Accreditation of certification bodies under Article 43 GDPR
Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of GDPR
Section 6.1 Certification body personnel
The accreditation body shall in addition to the requirement in section 6 ISO/IEC 17065/2012 ensure for each certification body that its personnel:
1 has demonstrated appropriate and ongoing expertise (knowledge and experience) with regard to data protection pursuant to Article 43(1);
2 has independence and ongoing expertise with regard to the object of certification pursuant to Article 43(2)(a) and does not have a conflict of interest pursuant to Article 43(2)(e);
3 undertakes to respect the criteria referred to in Article 42(5) pursuant to Article 43(2)(b);
4 has relevant and appropriate knowledge about and experience in applying data protection legislation;
5 has relevant and appropriate knowledge about and experience in technical and organisational data protection measures as relevant;
6 is able to demonstrate experience in the fields mentioned in the additional requirements 6.1.1, 6.1.4, and 6.1.5, specifically
For personnel with technical expertise:
- Have obtained a qualification in a relevant area of technical expertise to at least EQF level 6 or a recognised protected title (e.g. Dipl. Ing.) in the relevant regulated profession, or have significant professional experience.
- Personnel responsible for certification decisions require significant professional experience in identifying and implementing data protection measures.
- Personnel responsible for evaluations require professional experience in technical data protection and knowledge and experience in comparable procedures (e.g. certifications/audits), and be registered as applicable.
Personnel shall demonstrate that they maintain domain-specific knowledge in technical and audit skills through continuous professional development.
For personnel with legal expertise:
- Legal studies at an EU or state-recognised university for at least eight semesters including the academic degree Master (LL.M.) or equivalent, or significant professional experience.
- Personnel responsible for certification decisions shall demonstrate significant professional experience in data protection law and be registered as required by the Member State.
- Personnel responsible for evaluations shall demonstrate at least two years of professional experience in data protection law and knowledge and experience in comparable procedures (e.g. certifications/audits), and be registered when required by the Member State.