GDPR Articles With Commentary & EU Case Laws
Author: Adv. Prashant Mali
Scope of certification under GDPR
As highlighted, not every certification in the field of data protection is automatically a data protection certification mechanism as provided in the GDPR. In fact, the GDPR appears to be quite limiting when providing the scope of processing activities where data controllers and processors can use certification as an element to show compliance. The scope is mainly limited by the following conditions:
Purpose of certification
According to Article 42 of GDPR, "The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors". The purpose of a data protection certification mechanism under GDPR is thus demonstrating compliance with the Regulation of processing operations by controllers and processors, which clarifies that the substantive requirements a client must fulfill must be related to the provisions of the GDPR, for example to demonstrate compliance with the provision on data security (Art. 32). If a certification mechanism involves a scope that is not in the scope of the GDPR, for example a data protection education course, such a mechanism cannot be used to demonstrate compliance with the GDPR. Such a certification mechanism would therefore not be in the scope of the Art. 42 and Art. 43 GDPR data protection certification mechanisms. Nevertheless, such certification may exist in the free market and potentially contribute to raising the levels of data protection awareness.
Processing operation
The object of certification must be a processing operation. The GDPR regulates the processing of personal data, which may be conducted in the context of a product or system or a service. However, the wording of Art. 42(1) requires that a certification mechanism under GDPR must concern an activity of data processing. Such an activity may be (also an integral) part of a product, a system, or service, but the certification must be granted in relation to the processing activities, and not to the product, system or service as such (e.g. certification of the data deletion process in product X).
Controllers or processors
The reference to "by controllers or processors" limits the scope of applicants that can opt for certification under the GDPR to controllers and processors. Producers or manufacturers of products, systems and services, if they do not process any personal data as controllers or processors, are not in the scope of the GDPR certification mechanisms. Nevertheless, there might be certifications in the market aimed at manufacturers (e.g. OS providers and mobile device manufacturers), in relation to data protection-friendly configuration of products or systems, which will undoubtedly contribute to raising the level of data protection. However, they will be outside of the scope of the GDPR data protection certification mechanisms of Art. 42 and 43 GDPR.
Accreditation of certification bodies
A substantial part of the GDPR provisions on certification refers to accreditation. The legislature emphasizes the importance of having reliable, competent, and independent bodies carrying out the certification by devoting Art. 43 GDPR to certification bodies. Art. 43 GDPR requires the certification bodies that provide data protection certifications to be accredited. The GDPR allows the Member States to select the accreditation model they will follow, from a selection of three options:
Accreditation by a Data Protection Authority (or the European Data Protection Board, in the case of the European Data Protection Seal),
Accreditation by the National Accreditation Body on the basis of the Accreditation Regulation and the ISO/IEC 17065:2012 standard and additional requirements in the field of data protection provided by the Data Protection Authority, or
Both authorities, namely the National Accreditation Body and the competent Data Protection Authority, collaborating in this task.
* * *
CHAPTER 5: TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS
Art. 44 GDPR General Principle for transfers
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.
Suitable Recitals
General principles for international data transfers; (102) International agreements for an appropriate level of data protection.
COMMENTARY:
Article 44 is intended to state the general principle governing data transfers to non-EU third countries or international organizations. These transfers can only be effected if the controllers and the processors falling under the scope of the Regulation comply with the rules provided in Chapter V. The provision, however, gives the rule a new extension: not only are transfers of personal data to a third country or to an international organization operated as part of planned or ongoing processing covered, but so is the future onward transfer by the recipient in that third country to another country or another organization. Those onward transfers must also comply with Chapter V of the Regulation. In other words, by this provision the Regulation sets up a sort of data protection-specific "right to pursue": the data transferred outside the Union remain subject to the law of the Union not only for their transfer, but also for any processing and subsequent transfer.
The concept of international organization, defined in Article 4(26) of the Regulation, is an organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries. This provision has been reintroduced in the final version of the Regulation, after having been removed from the second proposed version. The goal, as referred to in the provision, is that the level of protection of individuals guaranteed by the Regulation is not lowered.
The extension of the territorial scope to processing carried out outside the territory of the Union, by recipient controllers and processors established outside the EU, has both political and legal implications. Politically, the provision allows the European authorities to intervene and detect violations of the Regulation outside the EU on the grounds of a new legitimacy included in the Regulation. The EU can more easily use the data protection argument in different files or negotiations in order to obtain an advantage. Legally, it goes without saying that the provision may be felt by third countries as an attack on their sovereignty, because it imposes a new rule on their territory and a limitation of the freedom of processing. The powers of control and enforcement of the EU authorities and the Member States, of course, cannot be exercised outside the territory of the EU.
The difference from the other rules allowing the application of the Regulation to controllers established outside the territory of the EU (see Article 3) must be appreciated. It is an indirect submission, since only the controllers and the processors who are subject to the other provisions of the Regulation pursuant to Article 3 must comply with Article 44 and, accordingly, with Chapter V. Neither the recipient of the transferred data, nor any person concerned by the data who would be at the origin of the transfer, is directly bound by it.
Art. 45 GDPR Transfers on the basis of an adequacy decision
A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.
When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:
(a) The rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;
(b) The existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and
(c) The international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.
The Commission, after assessing the adequacy of the level of protection, may decide, by means of implementing act, that a third country, a territory or one or more specified sectors within a third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2 of this Article. The implementing act shall provide for a mechanism for a periodic review, at least every four years, which shall take into account all relevant developments in the third country or international organisation. The implementing act shall specify its territorial and sectoral application and, where applicable, identify the supervisory authority or authorities referred to in point (b) of paragraph 2 of this Article. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 93(2).
The Commission shall, on an ongoing basis, monitor developments in third countries and international organisations that could affect the functioning of decisions adopted pursuant to paragraph 3 of this Article and decisions adopted on the basis of Article 25(6) of Directive 95/46/EC.
The Commission shall, where available information reveals, in particular following the review referred to in paragraph 3 of this Article, that a third country, a territory or one or more specified sectors within a third country, or an international organisation no longer ensures an adequate level of protection within the meaning of paragraph 2 of this Article, to the extent necessary, repeal, amend or suspend the decision referred to in paragraph 3 of this Article by means of implementing acts without retro-active effect. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).
On duly justified imperative grounds of urgency, the Commission shall adopt immediately applicable implementing acts in accordance with the procedure referred to in Article 93(3).
The Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation giving rise to the decision made pursuant to paragraph 5.
A decision pursuant to paragraph 5 of this Article is without prejudice to transfers of personal data to the third country, a territory or one or more specified sectors within that third country, or the international organisation in question pursuant to Articles 46 to 49.
The Commission shall publish in the Official Journal of the European Union and on its website a list of the third countries, territories and specified sectors within a third country and international organisations for which it has decided that an adequate level of protection is or is no longer ensured.
Decisions adopted by the Commission on the basis of Article 25(6) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission Decision adopted in accordance with paragraph 3 or 5 of this Article.
Suitable Recitals
(103) Appropriate level of data protection based on an adequacy decision; (104) Criteria for an adequacy decision; (105) Consideration of international agreements for an adequacy decision; (106) Monitoring and periodic review of the level of data protection; (107) Amendment, revocation and suspension of adequacy decisions.
COMMENTARY:
Article 45, paragraph (1) of the GDPR, The concept of "adequate level of protection" which already existed