Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of GDPR
Section 4.1 Role for Member States
30. Article 43 (1) requires Member States to ensure that certification bodies are accredited, but allows each Member State to determine who should be responsible for conducting the assessment leading to accreditation. On the basis of Article 43 (1), three options are available; accreditation is conducted:
(1) solely by the supervisory authority, on the basis of its own requirements;
(2) solely by the national accreditation body named in accordance with Regulation (EC) 765/2008 and on the basis of ISO/IEC 17065/2012 and with additional requirements established by the competent supervisory authority; or
(3) by both the supervisory authority and the national accreditation body (and in accordance with all requirements listed in option (2) above).
31. It is for the individual Member State to decide whether the national accreditation body, the supervisory authority, or both together will carry out these accreditation activities, but in any case it should ensure that adequate resources are provided.