In the realm where law meets technology, we find ourselves amidst a dynamic landscape shaped by rapid technological advancements and the sweeping embrace of globalisation. The scale of the collection and sharing of personal data has been increasing, resulting in novel challenges for data protection. With the entry into force of the General Data Protection Regulation (GDPR) in 2018, the EU endeavoured to facilitate and strengthen the protection of natural persons with regard to the processing of personal data and to ensure the free movement of such data.
Data protection compliance has therefore become a fundamental requirement for the stakeholders involved. Yet, while advancing the protection of individuals’ rights, it also creates legal and financial risks for data controllers and processors. One such risk is the possibility of facing fines of up to 20 million euro or 4% of worldwide turnover (as outlined in Article 83 GDPR). To help data controllers and processors avoid and mitigate such risks, the GDPR gives companies the opportunity to have their data processing activities certified under an approved certification mechanism and thus demonstrate their compliance and conformity with data protection obligations.
Specifically, Article 42(1) provides that certification mechanisms shall be established ‘for the purpose of demonstrating compliance with this Regulation [GDPR] of processing operations by controllers and processors’. The reference is made, in particular, to the obligations concerning the implementation and demonstration of appropriate technical and organisational measures and sufficient guarantees.
GDPR certification is more than a compliance checkbox or a bureaucratic procedure; it is a strategic investment in building a secure and privacy-oriented reality for businesses and individuals alike.
Ekaterina Kasyanova-Kühl, Legal Researcher at ECCP
Despite its voluntary nature, GDPR certification of data processing activities holds various benefits and key advantages for the companies pursuing it. Certification provides a concrete means of documenting and demonstrating adherence to GDPR requirements and, as a result, significantly reduces the likelihood of heavy fines for non-compliance. Even though mitigating financial risk by avoiding fines is perhaps the most obvious benefit, achieving certification also increases trust in the company, which, by means of certification, is able to showcase its dedication to safeguarding individuals’ rights in relation to data protection.
Certification mechanisms under GDPR
The certification mechanisms under the GDPR can be differentiated into two types, namely the national certification mechanism and the European Data Protection Seal.
A national certification mechanism operates, as its name suggests, at the national level and is intended for controllers or processors established in the country where the mechanism has been adopted by the national Supervisory Authority. Certification under this type of mechanism can be granted by accredited national certification bodies and is recognised only in the EU Member State whose Supervisory Authority has adopted the mechanism.
GDPR-CARPA (Certified Assurance Report-Based Processing Activities Certification Criteria), adopted by the Luxembourgish National Data Protection Commission (CNPD), is a pioneer and a prominent example of a national certification mechanism. To benefit from this certification, an entity must be established in Luxembourg.
The European Data Protection Seal, on the other hand, has a broader scope that transcends national boundaries (though not the borders of the EU). Once endorsed, such a certification mechanism is recognised in all EU Member States, and certification may be granted by certification bodies accredited in any of the EU Member States.
Europrivacy™ has been approved by the EDPB (European Data Protection Board) as a European Data Protection Seal to assess and certify the compliance of various kinds of data processing with the GDPR and complementary national data protection regulations. Europrivacy is applicable to almost all data processing activities, including those involving innovative technologies such as Artificial Intelligence, blockchain, e-health, and the Internet of Things.
While the Europrivacy methodology can be applied to diverse targets of evaluation, Article 42 GDPR limits certification to data processing activities. Consequently, within the jurisdictions of the EU Member States, it is not possible to certify a whole entity or its management system at once. The silver lining, however, is that compliance can be certified progressively, starting with priority data processing activities and extending the certification step by step to further data processing activities.
At a time when data breaches and privacy concerns frequently make the news headlines, GDPR certification emerges as a beacon of reassurance. Despite its voluntary nature, it is a demonstration of trustworthiness and commitment as well as a powerful tool for maintaining a competitive edge. GDPR certification is more than a compliance checkbox or a bureaucratic procedure; it is a strategic investment in building a secure and privacy-oriented reality for businesses and individuals alike.
References:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Controller and processor are defined in Article 4(7) and (8) GDPR respectively.
- Decision No. 15/2022 of 13 May 2022 of the Commission nationale pour la protection des données implementing Article 15 of the Law of 1 August 2018 organising the Commission nationale pour la protection des données and the general data protection regime; available at: https://cnpd.public.lu/content/dam/cnpd/fr/professionnels/certification/decision-n-15-2022-du-13-mai-2022-criteres-de-certification.pdf
- Opinion 28/2022 on the Europrivacy criteria of certification regarding their approval by the Board as European Data Protection Seal pursuant to Article 42.5 (GDPR); available at: https://edpb.europa.eu/system/files/2022-10/edpb_opinion_202228_approval_of_europrivacy_certification_criteria_as_eu_data_protection_seal_en.pdf
- More information is available at: https://europrivacy.org/index.php/en