Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of GDPR

Section 7.4  Evaluation

In addition to item 7.4 of ISO/IEC 17065/2012, certification mechanisms shall describe sufficient evaluation methods for assessing the compliance of the processing operation(s) with the certification criteria, including for example where applicable:

• 1 a method for assessing the necessity and proportionality of processing operations in relation to their purpose and the data subjects concerned;

• 2 a method for evaluating the coverage, composition and assessment of all risks considered by controller and processor with regard to the legal consequences pursuant to Articles 30, 32 and 35 and 36 GDPR, and with regard to the definition of technical and organisational measures pursuantto Articles 24, 25 and 32 GDPR, insofar as the aforementioned Articles apply to the object of certification, and

• 3 a method for assessing the remedies, including guarantees, safeguards and procedures to ensure the protection of personal data in the context of the processing to be attributed to the object of certification and to demonstrate that the legal requirements as set out in the criteria are met; and

• 4 documentation of methods and findings.

The certification body should be required to ensure that these evaluation methods are standardized and generally applicable. This means that comparable evaluation methods are used for comparable ToEs. Any deviation from this procedure shall be justified bythe certification body.

In addition to item 7.4.2 of ISO/IEC 17065/2012, it should be allowed that the evaluation is carried out by external experts who have been recognized by the certification body.

In addition to item 7.4.5 of ISO/IEC 17065/2012, it should be required that data protection certification in accordance with Articles 42 and 43 GDPR, which already covers part of the object of certification, may be included in a current certification. However, it will not be sufficient to completely replace (partial) evaluations. The certification body shall be obliged to check the compliance with the criteria. Recognition shall in any way require the availability of a complete evaluation report or information enabling an evaluation of the previous certification activity and its results. A certification statement or similar certification certificates should not be considered sufficient to replace a report.

In addition to item 7.4.6 of ISO/IEC 17065/2012, it should be required that the certification body shall set out in detail in its certification mechanism how the information required in item 7.4.6 informs the customer (certification applicant) about nonconformities from a certification mechanism. In this context, at least the nature and timing of such information should be defined.

In addition to item 7.4.9 of ISO/IEC 17065/2012, it should be required that documentation be made fully accessible to the data protection supervisory authority upon request