
2018 | Original Paper | Book chapter

2. Data Protection Certification in the EU: Possibilities, Actors and Building Blocks in a Reformed Landscape

Authors: Irene Kamara, Paul De Hert

Published in: Privacy and Data Protection Seals

Publisher: T.M.C. Asser Press


Abstract

Certification and seals as a form of co-regulation have been on the EU agenda for over a decade. Enhancing consumer trust and promoting transparency and compliance are central arguments in the policy endorsement for certification. In the field of data protection, the General Data Protection Regulation has considerably substantiated these policy objectives of the European Commission. Our contribution discusses the new EU legal regime for data protection certification. Starting from the background of data protection certification and the preparatory works of the General Data Protection Regulation, the chapter analyses the legal provisions in the new EU data protection framework and reflects on the steps after the Regulation starts to apply.


Footnotes
1
Certification, seals and marks are interrelated. Certification is related to the certification process which includes assessment against pre-defined requirements. The successful process leads to the issue of a certificate. Both seals and marks are visualisations of statements of conformity of a product, process or service with the pre-defined requirements. A mark (of conformity) is the indication that an object is in conformity with specified requirements based on a successful certification procedure. The seal is a visual representation of the successful process, usually including a unique number for each entity that is entitled to use the seal, and in contrast to the mark, can be legally binding per se.
 
2
Greenleaf for instance argues that “there is very little evidence, from what we have seen in the last forty years, that any non-legal constraints will prove effective against business and government self-interest in expanded surveillance: this applies to voluntary self-regulation (through codes of conduct, standard-setting, privacy seals, or spontaneous adoption of privacy-enhancing technologies (PETs) or privacy-by design), the force of competition, or the adoption by consumers of PETs and counter-surveillance technologies.” Greenleaf 2012.
 
3
For instance, in November 2014, the Federal Trade Commission (FTC) settled with the online privacy seal provider TRUSTe on a complaint about TRUSTe failing to conduct promised annual re-certifications of companies participating in its privacy seal program more than 1,000 times between 2006 and 2013. The complaint also alleged that TRUSTe misrepresented its status as a non-profit entity. See Federal Trade Commission 2015.
 
4
European Parliament and Council, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive) OJ L 281, 23.11.1995.
 
5
European Parliament and the Council, Directive 2002/58/EC.
 
6
EuroPriSe criteria, November 2011, https://www.european-privacy-seal.eu/EPS-en/Criteria. Accessed 10 January 2017.
 
7
For instance, EuroPriSe awarded eleven seals in 2015, six of which were re-certifications. https://www.european-privacy-seal.eu/EPS-en/Awarded-seals. Accessed 10 January 2017.
 
8
De Hert et al. 2014, p. 11f.
 
9
European Commission 2010.
 
10
European Commission 2013, Cybersecurity strategy.
 
11
Hustinx 2008, p. 561.
 
12
EC DG Justice 2010, p. 53f.
 
13
EC Proposal (2012) Proposal for a Regulation.
 
14
European Parliament (2014) First Reading.
 
15
European Council (2015) First Reading.
 
16
The problematic areas were the following: (1) the impact of new technologies; (2) the enhancement of the internal market dimension of data protection; (3) addressing the globalisation and improvement of international data transfers; (4) the effective enforcement of data protection rules; and (5) the coherence of the data protection legal framework. See COM (2010) 609 final.
 
17
European Commission 2012, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) COM (2012) 11 final—2012/0011 (COD), 25.01.2012.
 
19
Even though such consultation would in practice probably yield a wide range of opposing opinions, challenging to reconcile, if a “positive approval” or “endorsement” were required.
 
20
Korff 2014.
 
21
Douwe Korff argues that: “(..) the Council would allow Member States to either opt for relatively strong seals issued by DPAs (such as the French Labels), or for an almost completely out-sourced certification scheme under which seals would be issued by an accredited certification body separate from the DPA (and not subject to directions from the DPA, other than in terms of general guidance). The out-sourced seals would have no formal legal effect—but would also by-pass all European cooperation and consistency mechanisms. Yet they would still in practice largely exempt the companies that were awarded such seals from enforcement action by the DPA in question (as long as they complied with the conditions etc. set out in the seals).” in Korff 2014, para 3.
 
