This paper aims to analyse a tool of so-called “soft law”, namely certification in the field of data protection.
Art. 42, paragraph 2 of EU Regulation 2016/679 defines certification as voluntary. However, it is, more appropriately, a regulated certification, since it is based on rules issued by official institutions: particularly, certification criteria are approved by the competent authority or by the Board.
The extensive certification laws and rules raise the issue of the relationship between the certifier’s liability for non-fulfilment or defective fulfilment and the data controller’s liability for data processing.
The certification contract has been defined as an agreement in which an independent third party undertakes to engage in quality certifications for a consideration. Such activity, which consists of multiple steps, includes a number of acts and behaviours aimed at testing a product, service, system or professional for compliance with the standards laid down by the relevant legislation. It is a kind of contract that arises from practical experience.
Under the certification agreement, the certifier must fulfil a number of contractual obligations. In particular, two key obligations can be singled out: the first one concerns the so-called preliminary stage (which is preliminary to the next one, of course) and consists in verifying conformity and carrying out inspections; the second one consists in issuing a report about conformity or non-conformity, thus releasing (or not) the pertinent certification.
We should point out that the certifier does not have to issue a certification but must only pass an opinion about whether something complies with the standards or not. Therefore, the certifier’s key obligation is to provide full, reliable information about a product or a system having specific features; the certifier cannot suggest any design solutions to turn a defective product into a conforming product.
The certifier has to meet other secondary obligations, especially: fairness, adequate technical expertise, transparency. Secondary obligations could also include secrecy and confidentiality, no subcontracts, and no consultancy.
As regards the other party of the contract, i.e. the company, apart from the obligation to pay the agreed price, it also has to adhere to a number of “cooperative” operations to help with the assessment, from the obligation to disclose and communicate, to the obligation to give access to the company’s records, books and premises at any time.
Unfortunately, the meagre Italian jurisprudence about the certifiers’ liability is divided on the contents of the obligation: in a ruling of the Tribunale of Monza it is defined as an obligation of means. Conversely, the Tribunale of Piacenza believes that “certification includes parts of both obligations, means and results. of means, such as arranging the inspections, and provides an
Notwithstanding the foregoing, a certifier’s non-fulfilment or defective fulfilment might consist in not issuing a certification that should have been issued instead or infringing any other applicable obligation (confidentiality, secrecy, etc.). However, the most common case is definitely a breach whereby the certifier issues a certification that should not have been issued.
Usually, a company that uses an untruthful certification is liable in many respects.
Firstly, the detrimental consequences of an untruthful certification on its competitors are clear. This case could be set in the context of unfair competition, since a company that boasts a certification it is not really entitled to have usurps the strengths of its competitors, in the attempt to put off the customers.
Adverse consequences on consumers are also apparent: indeed, using an inaccurate certification can be tantamount to an unfair commercial practice, which, as such, can distort competition by confusing consumers.
Going into the details of data protection, pursuant to art. 24, paragraph 3 of the Regulation, adherence to codes of conduct or to a certification mechanism may be used as an element by which to demonstrate compliance with the obligations of the controller, though, at art. 42, paragraph 4, the Regulation then points out that certifications “do not reduce the responsibility of the controller or the processor for compliance” with the Regulation. The Regulation makes no distinction between a situation in which the certifier is perfectly diligent and a situation in which the certification authority might be charged with non-fulfilment or defective fulfilment: it is clear, though, that, while the former option could be called ‘a textbook case’, the latter is definitely easier to investigate.
Therefore, despite having obtained a certification, the data controller and the data processor are still bound to process personal data in accordance with the Regulation, since such parties cannot rely on their certificates to have their liability cancelled or reduced.