Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of GDPR
SECTION ANNEX 1
Annex 1 provides guidance for the specification of "additional" accreditation requirements with respect to ISO/IEC 17065:2012 and in accordance with Articles 43(1)(b) and 43(3) GDPR. This Annex sets out suggested requirements that a data protection supervisory authority shall draft and that apply during the accreditation of a certification body by the National Accreditation Body or by the competent supervisory authority. These additional requirements are to be communicated to the European Data Protection Board before approval, pursuant to Article 64(1)(c) GDPR. This Annex should be read in conjunction with ISO/IEC 17065:2012; the section numbers used here correspond to those used in that standard. Where supervisory authorities perform accreditation themselves pursuant to Article 43(1)(a), good practice would be to follow the same approach where practical, as this supports harmonised accreditation across the EU. Notwithstanding the following guidance, or the absence of guidance on any item of ISO/IEC 17065:2012, the competent supervisory authority can formulate further additional requirements concerning these items where national law permits.