22
EDRi and Privacy International, in a joint statement published in June 2015 under the title “Privacy and Data Protection under threat from EU Council agreement”, said that the Council version opens the gates to a “massive Trojan Horse”, particularly with regard to the articles that refer to certification mechanisms and data transfers. Järvinen 2015.
 
23
In the final text of the GDPR the numbering of the certification articles changed from 39 and 39a (in the European Commission Proposal, the first reading of the Parliament and the Council) to 42 and 43.
 
24
The agreement was on the General Data Protection Regulation and the Data protection directive in law enforcement intended to replace the Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters.
 
25
European Parliament and Council of the European Union 2016.
 
26
Before going into detailed analysis of the provisions, note that what is envisaged in the Regulation are two different certifications: the national certification based on the GDPR and the ‘common certification’, the European Data Protection Seal. Most of the provisions are dedicated to the national certification mechanism, which is therefore the focus of this contribution. The provision for the European Data Protection Seal is briefly discussed.
 
27
A certification body is a “third-party conformity assessment body, which operates certification schemes” ISO/IEC 17065:2012, Conformity assessment—Requirements for bodies certifying products, processes and services.
 
28
Article 42 GDPR.
 
29
See Article 58 GDPR, investigative, corrective, and authorisation powers of the supervisory authorities in relation to data protection certification mechanisms.
 
30
ENISA 2017.
 
31
See Sect. 2.10 for a discussion on the criteria.
 
32
Although the certification field is not harmonised at EU level, the certification phases of the EN-ISO/IEC 17065 standard are most commonly followed in practice.
 
33
This is a rather important novelty of the GDPR, because the regulator endorses a technical standard that was developed at international level. Article 43(1)(b) also makes an explicit reference to the ISO/IEC standard. It should be noted that the reference to the standard is static, meaning that the GDPR refers only to the specific version, ISO/IEC 17065 of 2012, and not to any future updates. This can be considered the safer choice for the GDPR, as the regulator refers to the specific, known content of the standard, even though a static reference to standards in legislation always entails the risk of rendering the reference obsolete once the standard is revised or updated.
 
34
Among their authorisation and advisory powers, the supervisory authorities have the power to issue certifications (Article 58(3)(f)).
 
35
Among their corrective powers, the supervisory authorities have the power to withdraw a certification or to order the certification body to withdraw or not to issue a certification (Article 58(2)(h)).
 
36
The issue of both accredited certification bodies and the supervisory authorities having the power to grant certificates is also highlighted by the Bavarian Data Protection Authority for the Private Sector (2016).
 
37
See Rodrigues et al. 2016, p. 19.
 
38
A conformity assessment body is a “body that performs conformity assessment activities including calibration, testing, certification and inspection”, Regulation 765/2008, Article 2(13).
 
39
Regulation (EC) 765/2008 Recital 9.
 
40
Regulation (EC) 765/2008.
 
41
Regulation 765/2008 Article 5(1).
 
42
The terms supervisory authorities and Data Protection Authorities are used interchangeably in this chapter.
 
43
A survey conducted by the EU-funded PHAEDRA project found that most data protection authorities in the EU Member States have fewer than 60 staff. Wright et al. 2015, p. 20.
 
44
ISO/IEC 17065:2012, Conformity assessment—Requirements for bodies certifying products, processes and services.
 
45
ISO/IEC 17065:2012 includes provisions similar to those of Article 43(2) GDPR. For instance, there are process requirements (section 7, pp.), complaints handling (section 7.13, p. 19), requirements related to the impartiality of the certification body (management of impartiality in section 4.2 and a mechanism for safeguarding impartiality in section 5.2), and a requirement for publicly available information, including information on procedures for handling complaints and appeals (section 4.6), even though such information is ‘available upon request’, in contrast with the GDPR (Article 43(2)(d)).
 
