken.
As to the advantages of a certification (FAQ n. 4), it represents "a useful instrument for controllers and processors to demonstrate compliance with obligations, sufficient guarantees and conformity with personal data protection requirements". Since those requirements and obligations are established by the law, certification provides the organization with an intangible infrastructure, designed by the scheme, which makes binding and operative the combination of obligations and security measures that mandatory legislation, in practice, has frequently proved not "persuasive" enough to secure.
The fundamental approach is a constant analysis and assessment of risks, the cornerstone is the accountability of the controller (or processor), the purpose is protecting the rights and fundamental freedoms of natural persons, the philosophy is continuous improvement. For this reason "GDPR certification" can be particularly interesting for organizations that wish to make their compliance concrete and demonstrable in order to consolidate or develop their activities and/or increase transparency and reputation/trust, for example: companies in the marketing and ICT sectors, social and health services, service providers established in third countries, and not a few public bodies.
FAQ n. 5 reaffirms that certification under the GDPR must be issued in accordance with certification schemes approved by the competent supervisory authority; today there are two specific schemes (based on the GDPR), the ISDP 10003 Scheme and EuroPriSe (the first Italian, the second German), which are awaiting approval by the respective supervisory authorities.
What does this mean? That in the meantime the certifications issued will have full validity in the system of technical, voluntary standards, not in that of the law.
However, this does not mean that in this second system they will have no value or meaning; that would be neither reasonable nor fair, since they are (all the more so, we mean) evidence of the diligence and accountability of certified organizations. A certified company, without prejudice to all the advantages inherent in certification, can still invoke (in order to have any administrative fine mitigated) the provision of article 83, paragraph 2, letter k) (or letter d), if the certification is considered a macro-measure of security under article 32), even if not that of article 83, paragraph 2, letter j).
A certification scheme "developed to be used in all Member States of the European Union" is what is called a "European seal" (FAQ n. 7): to this end "the scope of the criteria of the certification scheme and, more generally, its suitability as a common European certification shall be taken into account".
The further clarification that "the scheme and its criteria must be adaptable so as to take account, where appropriate, of the different national sectoral rules applicable to the processing subject to certification" may sound redundant: technical standards are designed and drafted to meet criteria of abstraction and generality (which public/state legislation, rather, often lacks), so as to be structurally adaptable to the most disparate contexts, because that is (always) their mission.
With FAQ n. 11 the Authority (the Garante) explains how a certification may be reconsidered even well before its expiry (article 42, paragraph 7 GDPR). Thus, where non-compliance with certification requirements is found as a result of (annual) surveillance or for any other reason, the certification body will have to examine the non-compliance and decide on the appropriate actions, which may consist in maintaining certification under specific conditions, suspending certification pending corrective action, reducing the scope of the certification or withdrawing it.
Withdrawal is ordered by the body that issued the certification "if the requirements for certification are not or are no longer satisfied"; however, this power is not precluded to the supervisory authority either, precisely by virtue of article 58, paragraph 2, letter h), GDPR.
SOURCE: FEDERPRIVACY