Privacy

Accreditation and data protection

Accreditation is a technical tool that is increasingly used in the regulated area of data management. The accredited Data Protection Officer offers value to public bodies and to organizations that process “sensitive data” (the special categories of personal data defined in Article 9 of the GDPR).

Accreditation is an indispensable technical support for many verification activities, particularly in cutting-edge sectors. Increasingly, legislators refer to it as a control tool in regulated areas of data management.

A significant example is the accredited Data Protection Officer (DPO), who offers added value to organizations that are legally required to appoint this figure, such as public authorities and bodies or those whose core activities involve large-scale processing of special categories of data (Article 37 GDPR). Certification of the person attests, through an independent third party, that the DPO meets the competence requirements of the reference standard. It does not replace the legal requirement itself: the GDPR asks for “expert knowledge of data protection law and practices” (Article 37(5)) but does not require any certificate, so the certification remains a voluntary, verifiable signal of competence that supports secure and efficient data management in the organization.

The GDPR

Digital data is the oil of the “fourth industrial revolution.” The General Data Protection Regulation (GDPR) strengthens the protection of personal data at the European level, guaranteeing a fundamental right.

Today we live under the impetus of “digital humanism”, which has its roots in the great thinkers of the Renaissance and which, taking a multidisciplinary approach to the new paradigms created by networks and technologies, aims to ensure that the use of intelligent machines does not undermine human values and the fundamental rights of individuals.

These issues, and the ethical challenges posed by technology, have sparked a wide-ranging debate within the European Union, which has led to the definition of shared rules that are applied uniformly by Member States.

As a result of this work, Regulation (EU) 2016/679 on the protection of personal data (GDPR, General Data Protection Regulation) emphasizes the ethical dimension and the need to put people back at the center of the technological revolution we are experiencing, affirming and protecting the fundamental right to the protection of personal data more effectively.

The aim is to protect the personal data of natural persons while preserving the free movement of such data within the Union, and to lay down the rules that anyone processing that data must follow.

GDPR – General Data Protection Regulation

Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

The role of accreditation

The GDPR recognizes accredited certification as a tool for the protection of personal data. The accreditation body collaborates with the Italian Data Protection Authority (Garante per la protezione dei dati personali, GPDP) for the benefit of businesses, institutions, and citizens.

Regulation (EU) 2016/679 encourages the establishment of data protection certification mechanisms and of data protection seals and marks to demonstrate that processing operations carried out by data controllers and processors comply with the Regulation (Article 42(1)).

  • Article 42: certification is issued by the certification bodies referred to in Article 43 or by the competent supervisory authority (in Italy, the Italian Data Protection Authority, GPDP), on the basis of criteria approved by that authority or by the European Data Protection Board.
  • Article 43: certification bodies must be accredited by the competent supervisory authority, by the national accreditation body named in accordance with Regulation (EC) 765/2008 (in Italy, Accredia), or by both.

Collaboration with the GPDP

Legislative Decree 101/2018 aligned Italian national legislation with the GDPR. Privacy certifications are issued by bodies accredited by Accredia on schemes approved by the GPDP after an opinion of the European Data Protection Board (EDPB).

Legislative Decree 101/2018 has brought national legislation into line with the GDPR. In Italy, the subjects authorized to issue certification are certification bodies accredited by Accredia on certification schemes approved by the Italian Data Protection Authority (GPDP).

Accredia has been entrusted with the task of attesting the competence, impartiality, and adequacy of certification bodies on the basis of the UNI CEI EN ISO/IEC 17065 standard for the certification of products, processes and services, supplemented by the additional requirements set by the Data Protection Authority, as Article 43(1)(b) of the GDPR provides.

The mechanism provides for approval of the certification scheme by the GPDP, following the opinion of the European Data Protection Board (EDPB), or, for European certification schemes (European Data Protection Seal), the positive assessment of the competent data protection authority and the approval of the EDPB.

Accredia and Italian Data Protection Authority (GPDP) Agreement

The agreement signed on March 25, 2021 promotes the exchange of information between the accreditation body and the Italian Data Protection Authority on accreditation activities and certifications provided for by EU Regulation 679/2016, for the benefit of businesses, Institutions, and citizens.

