Study regarding the GDPR certification mechanisms 

The European Commission has published a study regarding the certification mechanisms and the seals for the controllers and processors specified under art. 42 and 43 of the Regulation.

The European Commission recently published a study regarding the certification mechanisms or the seals of the controllers or processors specified in art. 42 and 43 from the regulation no. 2016/679 regarding the data protection (“Regulation”). The herein mechanisms are meant to enable the controllers and processors to demonstrate that the processing activities respect the Regulation’s provisions.

The main point mentioned in the study are the following:

• Art. 42 and 43 do not limit the certification in regards with one subject matter, these certifying mechanisms being used also for demonstrating conformity with the all the Regulation’s provisions.
• Although the mentioned mechanisms are new, there are good practices that can be taken from other mechanisms that exist from a longer period in time (e.g. audit mechanisms).
• The supervisory authorities will have to also use the knowledge from other fields in order to establish and analyse the certifying criterion in regards with the data protection.
• The certifying stages are identified in the Regulation and may be complemented by the stages mentioned in the ISO/IEC 18065 standard.
• In practice, there will be numerous problems raised in case at the European level the provisions regarding the certifying mechanisms will not be harmonised (e.g. certifications will not be recognised in all the EU countries). Thus, the European and international standards are preferred to the national standards.

First sanction imposed under the General Data Protection Regulation in Poland

The Polish DPA imposed a fine of PLN 943 000 (around €220 000) to a company in Poland for breaching the obligation to inform the data subjects in accordance with Article 14 of the GDPR (information to be provided where personal data have not been obtained from the data subject).

The case concerned the collection of data by a company from publicly available registers, for the purpose of its own business activity.

With respect to the obligation to inform the data subjects, the company fulfilled this obligation only in relation to the persons who provided also their e-mails. In the case of persons where the company did not held an e-mail address (but only phone or postal address), due to operational costs, the information was only made available on the company’s website. The company claimed high operational costs and argued that the provision of such information proves impossible or would involve a disproportionate effort, thus falling under the exceptions provided by Article 14 para. 5 of the GDPR.

The DPA considered that the action of the company was insufficient and did not satisfy the requirements under Article 14. In the opinion of the DPA, it appears that the company should have fulfilled the obligation to inform the data subjects by post or phone, since it had such contact details and that the exception provided by article 14 para. 5 of the GDPR was not applicable in this case.