Czech Republic: GDPR certification mechanism
Articles 42 and 43 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') set down the requirements and potential mechanisms of data protection certification which the Member States are obliged to implement. Jana Pattynová and Teodora Drašković, from Pierstone, comment on the certification mechanism, and explain the processes involved in obtaining certification.
The purpose of certification is for a data controller or data processor, for example a company offering services or software solutions, to demonstrate that it is compliant with the GDPR, which should in turn make its products and services more trusted by its customers and other concerned data subjects. As stated in Recital 100 of the GDPR, the goal of certification is to make processing activities and related services more transparent.
The certification mechanism is similar in nature to codes of conduct under Article 40 of the GDPR. However, codes of conduct are intended for a group of processors or controllers at a sectoral level, such as in the banking industry, whereas a certification is granted to a specific controller or processor for a particular processing activity.
More importantly, certification is intended to simplify data transfers to third countries, as a certification may serve as an appropriate safeguard within the meaning of Article 46 of the GDPR.[1]
Pursuant to Article 43 of the GDPR, there are three possible mechanisms as to how Member States may provide for GDPR certification:
- certificates issued by the supervisory authority itself;
- certificates issued by certification bodies which are accredited by the supervisory authority; or
- certificates issued by certification bodies which are accredited by a national accreditation body.
Certification criteria are to be set out by the Member States themselves. The European Data Protection Board ('EDPB')[2] has published two guidelines relating to certification: Guidelines 1/2018 on Certification and Identifying Certification Criteria in Accordance with Articles 42 and 43 of the GDPR,[3] which are addressed mainly to the supervisory authorities and determine the criteria which might be relevant for certification evaluation, and Guidelines 4/2018 on the Accreditation of Certification Bodies under Article 43 of the GDPR,[4] which are addressed to the supervisory authorities and national accreditation bodies and provide a framework of requirements which should be imposed on certification bodies.
The Czech supervisory authority, the Office for Personal Data Protection ('UOOU'),[5] issued a statement clarifying the certification procedure in the Czech Republic.[6] Below, we provide an overview of the Czech certification mechanism, based on publicly available information.
Czech national accreditation body and certification bodies
In line with Section 15 of Act No. 110/2019 Coll. on the Processing of Personal Data ('the Act'), which supplements the GDPR, the Czech Republic implemented the third of the above-mentioned possible certification regimes, i.e. certificates will be issued by certification bodies which will be accredited by a national accreditation body.
The Czech Accreditation Institute ('the Institute') is authorised to act as the national accreditation body. The Institute is in charge of all accreditation systems and their recognition within the EU. The UOOU issued a statement in which it considers the Institute independent and sufficiently experienced to carry out the GDPR certification.[7]
The Institute will subsequently evaluate and appoint individual certification bodies (private entities) which will be charged with assessing applications for GDPR certification and with issuing certificates.
For this purpose, and in line with Article 43 of the GDPR, the UOOU prepared two documents establishing the criteria for the appointment of certification bodies, and the certification criteria which the subjects applying for certification must fulfil to receive the certificate.[8]
Based on the criteria for the appointment of certification bodies, the Institute will need to consider factors such as the solvency of the entity, the absence of criminal convictions for crimes relating to the entity's business, and the knowledge and experience of its employees in the domain of data protection.
Subsequently, the appointed certification bodies will be obliged to assess whether the relevant products of the subject requesting certification are compliant with the GDPR.
It should be stressed that the certificate may only be issued to a controller or processor of the personal data. Therefore, a data protection officer cannot be certified.
According to the UOOU, certification will mostly be relevant for the following services or processing activities:
- software development;
- IT hardware;
- technology provider or supplier's services;
- individual processing activities; and
- personal data protection management systems of a controller or processor.
Among the criteria that certification bodies will assess are documentation evidencing the compliance with Articles 6 and 9 of the GDPR, or evidence that data subjects are sufficiently informed, i.e. the information obligation is fulfilled. It should be noted that different criteria will apply to different products/data processing activities, for example, depending on the relevant legal basis. Once a certificate is issued, unless revoked, it will be valid for a period of three years.
The procedural aspects of certification are subject to Act No. 22/1997 Coll. on Technical Requirements for Products ('the Act on Technical Requirements'). For the sake of completeness, it should be noted that there are currently some language discrepancies between the terms used in the Act on Technical Requirements and the Czech translation of the GDPR in relation to certification. It remains to be seen which of these pieces of legislation will be amended to match the other.
In line with the requirements of the GDPR, the UOOU provided the draft criteria to the EDPB for approval. After the approval, the final version of the criteria will be published in the UOOU's journal and provided to the Institute, which will follow them when appointing the certification bodies. The certification bodies will subsequently receive the certification criteria for evaluation of certification applications.
At the time of publication, it is not possible to apply for GDPR certification in the Czech Republic, as the criteria prepared by the UOOU are not yet binding and the Institute has not accredited any certification bodies. Once the situation changes, the UOOU should inform the public via its website.
1. See Article 42(2) of the GDPR.
2. The EDPB, see: https://edpb.europa.eu/.
3. See: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf
4. See: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201804_v3.0_accreditationcertificationbodies_annex1_en.pdf
5. In Czech: 'Úřad pro ochranu osobních údajů', see: www.uoou.cz
6. See: https://www.uoou.cz/certifikace-vydavani-osvedceni/d-27300
7. See: https://www.uoou.cz/vismo/dokumenty2.asp?id_org=200144&id=23896
8. See: https://www.uoou.cz/assets/File.ashx?id_org=200144&id_dokumenty=27997