European Data Protection Certification

06 dicembre 2017

On November 29, 2017, Enisa issued the a report destined to familiarise data protection experts with the terminology of certification and to clarify concepts which are relevant to the General Data Protection Regulation (GDPR) certification. The report identifies and analyses challenges and opportunities faced by data protection certification mechanisms, including seals and marks

As of 25 May 2018, GDPR will be the main data protection legal framework in the EU and will be directly applicable to all EU Member States. GDPR will introduce provisions on certification to enhance the transparency of data controllers’ processing operations and the processors. The legislature also envisages a role of certification in assisting controllers and processors to demonstrate compliance with the regulation.

Prof. Dr. Udo Helmbrecht, Executive Director of ENISA, stated: “The GDPR is a landmark piece of legislation which is designed to protect personal information. Given the digitalisation of our world protecting our personal data is critical to the operation of the Digital Single Market, I expect that this report will contribute to the effective implementation of this important piece of legislation.”

Goal-oriented certifications

GDPR data protection mechanisms should not focus only on whether measures are in place or not, but also on to what extent such measures are sufficient in ensuring compliance with the provisions of the regulation.

Certifying a processing operation

 The GDPR regulates the processing of personal data, which may be conducted for a product, system or service. The regulation requires that a certification mechanism under GDPR must concern an activity of data processing. However, the certification must be granted in relation to the processing activity or activities and not to the product, system or service as such.

 Certification as an accountability-based mechanism

 A controller that has had its processing operations successfully evaluated by a certification body may use the certification and its supporting documentation as an element to demonstrate compliance to the supervisory authority. The fact that data protection certification in the GDPR is an accountability-based mechanism is supported by its voluntary nature.

 The recommendations of the report are meant to be of use to all actors involved, from the European Commission and the European Data Protection Board to national certification bodies and supervisory authorities – who are in a position to develop a harmonised understanding of GDPR data protection certification mechanisms and to provide further guidelines should queries and/or challenges arise.

Archivio news

 

News dello studio

set8

08/09/2025

Misure di sicurezza Nis 2

Entro il 1 ottobre 2026, i soggetti NIS che hanno ricevuto la comunicazione dall’ Agenzia per la cybersicurezza nazionale di inserimento nell’elenco nazionale NIS sono tenuti ad adottare le

set8

08/09/2025

Zalando: rimane piattaforma "di dimensione molto grande"

La sentenza del Tribunale europeo, nella causa T-348/23 | Zalando / Commissione, respinge il ricorso della Zalando contro la designazione della sua piattaforma omonima come piattaforma online

set8

08/09/2025

Protezione dei dati: il Tribunale respinge il ricorso diretto all'annullamento del nuovo quadro per il trasferimento di dati personali tra l'Unione europea e gli Stati Uniti

La Sentenza del Tribunale  Europeo, nella causa T-553/23 | Latombe / Commissione,  conferma che, alla data di adozione della decisione impugnata, gli Stati Uniti d'America garantivano

News Giuridiche

set16

16/09/2025

Riforma costituzionale della magistratura, è giurisprudenza creativa?

L'iter parlamentare è in corso al Senato,

set16

16/09/2025

Antiriciclaggio: cambiamenti in arrivo per professionisti e studi

La Legge 13 giugno 2025, n. 91, pubblicata

set16

16/09/2025

False comunicazioni sociali: più reati se il falso si ripropone nei bilanci successivi

La Cassazione chiarisce la natura plurima