Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of GDPR
SECTION 1 SCOPE
The scope of ISO/IEC 17065:2012 shall be applied in accordance with the GDPR. The guidelines on accreditation and certification provide further information. The scope of a certification mechanism (for example, certification of cloud service processing operations) should be taken into account in the assessment by the NAB and the competent supervisory authority during the accreditation process, particularly with respect to the criteria, the expertise required and the evaluation methodology. The broad scope of ISO/IEC 17065:2012, which covers products, processes and services, should not lower or override the requirements of the GDPR. For example, a governance mechanism cannot be the only element of a certification mechanism, because the object of certification must include the processing of personal data, i.e. the processing operations themselves. Pursuant to Article 42(1), GDPR certification is applicable only to the processing operations of controllers and processors.