Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of GDPR
Section 4.3 The role of the national accreditation body
34. Article 43(1)(b) provides that the national accreditation body will accredit certification bodies in accordance with ISO/IEC 17065/2012 and the additional requirements established by the competent supervisory authority.
35. For clarity, the EDPB notes that the specific reference to ‘point (b) of paragraph 1’ in Article 43(3) implies that ‘those requirements’ points to the ‘additional requirements’ established by the competent supervisory authority under Article 43(1)(b) and the requirements set out in Article 43(2).
36. In the process of accreditation, the national accreditation bodies shall apply the additional requirements to be provided by the supervisory authorities.
37. A certification body with existing accreditation on the basis of ISO/IEC 17065/2012 for non-GDPR related certification schemes that wishes to extend the scope of its accreditation to cover certification issued in accordance with the GDPR will need to meet the additional requirements established by the supervisory authority if accreditation is handled by the national accreditation body. If accreditation for certification under the GDPR is only offered by the competent supervisory authority, a certification body applying for accreditation will have to meet the requirements set by the respective supervisory authority.