Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of GDPR
Paragraph 4.1.1 Legal responsibility
A certification body should be able to demonstrate (at all times) to the NAB or CSA that it has up-to-date procedures that demonstrate compliance with the legal responsibilities set out in the terms of accreditation, including the additional requirements in respect of the application of Regulation 2016/679/EC. Note that, as the certification body is a data controller/processor itself, it shall be able to demonstrate evidence of Regulation 2016/679/EC compliant procedures and measures specifically for the controlling and handling of client organisation’s personal data as part of the certification process.
The CSA may decide to add further requirements and procedures to check certification bodies’ GDPR compliance prior to accreditation.