46
The accreditation by the supervisory authority is valid for a period of five years. Any revocation of accreditation by the National Accreditation Body is mandatory when the conditions for granting are not met (Article 43(4) GDPR).
 
47
Article 57(1)(p) and Article 58(1)(c) GDPR.
 
48
Article 58(2)(h) GDPR.
 
49
Despite the existence of such obligation “where applicable”, such an interpretation is in line with the aim of the legislator, who involves the supervisory authority in the procedure as an additional guarantee of the transparency and reliability of the data protection certification mechanism and certificate.
 
50
Privacy Bridges, EU and US Privacy Experts in search of transatlantic Privacy Solutions, September 2015, p. 16. https://privacybridges.mit.edu/sites/default/files/documents/PrivacyBridges-FINAL.pdf. Accessed 15 January 2017.
 
51
Bennett argues that “Ironically, the more privacy seal programs there are, the more consumers will be confused, and the more difficult it will be for any one system to achieve a reputation as the methodology by which privacy protection practices can be claimed and assured”. Bennett 2004, pp. 210–226.
 
52
Regulation 182/2011 28.2.2011.
 
53
Giurgiu et al. 2015, p. 17.
 
54
Article 68(1) GDPR.
 
55
Article 70(1) GDPR.
 
56
Article 70(1)(o) GDPR.
 
57
Article 43(6) GDPR.
 
58
In a survey conducted on security certification in the EU, 60.7% of the respondents replied that their most important need is that certification schemes are transparent in what they evaluate and certify. Read further on the identity of the survey and analysis, Kamara et al. 2015, p. 3.
 
59
Rodrigues et al. 2014, p. 79.
 
60
The criteria are fundamental for a trusted, high-quality certification scheme. Schemes might involve procedural assessment criteria (for instance, the object of the criterion might be whether the organisation or product has in place all measures and policies relevant to that criterion) or results-based assessment criteria (for instance, for a data-security criterion, the aim is the result, namely secure data, without focusing on how appropriate the measures taken were, as long as the result is achieved). Bock 2016, p. 337.
 
61
The Article 29 Data Protection Working Party in its opinion 8/2012 providing input on the data protection reform discussions stated: “Since the certification mechanisms are to be encouraged in particular at European level, specifying further the criteria and requirements should be done on a European level as well. Since it would be hard to spell out all criteria and requirements in full in the text of the Regulation, it would be appropriate to adopt a more flexible instrument to provide further criteria and guidance for the data protection certification mechanisms, including conditions for granting and withdrawal and for requirements for recognition within the Union and in third countries. In order to ensure legal certainty towards the data subjects who rely on the certification mechanisms, seals and marks, a delegated act would indeed seem the most appropriate instrument.”, Article 29 Data Protection Working Party 2012, p. 36.
 
62
Albrecht 2016, p. 39.
 
63
Lachaud 2015, p. 6.
 
64
See also Recital (166) on delegated acts.
 
65
The GDPR does not provide a definition of ‘criteria’ nor ‘requirements’ in the data protection certification mechanism context. However, the GDPR differentiates the two terms in several articles, e.g. 43(2)(6).
 
66
Recital 166 refers to delegated acts for both criteria and requirements. This wording remained the same in the relevant Recital across all versions of the GDPR and did not follow the abolition of the word ‘criteria’ in the relevant provision of Article 43 (previous Article 39a) which was made in the political agreement text of December 2015.
 
67
Article 92(5) GDPR. In addition, Article 92(3) provides: “The delegation of power referred to in Article 12(8) and Article 43(8) may be revoked at any time by the European Parliament or by the Council.”
 
68
Read Lachaud 2016, p. 149f on the shortcomings of using the CE marking in enforcing data protection and privacy in the Internet of Things.
 
