Clarification of confusion around obtaining a data protection certificate
Because there are many questions about the data protection certificate, the Data Protection Authority (the Office for Personal Data Protection) has issued a set of FAQs on the subject. We reproduce the document below in an easy-to-understand form.
What is a data protection certificate/certification?
It is a document issued by a certification body (certification authority) that demonstrates that the entity processing personal data complies with the requirements of the GDPR.
Is a certificate/certification mandatory?
No. It is only one way of demonstrating compliance with the GDPR.
An entity can therefore demonstrate compliance with the GDPR by means of a certificate, but there are other ways. One is to sign up to and comply with a code of conduct for its sector. Another is to document how personal data is processed and to make that documentation and the processing itself accessible, so that compliance with the GDPR can be assessed during an inspection by the supervisory authority (the Office for Personal Data Protection).
What is the certificate/certification for?
As stated above, the certificate serves as proof that personal data is processed in accordance with the requirements of the GDPR. It can significantly ease the purchase or sale of products and services, because the certificate can be used to demonstrate that the product or service complies with the Regulation.
What is assessed when obtaining a certificate/certification?
The certification body assesses the processing of personal data, i.e. one or more processing operations supported by one or more information systems. It also assesses products (hardware and software) and services.
Who can issue a certificate/certification?
The data protection certificate/certification can only be issued by accredited certification bodies (certification authorities). Accreditation is expected to be carried out by the national accreditation body of the Czech Republic, the Czech Institute for Accreditation, o.p.s., with which the Office for Personal Data Protection already cooperates closely.
What is the timeframe for the preparation of certification and accreditation criteria?
The Office for Personal Data Protection is currently preparing the criteria for issuing the certificate and for accrediting the bodies that will issue it. A few days ago the Office published the official Draft Criteria for certification and accreditation for the protection of personal data under Regulation (EU) 2016/679 of the European Parliament and of the Council. The draft is out for public consultation, and the Office is accepting comments until 20 January 2018.
The Article 29 Working Party (WP29, the predecessor of the European Data Protection Board) is currently preparing two documents:
- Guidelines on certification criteria
- Guidelines on accreditation criteria
These are expected to be approved in February 2018, and the Office's criteria will be aligned with them.
Both sets of criteria will be forwarded to the Czech Institute for Accreditation, o.p.s. after final editing, i.e. after WP29 has issued its guidelines and the Office has taken them into account in its own material.
For the time being, therefore, it is not possible to apply for accreditation, and consequently not possible to apply for a certificate for a product, service or processing operation. The Office will inform the public when this becomes possible.