Voluntary certifications

The privacy certifications currently on the market, although not recognized by the Italian Data Protection Authority as certifications under Article 42 of the GDPR, are accepted by the market as evidence of voluntary compliance with the European rules.

In the field of privacy, various types of certification are issued. They were developed by the market to meet the needs of public and private organizations and professionals that want to voluntarily align themselves with the requirements of the GDPR.

Certifications issued by accredited bodies are not yet recognized by the GPDP as Article 42 certifications, but they are accepted by the market as a guarantee and as an act of diligence: the organization voluntarily adopts a system for analyzing and monitoring its processing against the principles and rules of the European Regulation. A practitioner should therefore treat such a certificate as evidence of accountability (Article 5(2)) rather than as a presumption of conformity with the GDPR.

Certification of products and services

Types of certification issued by bodies accredited according to ISO/IEC 17065.

ISDP 10003 – Personal data protection

It is issued on the basis of the private ISDP©10003 scheme “Criteria and control rules for the certification of processes for the protection of individuals with regard to the processing of personal data – EU Reg. 679/2016”. The scheme specifies the requirements for the fair, secure, and compliant management of the personal data of natural persons, and provides the principles and control elements for a complete assessment of the conformity of internal processes with the rules on the protection of personal data, with specific reference to the proper management of risk.

SGCMF 10002 – Conformity of healthcare professionals’ archives

It is issued on the basis of the private SGCMF©10002 scheme, which concerns the processing of personal data of healthcare professionals working for pharmaceutical companies, in accordance with the combined provisions of the regulations in force regarding the protection of personal data and the regulations governing the advertising of medicinal products. Through certification, the pharmaceutical company can monitor internal strategic variables, streamline processes, and operate in accordance with the law.

UNI/PdR 43 – Management of personal data in the ICT

The accredited certification is issued in accordance with the Reference Practice UNI/PdR 43:2018 “Guidelines for the management of personal data in ICT in accordance with EU Regulation 679/2016 (GDPR)”, designed for all organizations that process data using electronic tools, in particular small and medium-sized enterprises. Through certification, the organization aims to demonstrate that its management of personal data in the ICT field meets the requirements of the GDPR on the security and correctness of processing carried out by data controllers and processors.

Management system certification

Types of certification issued by bodies accredited according to ISO/IEC 17021-1.

ISO/IEC 27018 – Cloud services for personal data management

Accredited certification is issued in accordance with the international guidelines ISO/IEC 27018 “Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors”, integrated with ISO/IEC 27017 “Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services”. The aim is to certify the ability of cloud service providers to guarantee the security and protection of data, including personal data subject to privacy regulations. Both documents are codes of practice rather than requirement standards: in practice the certificate rests on an ISO/IEC 27001 information security management system whose scope and statement of applicability include the ISO/IEC 27017 and ISO/IEC 27018 controls, so a customer reading such a certificate should check that the certified scope actually covers the cloud service they consume.

ISO/IEC 27701 – Privacy information management systems

Accredited certification is issued in accordance with ISO/IEC 27701 “Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines”, which provides the requirements for extending an ISO/IEC 27001 management system to the perimeter of privacy management (a PIMS). Because it is an extension, it presupposes an information security management system conforming to ISO/IEC 27001 and is certified together with it. It is a useful tool for organizations that want to demonstrate to customers and stakeholders that they operate effective systems to support compliance with the GDPR and other related privacy regulations, and to reduce the risks associated with breaches of the privacy of individuals and organizations.

Certification of persons

Types of certification issued by bodies accredited according to ISO/IEC 17024.

UNI CEI EN 17740 and UNI/TS 11945:2024 – Data processing and protection professionals

Accredited certification is issued in accordance with UNI CEI EN 17740:2024 “Requirements for professional profiles related to the processing and protection of personal data” and UNI/TS 11945:2024 “Assessment of compliance with the requirements defined by UNI EN 17740 ‘Requirements for professional profiles related to the processing and protection of personal data’”. The certifiable professional profiles are: Data Protection Officer, Data Protection Manager, Data Protection Specialist, Data Protection Engineer, Data Protection Auditor. Certification of persons attests the competence of the individual; it says nothing about the conformity of any organization's processing, which is the object of the Article 42 certification mechanism.
