Accreditation of certification bodies under Article 43 GDPR
Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of GDPR
Section 6.1 Certification body personnel
The accreditation body shall in addition to the requirement in section 6 ISO/IEC 17065/2012 ensure for each certification body that its personnel:
6.1.1 has demonstrated appropriate and ongoing expertise (knowledge and experience) with regard to data protection pursuant to Article 43(1);
6.1.2 has independence and ongoing expertise with regard to the object of certification pursuant to Article 43(2)(a) and does not have a conflict of interest pursuant to Article 43(2)(e);
6.1.3 undertakes to respect the criteria referred to in Article 42(5) pursuant to Article 43(2)(b);
6.1.4 has relevant and appropriate knowledge about and experience in applying data protection legislation;
6.1.5 has relevant and appropriate knowledge about and experience in technical and organisational data protection measures as relevant;
6.1.6 is able to demonstrate experience in the fields mentioned in the additional requirements 6.1.1, 6.1.4 and 6.1.5, specifically:
For personnel with technical expertise:
Have obtained a qualification in a relevant area of technical expertise to at least EQF level 6 or a recognised protected title (e.g. Dipl. Ing.) in the relevant regulated profession or have significant professional experience.
Personnel responsible for certification decisions require significant professional experience in identifying and implementing data protection measures.
Personnel responsible for evaluations require professional experience in technical data protection and knowledge and experience in comparable procedures (e.g. certifications/audits), and be registered as applicable.
Personnel shall demonstrate they maintain domain specific knowledge in technical and audit skills through continuous professional development.
For personnel with legal expertise:
Legal studies at an EU or state-recognised university for at least eight semesters including the academic degree Master (LL.M.) or equivalent, or significant professional experience.
Personnel responsible for certification decisions shall demonstrate significant professional experience in data protection law and be registered as required by the Member State.
Personnel responsible for evaluations shall demonstrate at least two years of professional experience in data protection law and knowledge and experience in comparable procedures (e.g. certifications/audits), and when required by the Member State be registered.