Europrivacy: ICT Legal Consulting assists Aindo, first certified company in Italy

ICT-Insider-Europrivacy

Authors: Eleonora Margherita Auletta, Antonio Landi, Andrea Strippoli, Miriam Andrea Fadda

Since the General Data Protection Regulation (EU) 2016/679 (“GDPR”) came into force, compliance with data protection regulations has become a central requirement for companies operating within the European Union, not least because of the legal and financial risks that data controllers and data processors cannot ignore.

Article 42 of the GDPR establishes certification mechanisms, seals, and marks for personal data protection, through which data controllers and data processors can benefit from the attestation of an independent third party to demonstrate the compliance of their processing operations for accountability purposes.

Overview of the Europrivacy™® Certification

Europrivacy™® has been developed on the basis of ISO/IEC 17065 and Article 42 of the GDPR and it is managed by the European Centre for Certification and Privacy (ECCP). Europrivacy™® is a pan-European certification scheme designed to assess, document, certify, and evaluate – based on its criteria – compliance with the GDPR and complementary data protection regulations by data controllers and data processors in relation to specific data processing activities.

This set of criteria has been approved by the European Data Protection Board (“EDPB”) to serve as a European seal (under Article 42(5) of the GDPR). It is also recognized by 30 countries: all EU and European Economic Area (EEA) Member States.

Specifically, the Europrivacy™® Certification Scheme allows data controllers and data processors to:

  • Verify and document their compliance with the GDPR and complementary data protection regulations.
  • Reduce legal, financial, and reputational risks.
  • Certify, validate, and benefit from compliance with European and national regulations (based on the controls outlined in the NOCAR – National Obligations Conformity Assessment Report) on personal data protection.

Europrivacy™® certifications are issued by qualified Certification Bodies with adequate legal and technical expertise, using a combination of methodologies (e.g., document review, sample analysis, technical testing, and interviews).

The Certification Process

From a procedural point of view, obtaining and maintaining certification involves a series of steps that can be summarized as follows:

    1. Identification of the Target of Evaluation (ToE), i.e., the data processing activity to be certified.
    2. Preparation and documentation of the compliance with Europrivacy™® criteria through the completion of dedicated Checklists aimed at evaluating:
      • Compliance with the GDPR core criteria.
      • Compliance with domain-specific and technology-specific obligations that may apply to the Target of Evaluation (ToE).
      • Adequacy of measures in place to secure the processed data.
      • Compliance with any complementary national obligations.
    3. Certification of the compliance of the data processing by a Certification Body authorized by the ECCP and duly accredited by the competent national authority.
    4. Once certification is obtained, maintenance of the compliance requirements through annual surveillance audits.

Aindo: Leading in Obtaining the Europrivacy™® Certification in the Healthcare Sector

In July 2024, Aindo became the first company in Italy to obtain the Europrivacy™® certification for processing activities related to data synthesis in the healthcare sector through the Aindo Synthetic Data Platform.

The certification has demonstrated the compliance of the synthetic data generation process with the GDPR and complementary national data protection regulations. In the healthcare landscape, this achievement demonstrates Aindo’s commitment to innovation in medical and pharmaceutical research, leading to new diagnostic and pharmacological knowledge for the treatment of specific diseases or the identification of risk factors by leveraging the potential of Artificial Intelligence.

Stakeholders in the Certification Process and ICT Legal Consulting’s Role as Implementer

The certification process involved various stakeholders at different stages, including:

    • Aindo as the Applicant, i.e., the legal entity seeking certification for its data processing activities to demonstrate their compliance with the GDPR. To begin this process, the Applicant must initially meet the following requirements:
      1. Comply with the GDPR and applicable national regulations based on its location.
      2. Have a DPO and a Record of Processing Activities.
      3. Prepare and document compliance with Europrivacy™® criteria.

In the certification process, the Applicant itself (and not the Certification Body) is responsible for meeting the certification requirements. Legal compliance remains the sole and exclusive responsibility of the Applicant, which must ensure that the certified processing fully complies with the requirements of the Certification Scheme and, more generally, with all applicable data protection regulations.

    • The Accreditation Body, specifically Accredia, which operates under an agreement with the Italian Data Protection Authority and is responsible for verifying the impartiality, competence, and adequacy of the Certification Body.
    • The Certification Body accredited under Article 43 of the GDPR, namely DNV, which – as the Auditor – delivered the certificate and will be responsible for renewing it based on verification results and for ensuring that it is managed correctly.

In the preparation phase and during the certification process, Aindo was supported by ICT Legal Consulting as a Europrivacy™® Implementer. This technical support role is reserved exclusively for qualified experts who have successfully passed a dedicated exam. It focuses on identifying any potential gaps and residual non-compliance issues based on Europrivacy™® criteria that the Applicant must address to obtain the certification.

From a professional perspective, the Implementer role can be fulfilled by law firms, consulting firms, or even DPOs who support the Applicant during the preparatory phase and throughout the certification process, ensuring continuous compliance with data protection regulations. Such consulting firms must, in turn, ensure and demonstrate that their professionals have adequate knowledge and understanding of the Europrivacy™® Certification Scheme rules and requirements. The main goal of consulting firms is to reduce legal and financial risks to the Applicant.

Obtaining Europrivacy™® Certification: A Symbol of Market Trustworthiness

Finally, it is important to emphasize that obtaining the Europrivacy™® Certification allows the Applicant to demonstrate the compliance level of its processing activities with the GDPR and local regulations, thus strengthening its reputation and trust among stakeholders. Once obtained and issued, the certificate is registered and published in the Official Certificate Register and can be used for communication purposes.

Europrivacy™®, under the supervision of an International Board of Experts, ensures continuous updates to align with the evolving regulations and case law in data protection.

ICTLC Italy
italy@ictlegalconsulting.com