Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of GDPR
Section 7.3 Application Review
In addition to item 7.3 of ISO/IEC 17065/2012, it should be required that
1 binding evaluation methods with respect to the Target of Evaluation (ToE) shall be laid down in the certification agreement;
2 the assessment in 7.3(e) of whether there is sufficient expertise takes into account both technical and legal expertise in data protection to an appropriate extent.