GDPR Certification Scheme "Europrivacy"

28.03.2023

Kübra Çalışkanöztürk

Jurcom GRC Services, Privacy & Compliance Counsel

As information sharing has spread globally with technological development, the volume of personal data being shared has grown, and personal data has become an asset worth protecting as part of the material and moral existence of individuals. Because such data is now considered worthy of protection all over the world, each country has begun to build its own protection regime. At the same time, the growing threats in the online environment and the security gaps in the physical environment have given the protection of data a legal dimension, and the aim has become to protect data through legal regulation.

The process began with the adoption of the Data Protection Directive in the European Union in 1995 and reached a global dimension with the European General Data Protection Regulation (GDPR). In 2012, the European Commission proposed making the data protection rules applied in the member states of the European Union more comprehensive; the GDPR entered into force on May 24, 2016 and has applied since May 25, 2018. In our country, the Law on the Protection of Personal Data, Law No. 6698, was published in the Official Gazette on April 7, 2016 and entered into force.

Alongside these developments, and with growing global awareness of personal data, the aim became to build an order integrated into commercial life, and certification programs were launched. However, the UK, whose decision to leave the European Union took effect in 2020, announced that it wanted to establish its own data protection regime and presented a new bill, the Data Protection and Digital Information Bill, to Parliament in July 2022. As of March 2023, the UK, whose data protection authority is the Information Commissioner's Office (ICO), announced that it had started reform work to move away from the EU-derived framework inherited from before Brexit. Under these reforms, the UK regime does not radically change the basic elements of the data protection laws, but it was considered important to clarify the meaning of 'legitimate interests': a list of recognised legitimate interests is to be created, and the current proposals for that list include national security, crime prevention, safeguarding, and democratic engagement. Removing the obligation to appoint a Data Protection Officer (DPO) was also put on the agenda: instead of a DPO, a new role, the Senior Responsible Individual (SRI), would be appointed from the senior management of an organization and would not need to act independently of the organization's decision-making process. This role corresponds roughly to the Data Protection Officer (Veri Koruma Görevlisi, VKG) in our country.

With different data protection authorities drafting different laws on a country-by-country basis, a certification program usable across borders in commercial life was needed, and Europrivacy was created as a program through which organizations prove that their data processing activities fulfil their data protection obligations. Europrivacy is a universal data protection certification program that takes into account both national data protection requirements and the GDPR, which covers the European Union countries. The Europrivacy certification program and criteria have been approved by the European Data Protection Board (EDPB) and are maintained and updated by the European Centre for Certification and Privacy (ECCP) and an international board of experts.

The steps required to obtain this certificate are as follows:

  • Apply for the scheme and demonstrate commitment to privacy and data protection,
  • Prove that the data protection activities comply with the data protection regulation,
  • Gather all necessary documents and materials relating to the Target of Evaluation to prove that it actually meets the Europrivacy criteria, which translate the GDPR rules into measurable requirements,
  • Define the scope of certification and establish a certification plan for the certification process in agreement with a certification body.

All processing activities within the scope of certification must meet the Europrivacy core GDPR criteria (transfers, relations with third parties, compliance with the principles relating to the processing of personal data, etc.).

In the evaluation phase, after reviewing the work done during the preparation phase, the auditor examines conformity with the controls. If the auditor identifies nonconformities, the organization has the opportunity to revise its documentation to address them before the application is passed to the certification body. Once the certification decision is made, the certificate of conformity is issued and published online in the official register of Europrivacy certificates.

Europrivacy certificates are valid for 3 years and are maintained through annual surveillance audits.

The benefits of certification are:

1) Improved compliance and risk mitigation,

2) Transparency and trust,

3) Facilitated cross-border data transfers, since a recognised certification can serve as evidence of reliability when transferring data to third parties.

Consequently, obtaining certification can provide a competitive advantage in the European market, where companies may want to check whether their prospective partners hold a GDPR certificate for their processing operations, for example as part of the due diligence required by the GDPR when selecting processors.


Tagged with: Data Protection, Privacy, European General Data Protection Regulation, GDPR, Law on the Protection of Personal Data, 6698, Europrivacy, DPOs
