Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of GDPR
Section 7.4 Evaluation
In addition to item 7.4 of ISO/IEC 17065/2012, certification mechanisms shall describe sufficient evaluation methods for assessing the compliance of the processing operation(s) with the certification criteria, including for example where applicable:
1 a method for assessing the necessity and proportionality of processing operations in relation to their purpose and the data subjects concerned;
2 a method for evaluating the coverage, composition and assessment of all risks considered by controller and processor with regard to the legal consequences pursuant to Articles 30, 32 and 35 and 36 GDPR, and with regard to the definition of technical and organisational measures pursuantto Articles 24, 25 and 32 GDPR, insofar as the aforementioned Articles apply to the object of certification, and
3 a method for assessing the remedies, including guarantees, safeguards and procedures to ensure the protection of personal data in the context of the processing to be attributed to the object of certification and to demonstrate that the legal requirements as set out in the criteria are met; and
4 documentation of methods and findings.