Accreditation of certification bodies under Article 43 GDPR
Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of GDPR
SECTION 3 INTERPRETATION OF ‘ACCREDITATION’ FOR THE PURPOSES OF ARTICLE 43 OF THE GDPR
19. The GDPR does not define ‘accreditation’. Article 2 (10) of Regulation (EC) No 765/2008, which lays down general requirements for accreditations, defines accreditation as (see 20):
20. “an attestation by a national accreditation body that a conformity assessment body meets the requirements set by harmonised standards and, where applicable, any additional requirements including those set out in relevant sectoral schemes, to carry out a specific conformity assessment activity”
21. Pursuant to ISO/IEC 17011:
22. “accreditation refers to third-party attestation related to a conformity assessment body conveying formal demonstration of its competence to carry out specific conformity assessment tasks.”
23. Article 43(1) provides:
24. “Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, certification bodies which have an appropriate level of expertise in relation to data protection shall, after informing the supervisory authority in order to allow it to exercise its powers pursuant to point (h) of Article 58 (2) where necessary, issue and renew certification. Member States shall ensure that those certification bodies are accredited by one or both of the following:
(a) the supervisory authority which is competent pursuant to Article 55 or 56;
(b) the national accreditation body named in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council in accordance with ISO/IEC 17065/2012 and with the additional requirements established by the supervisory authority which is competent pursuant to Article 55 or 56.”
25. In respect of the GDPR, the accreditation requirements will be guided by:
- ISO/IEC 17065/2012 and the ‘additional requirements’ established by the supervisory authority which is competent in accordance with Article 43 (1)(b), when the accreditation is carried out by the national accreditation body, and by the supervisory authority, when it carries out the accreditation itself.