Certification under the GDPR: an accountability tool for the development of data protection
Description
The protection of personal data is a highly topical and relevant issue, especially in light
of recent developments in computational science and artificial intelligence. These
sectors, in fact, offer new possibilities for the collection, analysis, and use of personal
data, but also present new challenges and risks for the protection of privacy and
fundamental rights of individuals. With the emergence of these new challenges, the
application of the General Data Protection Regulation (GDPR) has also been influenced,
leading to new solutions for managing informational privacy to adapt to new needs and
ensure a balance between innovation and confidentiality. This is also reflected in
numerous rulings of the Court of Justice of the European Union and regulatory
interventions by the European Data Protection Board (EDPB) and national data
protection authorities, all aimed at ensuring that the European technological revolution
places data protection at the top of the priority list.
Considering this context, an important tool has recently emerged to ensure the correct
implementation of data protection measures, namely certification mechanisms.
This paper aims to conduct a thorough analysis of the role of data protection
certifications as an effective tool for accountability in demonstrating compliance with
GDPR regulations. These tools, as provided in art. 42 and 43 of Regulation (EU)
2016/679, allow for the attestation of the adequacy and effectiveness of technical and
organizational measures taken to prevent risks to the rights and freedoms of individuals
arising from the processing of personal data.
Given the complexity of certification mechanisms, the obligations and primary guarantees
that must be implemented in accordance with art. 6, par. 2 of the GDPR to lawfully conduct
personal data processing will be examined in depth. Furthermore, we will outline the
organizational methodology that an organization must adopt to document and be accountable
for its processing activities.
In the second chapter, the concepts and requirements necessary for the establishment,
creation, approval and allocation of certification schemes will be considered, identifying
their scope and applicability based on art. 42 and 43 of the GDPR. These characteristics
represent the most significant challenge in the certification discipline. Indeed, the
Regulation is silent on dictating the conditions under which certification criteria should
be developed. Due to this uncertainty, the intervention of the EDPB has become
necessary to identify the key features of certification criteria on which the mechanisms
should be based. Nevertheless, some aspects of the certification process remain
uncovered. Finally, the thesis will explore the legal, as well as reputational, advantages
and consequences resulting from participation in a certification mechanism, both for
data controllers and data subjects.
From the legal and regulatory aspects outlined in the earlier chapters, the thesis moves on
to address the practical aspect, represented by the existing certification mechanisms
that have been approved under art. 42 of the GDPR. The main features of these solutions
will be scrutinized, such as their target of evaluation, functionalities, control
criteria, and post-issuance verification mechanisms, in order to understand their
effectiveness in establishing an appropriate technical and organizational framework for
ensuring the proper processing of personal data.
The paper continues by emphasizing the importance of certifications for the protection
of personal data as a tool for accountability, transparency and trust in the digital market,
as well as an opportunity for development and innovation for businesses operating in
the digital services and artificial intelligence sectors. This examination will be conducted
by observing the various points of contact between the certification mechanisms under
the GDPR and the new legislative initiatives put forth by the European Commission from
2020 to date to address the new digital revolution stemming from datafication.
Furthermore, the analysis is enriched by describing the regulatory framework of
some non-European jurisdictions. This comparative analysis allows us to understand the
role that privacy or data protection certifications play in strengthening national
regulations and the culture of data protection. The results obtained from
this study have shown how the "alignment" with the European Union's regulations has
influenced the legislation of the United Kingdom in providing for co-regulation
mechanisms that facilitate the implementation of obligations prescribed by the relevant
national data protection regulations (UK-GDPR). In the United States and Canada, on the
other hand, the situation is different: privacy certifications represent an attempt at
private self-regulation that, in the absence of any public oversight, is at a higher risk of
being susceptible to market abuses.
Certifications under the GDPR are certainly not a cure-all for resolving all the challenges
that may characterize personal data processing, especially in more complex scenarios.
However, they can help lay a solid foundation for effectively designing the technical and
organizational measures required to meet the accountability principle. Adherence to a
certification mechanism, as well as a code of conduct, represents the best option for
ensuring transparency and the security of personal data processing, potentially
increasing the trust of stakeholders in digital services and new technologies.
Files
LTSP 91 Razmik.pdf (2.2 MB)
md5:80160701bc65f69549712aacca53fbea
Additional details
Dates
- Accepted: 2023-10-27