Published October 27, 2023 | Version v1
Thesis Open

La certificazione ai sensi del GDPR: uno strumento di accountability per lo sviluppo della data protection (Certification under the GDPR: an accountability tool for the development of data protection)


The protection of personal data is a highly topical and relevant issue, especially in light of recent developments in computational science and artificial intelligence. These sectors offer new possibilities for the collection, analysis, and use of personal data, but they also present new challenges and risks for the protection of the privacy and fundamental rights of individuals. The emergence of these challenges has also influenced the application of the General Data Protection Regulation (GDPR), leading to new solutions for managing informational privacy that adapt to new needs and preserve a balance between innovation and confidentiality. This is also reflected in numerous rulings of the Court of Justice of the European Union and in regulatory interventions by the European Data Protection Board (EDPB) and national data protection authorities, all aimed at ensuring that the European technological revolution places data protection at the top of the priority list.

In this context, an important tool has recently emerged to ensure the correct implementation of data protection measures, namely certification mechanisms.

This thesis conducts a thorough analysis of the role of data protection certifications as an effective accountability tool for demonstrating compliance with the GDPR. These tools, provided for in art. 42 and 43 of Regulation (EU) 2016/679, allow an organization to attest to the adequacy and effectiveness of the technical and organizational measures it has taken to prevent risks to the rights and freedoms of individuals arising from the processing of personal data.

Given the complexity of certification mechanisms, the thesis first examines in depth the obligations and primary guarantees that must be implemented in accordance with art. 6, par. 2 of the GDPR in order to conduct personal data processing lawfully. It then outlines the organizational methodology that an organization must adopt to document, and be accountable for, its processing activities.

The second chapter considers the concepts and requirements necessary for the establishment, creation, approval and allocation of certification schemes, identifying their scope and applicability on the basis of art. 42 and 43 of the GDPR. These characteristics represent the most significant challenge in the discipline of certification: the Regulation does not specify the conditions under which certification criteria should be developed. Because of this uncertainty, the intervention of the EDPB became necessary to identify the key features of the certification criteria on which the mechanisms should be based. Nevertheless, some aspects of the certification process remain uncovered. Finally, the chapter explores the legal, as well as reputational, advantages and consequences of participating in a certification mechanism, both for data controllers and for data subjects.

From the legal and regulatory aspects outlined in the earlier chapters, the thesis moves on to the practical side, represented by the existing certification mechanisms that have been approved under art. 42 of the GDPR. The main features of these solutions are scrutinized, such as their target of evaluation, functionalities, control criteria, and post-issuance verification mechanisms, in order to understand how effective they are in establishing an appropriate technical and organizational framework for ensuring the proper processing of personal data.

The thesis continues by emphasizing the importance of data protection certifications as a tool for accountability, transparency and trust in the digital market, as well as an opportunity for development and innovation for businesses operating in the digital services and artificial intelligence sectors. This examination is conducted by observing the various points of contact between the certification mechanisms under the GDPR and the new legislative initiatives put forward by the European Commission from 2020 to date to address the new digital revolution stemming from datafication.

Furthermore, the analysis has been enriched by describing the regulatory framework of some non-European jurisdictions. This comparative analysis makes it possible to understand the role that privacy or data protection certifications play in strengthening national regulations and the culture surrounding data protection. The results of this study show how "alignment" with the European Union's regulations has influenced the legislation of the United Kingdom, which provides for co-regulation mechanisms that facilitate the implementation of the obligations prescribed by the relevant national data protection regulations (UK-GDPR). In the United States and Canada, on the other hand, the situation is different: privacy certifications represent an attempt at private self-regulation which, in the absence of any public oversight, is at a higher risk of being susceptible to market abuses.

Certifications under the GDPR are certainly not a cure-all for resolving every challenge that may characterize personal data processing, especially in more complex scenarios. However, they can help lay a solid foundation for effectively designing the technical and organizational measures required to meet the accountability principle. Adherence to a certification mechanism, as well as to a code of conduct, represents the best option for ensuring transparency and the security of personal data processing, potentially increasing the trust of stakeholders in digital services and new technologies.



File: LTSP 91 Razmik.pdf (2.2 MB)
