    Privacad GADPPRO Academy

      Accreditation of certification bodies under Article 43 GDPR

      • Categories Blog, Business, Design / Branding, Free Data Protection Resources, Uncategorized
      • Date November 4, 2020

      Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of GDPR

      Section 4.6  Accreditation requirements

      44. The annex to these guidelines provides guidance on how to identify additional accreditation requirements. It identifies the relevant provisions in the GDPR and suggests requirements that supervisory authorities and national accreditation bodies should consider to ensure compliance with the GDPR.

      45. As established above, where certification bodies are accredited by the national accreditation body pursuant to regulation (EC) 765/2008, ISO/IEC 17065/2012 will be the relevant accreditation standard complemented by the additional requirements established by the supervisory authority. Article 43(2) reflects generic provisions of ISO/IEC 17065/2012 in the light of fundamental rights protection under the GDPR. The framework in the annex uses Article 43(2) and ISO/IEC 17065/2012 as a basis for the identification of requirements plus further criteria relating to the assessment of the data protection expertise of certification bodies and their ability to respect the rights and freedoms of natural persons with respect to the processing of personal data as enshrined in the GDPR. The EDPB notes that it is especially focused on ensuring that certification bodies have an appropriate level of data protection expertise in accordance with Article 43(1).

      46. The additional accreditation requirements established by the supervisory authority will apply to all certification bodies requesting accreditation. The accreditation body will evaluate whether that certification body is competent to carry out the certification activity in line with the additional requirements and the subject-matter of certification. There shall be references to the specific sectors or areas of certification for which the certification body is accredited.

      47. The EDPB also notes that special expertise in the field of data protection is required in addition to ISO/IEC 17065/2012 requirements if other, external bodies, such as laboratories or auditors, perform parts or components of certification activities on behalf of an accredited certification body. In these cases, accreditation of these external bodies under the GDPR itself is not possible. However, in order to ensure the suitability of these bodies for their activity on behalf of the accredited certification bodies, it is necessary for the accredited certification body to ensure that the data protection expertise required for the accredited body is also in place and demonstrated with the external body with respect to the relevant activity performed.

      48. The framework for identifying the additional accreditation requirements as presented in the annex to these guidelines does not constitute a procedural manual for the accreditation process performed by the national accreditation body or the supervisory authority. It provides guidance on structure and methodology and thus a toolbox to the supervisory authorities to identify the additional requirements for accreditation.

      Richard V
