Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of GDPR
SECTION 2 SCOPE OF THE GUIDELINES
6. These guidelines:
– set out the purpose of accreditation in the context of the GDPR;
– explain the routes that are available to accredit certification bodies in accordance with Article 43 (1), and identify key issues to consider;
– provide a framework for establishing additional accreditation requirements when the accreditation is handled by the national accreditation body; and
– provide a framework for establishing accreditation requirements, when the accreditation is handled by the supervisory authority.
7. The guidelines do not constitute a procedural manual for the accreditation of certification bodies in accordance with the GDPR. They do not develop a new technical standard for the accreditation of certification bodies for the purposes of the GDPR.
8. The guidelines are addressed to:
a Member States, who must ensure that certification bodies are accredited by the supervisory authority and/or the national accreditation body;
b national accreditation bodies that conduct the accreditation of certification bodies under Article 43(1)(b);
c the competent supervisory authority specifying ‘additional requirements’ to those in ISO/IEC 17065:2012 when the accreditation is carried out by the national accreditation body under Article 43(1)(b);
d the EDPB when issuing an opinion on and approving competent supervisory authority accreditation requirements pursuant to Articles 43(3), 70(1)(p) and 64(1)(c);
e the competent supervisory authority specifying the accreditation requirements when accreditation is carried out by the supervisory authority under Article 43(1)(a);
f other stakeholders such as prospective certification bodies or certification scheme owners providing for certification criteria and procedures.
10. The following definitions seek to promote a common understanding of the basic elements of the accreditation process. They should be treated as points of reference and do not claim to be definitive. These definitions are based on existing regulatory frameworks and standards, in particular the relevant provisions of the GDPR and ISO/IEC 17065:2012.
11. For the purposes of these guidelines the following definitions shall apply:
12. ‘accreditation’ of certification bodies: see section 3 on the interpretation of accreditation for the purposes of Article 43 of the GDPR;
13. ‘additional requirements’ shall mean the requirements established by the competent supervisory authority against which an accreditation is performed;
14. ‘certification’ shall mean the assessment and impartial, third-party attestation that the fulfilment of certification criteria has been demonstrated;
15. ‘certification body’ shall mean a third-party conformity assessment body operating a certification mechanism;
16. ‘certification scheme’ shall mean a certification system related to specified products, processes and services to which the same specified requirements, specific rules and procedures apply;
17. ‘criteria’ or ‘certification criteria’ shall mean the criteria against which a certification (conformity assessment) is performed;
18. ‘national accreditation body’ shall mean the sole body in a Member State named in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council that performs accreditation with authority derived from the State.