GDPR Articles With Commentary & EU Case Laws
- Author: Adv. Prashant Mali
Without prejudice to the tasks and powers of the competent supervisory authority and the provisions of Chapter VIII, a body as referred to in paragraph 1 of this Article shall, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent supervisory authority of such actions and the reasons for taking them.
The competent supervisory authority shall revoke the accreditation of a body as referred to in paragraph 1 if the requirements for accreditation are not, or are no longer, met or where actions taken by the body infringe this Regulation.
This Article shall not apply to processing carried out by public authorities and bodies.
COMMENTARY:
Article 41 authorises, on certain conditions, an independent body to monitor compliance with a code of conduct approved under Article 40, without prejudice to the tasks and powers of the competent supervisory authority pursuant to Articles 57 and 58. Paragraph 1 stipulates that monitoring of compliance may be carried out only by a body which has an appropriate level of expertise in relation to the subject-matter of the code and which has been accredited for that purpose by the competent supervisory authority.
The second paragraph sets out the conditions that such body must meet:
it must have demonstrated its independence and expertise in relation to the subject-matter of the code to monitor (a);
the body must have established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation (b);
the body must have established procedures and structures to handle complaints about infringements of the code, or about the manner in which the code has been or is being implemented by a controller or processor, and must make those procedures and structures transparent to data subjects and the public (c);
the body must have demonstrated to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests (d).
The competent supervisory authority shall submit the draft requirements for accreditation of a body as referred to in paragraph 1 to the Board pursuant to the consistency mechanism referred to in Article 63. Without prejudice to the tasks and powers of the competent supervisory authority, such a body shall, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code, and shall inform the competent supervisory authority of such actions and the reasons for taking them. The competent supervisory authority shall revoke the accreditation of a body if the requirements for accreditation are not, or are no longer, met, or where actions taken by the body infringe the Regulation. The provision does not apply to processing carried out by public authorities and bodies.
The Directive contained no provision for monitoring approved codes, since it provided no procedure for approving such codes in the first place. One may wonder what the status of the monitoring body will be in national law, as a body separate from the national supervisory authority. A priori, it will not be a public institution but a private one, which would then hold powers of sanction (suspension or exclusion from the code) over an undertaking that may well be established in a third country. The Regulation also says nothing about who bears the costs of this compulsory monitoring, which may pose difficulties in addition to the management of potential conflicts of interest. It should further be noted that the provision does not apply to public authorities and public bodies, even though they are not excluded from Article 40 and may therefore also adhere to approved codes.
We may also ask what precisely qualifies as a "public authority" or "public body", since the Regulation does not define these terms.
Art. 42 GDPR Certification
The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.
In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 5 of this Article may be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation pursuant to Article 3 within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (f) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects.
The certification shall be voluntary and available via a process that is transparent.
A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the supervisory authorities which are competent pursuant to Article 55 or 56.
A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 43 or by the competent supervisory authority, on the basis of criteria approved by that competent supervisory authority pursuant to Article 58(3) or by the Board pursuant to Article 63. Where the Board approves the criteria, this may result in a common certification, the European Data Protection Seal.
The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 43, or where applicable, the competent supervisory authority, with all information and access to its processing activities which are necessary to conduct the certification procedure.
Certification shall be issued to a controller or processor for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant criteria continue to be met. Certification shall be withdrawn, as applicable, by the certification bodies referred to in Article 43 or by the competent supervisory authority where the criteria for the certification are not or are no longer met.
The Board shall collate all certification mechanisms and data protection seals and marks in a register and shall make them publicly available by any appropriate means.
Art. 43 GDPR Certification bodies
Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, certification bodies which have an appropriate level of expertise in relation to data protection shall, after informing the supervisory authority in order to allow it to exercise its powers pursuant to point (h) of Article 58(2) where necessary, issue and renew certification. Member States shall ensure that those certification bodies are accredited by one or both of the following:
The supervisory authority which is competent pursuant to Article 55 or 56;
The national accreditation body named in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council in accordance with EN-ISO/IEC 17065/2012 and with the additional requirements established by the supervisory authority which is competent pursuant to Article 55 or 56.
Certification bodies referred to in paragraph 1 shall be accredited in accordance with that paragraph only where they have:
Demonstrated their independence and expertise in relation to the subject-matter of the certification to the satisfaction of the competent supervisory authority;
Undertaken to respect the criteria referred to in Article 42(5) and approved by the supervisory authority which is competent pursuant to Article 55 or 56 or by the Board pursuant to Article 63;
Established procedures for the issuing, periodic review and withdrawal of data protection certification, seals and marks;
Established procedures and structures to handle complaints about infringements of the certification or the manner in which the certification has been, or is being, implemented by the controller or processor, and to make those procedures and structures transparent to data subjects and the public; and
Demonstrated, to the satisfaction of the competent supervisory authority that their tasks and duties do not result in a conflict of interests.