69
Mandatory third party certification is more commonly found at a national level, as it may be supported by national legislation. Read further: Consumer Research Associates Ltd. 2007.
 
70
Article 83(2)(j) GDPR: “adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42”.
 
71
See Data Protection Authority of Bavaria for the Private Sector, ‘EU-Datenschutz-Grundverordnung: Zertifizierung’, June 2016, https://www.lda.bayern.de/media/baylda_ds-gvo_2_certification.pdf. Accessed 27 July 2016.
 
72
On the issue of the object of certification, see ENISA 2017.
 
74
Bavarian Data Protection Authority for the Private Sector 2016.
 
75
For instance, the Common Criteria standard ISO/IEC 15408 and certification. Read further: Rannenberg 2000, European Union Agency for Network and Information 2013. Also, ISO/IEC 27011:2013 Information technology—Security techniques—Information security management systems—Requirements, ISO/IEC 27002:2013 Information technology—Security techniques—Code of practice for information security controls, and ISO/IEC 27018:2014 Information technology—Security techniques—Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors. De Hert et al. 2015.
 
76
Article 32(1)(a)–(d) GDPR.
 
77
Recital 74 GDPR.
 
78
Recital 77 provides: “Adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.”
 
79
Article 82 GDPR.
 
80
Danezis et al. 2014, p. 5.
 
81
M/530 Commission Implementing Decision 2015.
 
82
Kamara 2017.
 
83
The M/530 explicitly refers to the EC proposal for a General Data Protection Regulation and a “data protection by default and by design” approach (Recital 3).
 
84
Judgment in Case C-362/14 Maximillian Schrems v Data Protection Commissioner, ECLI:EU:C:2015:650.
 
85
Read, among others, Kuner 2015.
 
86
On 2 February 2016, the Commission and US competent authorities reached an agreement on a new framework enabling transatlantic data flows, the EU-US Privacy Shield. Statement from the EC of 2 February 2016, http://europa.eu/rapid/press-release_IP-16-216_en.htm. Accessed 18 January 2017.
 
87
Article 42(2) GDPR.
 
88
Article 45 GDPR.
 
89
Article 46(2)(b) GDPR.
 
90
Article 46(2)(c) and (d) GDPR.
 
91
Article 46(2)(e) GDPR.
 
92
Article 46(2)(e) GDPR.
 
93
Previously Article 39 of the European Commission Proposal, European Parliament and Council first reading.
 
94
Kosta and Stuurman 2016, p. 458.
 
95
Data Protection Authority of Bavaria for the Private Sector 2016.
 
96
Ibid.
 
References

Albrecht J P (2016) The EU’s New Data Protection Law – How A Directive Evolved Into A Regulation; Overview of the designated final text of the EU’s General Data Protection Regulation, and consideration of the background to it, after the Agreement in the Trilogue. Computer Law Review International, Issue 2 April 2016

Article 29 Data Protection Working Party (2012) Opinion 08/2012 providing further input on the data protection reform discussions. WP199, October 5, 2012

Article 29 Data Protection Working Party (2010) Opinion 03/2010 on the principle of Accountability. WP173, July 2010

Bennett C J (2004) Privacy Self-Regulation in a Global Economy: A Race to the Top, the Bottom or Somewhere Else? In: Voluntary Codes: Private Governance, the Public Interest and Innovation. Carleton University, Ottawa, 210–226

Bock K (2016) Data Protection Certification: Decorative or Effective Instrument? Audit and Seals as a Way to Enforce Privacy. In: Wright D, De Hert P (eds) Enforcing Privacy: Regulatory, Legal and Technological Approaches. Springer, Heidelberg

Data Protection Authority of Bavaria for the Private Sector (2016) EU-Datenschutz-Grundverordnung: Zertifizierung, June 2016

De Hert P et al (2014) Challenges and Possible Scope of an EU Privacy Seal Scheme. D.3.3 Final Report for Privacy Seals Study, January 2014

