photo
08.12.2023

Companies will be able to obtain industry-specific certificates of compliance of the processing

The President of the Personal Data Protection Office has approved the Additional Requirements for Accreditation of Certification Bodies. On the basis of this document, certification bodies will be accredited, which will verify the compliance of personal data processing operations carried out by controllers and processors. The certification aims to increase transparency and improve compliance with personal data protection standards, taking into account the specifics of the industry. Certification bodies will award certificates to companies applying for certification in specific sectors. The certificate will be voluntary, and its purpose is to confirm the highest standards of compliance with personal data protection regulations.

"The approved document is an important step towards regulating certification mechanisms in the field of personal data protection. As part of the certification, the compliance of personal data processing operations with the certification criteria approved by the supervisory authority is assessed," said Jakub Groszkowski, Deputy President of the Personal Data Protection Office.

The additional requirements for the accreditation of certification bodies were signed after taking into account the positive opinion of the European Data Protection Board. The document is based on Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679).

In Poland, certification will be carried out by accredited certification bodies granted by the Polish Centre for Accreditation (PCA). Accreditation will be based on ISO/IEC 17065/2012 and Additional Requirements for Accreditation of Certification Bodies approved by the President of the Personal Data Protection Office.

"Certification mechanisms, including certification criteria, may be developed by entities wishing to obtain certification in accordance with industry-specific requirements. We must be aware that the application of universal principles of personal data protection is not always sufficient. Often, guidance is needed that takes into account the specifics of a given industry. Such detailed criteria checked by the certification bodies will help to protect personal data more effectively, and this is what we all care about," said Jakub Groszkowski, Deputy President of the Personal Data Protection Office.

Pursuant to Article 12(1) Act of 10 May 2018 on the Protection of Personal Data, accreditation of bodies applying for a certification license with regard to protection of personal data referred to in Article 43, shall be granted by the Polish Centre for Accreditation. However, the approval and publication of the Additional Accreditation Requirements for Certification Bodies does not mean that entities interested in granting certification can apply to the PCA for accreditation under the General Data Protection Regulation today. The first step must be for the market to set up certification mechanisms, including the certification criteria referred to in Article 42(5) of the GDPR, as accreditation will be carried out under a specific certification mechanism.

The certification criteria are subject to approval by the competent supervisory authority or the European Data Protection Board (where the criteria are approved by the EDPB, this may result in joint certification, the European Data Protection Seal).

"Certification is an extremely important element of personal data protection regulation. Entities that receive the certificate receive confirmation that the personal data processing operations carried out as part of their activities are compliant, from the operational side, with the requirements of the supervisory authority and certified within the specific specificity established by the accredited entity as part of the industry certificate. It is a kind of quality mark (seal) awarded for the personal data protection process. However, I must emphasise here that entities with a valid certificate will not be able to count on preferential treatment by the Personal Data Protection Office and in the event of notifying a personal data breach, standard inspection procedures will be applied to them," said Monika Krasińska, Director of the Case Law and Legislation Department.

More information about the certification can be found in the Certification tab on the UODO website: Certification - UODO

The first webinar from the "Certification in Data Protection" series will be held on Tuesday, 12 December this year at 10.00 a.m. via the UODO website - link to the broadcast:

https://uodo.clickmeeting.com/196628259/?r=AGZ2ZGZ3BQE8sSEvkMiRu3k8MI90MJWkoKu2DTuvpJVhqTWcYzA5sUj1AGRlAmZ5Zj____

Due to the limited number of seats, the order in which you join the event determines your participation.

The next meeting is planned for January 2024.