The accreditation of certification bodies as referred to in paragraphs 1 and 2 of this Article shall take place on the basis of requirements approved by the supervisory authority which is competent pursuant to Article 55 or 56 or by the Board pursuant to Article 63. In the case of accreditation pursuant to point (b) of paragraph 1 of this Article, those requirements shall complement those envisaged in Regulation (EC) No 765/2008 and the technical rules that describe the methods and procedures of the certification bodies.
The certification bodies referred to in paragraph 1 shall be responsible for the proper assessment leading to the certification or the withdrawal of such certification without prejudice to the responsibility of the controller or processor for compliance with this Regulation. The accreditation shall be issued for a maximum period of five years and may be renewed on the same conditions provided that the certification body meets the requirements set out in this Article.
The certification bodies referred to in paragraph 1 shall provide the competent supervisory authorities with the reasons for granting or withdrawing the requested certification.
The requirements referred to in paragraph 3 of this Article and the criteria referred to in Article 42(5) shall be made public by the supervisory authority in an easily accessible form. The supervisory authorities shall also transmit those requirements and criteria to the Board.
Without prejudice to Chapter VIII, the competent supervisory authority or the national accreditation body shall revoke an accreditation of a certification body pursuant to paragraph 1 of this Article where the conditions for the accreditation are not, or are no longer, met or where actions taken by a certification body infringe this Regulation.
The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of specifying the requirements to be taken into account for the data protection certification mechanisms referred to in Article 42(1).
The Commission may adopt implementing acts laying down technical standards for certification mechanisms and data protection seals and marks, and mechanisms to promote and recognise those certification mechanisms, seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).
COMMENTARY:
Main elements of GDPR Articles 42 and 43
The GDPR introduced certification as a means for a data controller or a data processor to demonstrate that a processing operation complies with the Regulation. An additional function of certification in the context of the GDPR is to enhance transparency, since certifications, seals and marks allow data subjects to "quickly assess the level of data protection of relevant products and services" (Recital 100).
Certification as an accountability-based mechanism
Certification is closely linked to the newly introduced principle of accountability. As the Article 29 Data Protection Working Party already highlighted in 2010, data protection needed additional mechanisms that translate legal requirements into real data protection measures. Certifications and seals are treated as accountability-based mechanisms because of their potential to facilitate scalability, compliance, transparency and, to some extent, legal certainty.
Art. 5(2) GDPR requires the data controller both to comply with the principles relating to the processing of personal data and to be able to demonstrate that compliance. Demonstrating compliance in practice may require several actions, such as proper documentation and record keeping (in line with Art. 30 GDPR). Certification can play a role here: a controller whose processing operations have been successfully evaluated by a certification body may use the certification and its supporting documentation as one element in demonstrating compliance to the supervisory authority. The voluntary nature of data protection certification in the GDPR confirms that it is an accountability-based mechanism rather than a regulatory precondition.
Certification of compliance with GDPR provisions
As Art. 42(4) GDPR provides, a certification does not reduce the responsibility of the controller or the processor for compliance with the Regulation, which means that compliance with the GDPR as such cannot be certified. What can be certified is compliance with certification criteria derived from the GDPR. Compliance with such criteria means that, at a given point in time, a controller or processor has taken measures to fulfil certain obligations, for instance to secure the personal data in a given processing operation; it does not attest that the processing is lawful in every respect, nor that it remains compliant after the assessment.
In general, where the EU legislature intends to attach a different legal effect to certification or to a self-declaration of conformity, it says so explicitly. For instance, conformity with harmonised standards developed under the New Approach Directives gives rise to a presumption of conformity with the legislation, and that presumption is expressly provided for in the relevant law. The GDPR contains no such presumption for data protection certification.
Certification bodies and Supervisory authorities
The data protection certification mechanisms provided for in Arts. 42 and 43 GDPR mainly involve the following actors:
The data controller or data processor that aims to apply for certification (‘applicant’)
The certification body
The supervisory authority (data protection authority)
The European Data Protection Board (EDPB)
The certification bodies and the supervisory authorities are the key actors in the certification process. Certification may be conducted either by a certification body that fulfils the conditions of Art. 43 GDPR or by a supervisory authority. The GDPR does not determine when the process is to be conducted by a certification body and when by a supervisory authority. This gap appears to be intentional: Member States and national supervisory authorities may organise certification at national level according to their preferred model.
After the evaluation phase, if the applicant fulfils the necessary requirements, certification is granted by the certification body or by the supervisory authority. Certification is issued for a maximum period of three years and may be renewed under the same conditions provided the criteria continue to be met (Art. 42(7)). Even where a certification body issues the certification, the supervisory authority retains several powers, including the power to withdraw the certification or to order the certification body to withdraw it where the requirements for certification are not, or are no longer, met (Art. 58(2)(h)).
The supervisory authorities also have the power to approve criteria for certification. Not every certification in the field of data protection