De Hert P et al (2015) The cloud computing standard ISO/IEC 27018 through the lens of the EU legislation on data protection. Computer Law and Security Review (32):16–30

European Commission (2012) Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). COM (2012) 11 final – 2012/0011 (COD), 25.01.2012

European Commission, High Representative of the European Union for Foreign Affairs and Security Policy (2013) Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace. JOIN(2013) 1 final

European Commission (2015) M/530 Commission Implementing Decision C (2015) 102 final of 20.1.2015 on a standardisation request to the European standardisation organisations as regards European standards and European standardisation deliverables for privacy and personal data protection management pursuant to Article 10(1) of Regulation (EU) No 1025/2012 of the European Parliament and of the Council in support of Directive 95/46/EC of the European Parliament and of the Council and in support of Union’s security industrial policy. ftp://ftp.cencenelec.eu/CENELEC/EuropeanMandates/M530_EN.pdf. Accessed 28 February 2016

European Council (2015) Preparation of a general approach. 9565/15, 11.6.2015, adopted at JHA Council Meeting on 15.6.2015

European Parliament and Council (1995) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive). OJ L 281, 23.11.1995

European Parliament and Council (2008) Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93. OJ L 218/30, 13.8.2008

European Parliament and the Council (2002) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). OJ L 201, 31.7.2002

European Parliament and the Council (2009) Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws. OJ L 337/11, 18.12.2009

European Parliament and Council of the European Union (2013) Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers. OJ L 55/13, 28.2.2011

European Parliament (2014) Legislative resolution of 12 March 2014 on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). (COM(2012)0011 – C7-0025/2012 – 2012/0011(COD))

European Parliament and Council of the European Union (2016) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). OJ L 119/1, 4.5.2016

Giurgiu A et al (2015) EU’s One-Stop-Shop Mechanism: Thinking Transnational. Privacy Laws & Business: International Reports (137):16–18

Graham G (2012) Global data privacy in a networked world. In: Brown I (ed) Research Handbook on Governance of the Internet. Edward Elgar, Cheltenham

Hustinx P (2008) The Role of Data Protection Authorities. Cahiers du Centre de Recherches Informatique et Droit (CRID) nr 31, Défis du droit à la protection de la vie privée / Challenges of privacy and data protection law. Namur-Bruxelles (2008):561–568

Järvinen H (2015) Press Release: Privacy and Data Protection under threat from EU Council agreement. https://edri.org/. Accessed 28 February 2016

Judgment in Case C-362/14 Maximillian Schrems v Data Protection Commissioner

Kamara I (2017) Co-regulation in EU personal data protection: The case of technical standards and the privacy by design standardisation ‘mandate’. European Journal of Law and Technology, Vol 8, No 1

Kamara I et al (2015) Raising trust in security products and systems through standardisation and certification: The CRISP approach. ITU Kaleidoscope: Trust in the Information Society (K-2015), IEEE Xplore (2015):1–7

Kosta E, Stuurman K (2016) Technical standards and the draft General Data Protection Regulation. In: Delimatsis P (ed) The law, economics and politics of international standardization. Cambridge University Press, 434–460

Lachaud E (2016) Could the CE Marking Be Relevant to Enforce Privacy by Design in the Internet of Things? In: Gutwirth S et al (eds) Current developments in ICT and Privacy/Data Protection. Springer, Heidelberg

Rannenberg K (2000) IT Security Certification and Criteria. In: Sihan Q (ed) Information Security for Global Information Infrastructures. Kluwer Academic Publishers, Alphen aan den Rijn, 1–10

Rodrigues R, Barnard-Wills D, De Hert P, Papakonstantinou V (2016) The future of privacy certification in Europe: An exploration of options under article 42 of the GDPR. International Review of Law, Computers & Technology
Metadata
Title
Data Protection Certification in the EU: Possibilities, Actors and Building Blocks in a Reformed Landscape
Authors
Irene Kamara
Paul De Hert
Copyright year
2018
DOI
https://doi.org/10.1007/978-94-6265-228-6_2