Data Protection Certification Mechanisms

The European Commission study on the GDPR certification mechanisms pursuant to art. 42 and 43 was commissioned to the prestigious University of Tilburg, in order to verify the opportunities already present at European level in the area of certifications.

TARGET
* Explain art. 42 and 43 and bring them back to the specific terminology of the "certification sector" (ISO 17065:2012).
* Map the existing certification schemes, in the member states and at the level of the main trading partners (total 117), by selecting them on the basis of substantive and procedural requirements and correlating them to technical standards, assessing the advantages and disadvantages in detail.
* Provide recommendations (Article 43.8) based on point 2 for:
  - criteria for certifications (art. 42.5)
  - additional requirements for the accreditation of certification bodies
  - technical standards for certification and mechanisms to promote and recognize these certification mechanisms, seals and marks (article 43.9)
  - identification of any appropriate guarantees in relation to the transfer of personal data to third countries

Of these 117 schemes only 15 were selected as a more in-depth case study.
Final Report Data Protection Certification Mechanism "Study on Articles 42 and 43 of the Regulation (EU) 2016/679"

Scope categories of the case studies: full data protection; partly focusing on data protection; data protection related topics (cyber security).

Analysis dimensions: scope; scheme arrangements; conformity assessment (1. certification issuance, 2. renewal, scoring, legal liability, complaint and dispute).

Case studies:
* BS 10012 (UK)
* TÜV Italia ISO/IEC 27001 + normative criteria
* BSI ISO/IEC 27018 (UK)
* Certificazione ISDP 10003:2015 Data protection (IT)
* Datenschutzaudit beim ULD (DE)
* ePrivacyapp (DE)
* EuroPriSe (DE)
* iKeepSafe COPPA Safe Harbor (US)
* Label CNIL digital safe boxes (FR)
* Health Personal Data Storage Agreement (FR)
* Mjobi Privacy Seal (NL)
* NOREA Privacy-Audit-Proof (NL)
* PrivacyMark System (JP)
* TrustArc APEC CBPR certification (US)

Final Report Data Protection Certification Mechanism "Study on Articles 42 and 43 of the Regulation (EU) 2016/679"

All processes v. dedicated processes (tab. 3.4)
Several of the certifications that were analysed certify all types of processes, while half of them focus on dedicated processes and two schemes only certify the conformity of management systems dedicated to personal data.

All processes v. dedicated processes (tab. 3.7)
Several schemes have an international scope in the sense that they offer to certify entities established inside and outside the EU. Other certifications certify entities registered within the national territory of the scheme operator.

Multi-sector (or sector-neutral) vs single sector (tab. 3.5)
Several schemes claim a multi-sectoral coverage, offering certification of processes in all business activities, while some others focus on dedicated business activities.
All processes v. dedicated processes (tab. 3.8)
A comprehensive model encompasses certifications certifying against the vast majority of provisions included in the GDPR or other data protection laws. On the other hand, a single-issue certification model encompasses the schemes certifying the conformity with a single or limited number of legal obligations in the regulation.

Final Report Data Protection Certification Mechanism "Study on Articles 42 and 43 of the Regulation (EU) 2016/679"

DATA PROTECTION CERTIFICATION MODELS (comparison table of four models; the column headings and most of the Benefits, Coverage and Paying access cells are illegible in the extraction). Recoverable rows, one value per model:
* GDPR article addressed: Art. 28 | Art. 32 | Art. 24 | Art. 24/Art. 28
* Relation to art. 42: Out of the scope art. 42 | Out of the scope art. 42 | In scope art. 42 | In scope art. 42
* Accreditation standard: ISO/IEC 17021:2012 | ISO/IEC 17021:2012 | ISO/IEC 17065:2012 | ISO/IEC 17065:2012
* Object of certification: Management system | Management system | Product, process, services | Product, process, services

October 15, 201? (year illegible), 10:00-13:00