Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of GDPR
Section 4.4 The role of the supervisory authority
38. The EDPB notes that Article 57(1)(q) provides that the supervisory authority shall conduct the accreditation of a certification body pursuant to Article 43 as a ‘supervisory authority task’ pursuant to Article 57, and Article 58(3)(e) provides that the supervisory authority has the authorisation and advisory power to accredit certification bodies pursuant to Article 43. The wording of Article 43(1) provides some flexibility, and the supervisory authority’s accreditation function should be read as a task only where appropriate. Member State law may be used to clarify this point. Yet, in the process of accreditation by a national accreditation body, the certification body is required by Article 43(2)(a) to demonstrate its independence and expertise to the satisfaction of the competent supervisory authority in relation to the subject-matter of the certification mechanism it offers.
39. If a Member State stipulates that the certification bodies are to be accredited by the supervisory authority, the supervisory authority should establish accreditation requirements including, but not limited to, the requirements detailed in Article 43(2). In comparison to the obligations relating to the accreditation of certification bodies by national accreditation bodies, Article 43 provides less instruction about the requirements for accreditation when the supervisory authority conducts the accreditation itself. In the interests of contributing to a harmonised approach to accreditation, the accreditation criteria used by the supervisory authority should be guided by ISO/IEC 17065 and should be complemented by the additional requirements a supervisory authority establishes pursuant to Article 43(1)(b). The EDPB notes that Article 43(2)(a)-(e) reflect and specify requirements of ISO/IEC 17065, which will contribute to consistency.
40. If a Member State stipulates that the certification bodies are to be accredited by the national accreditation bodies, the supervisory authority should establish additional requirements complementing the existing accreditation conventions envisaged in Regulation (EC) 765/2008 (where Articles 3-14 relate to the organisation and operation of accreditation of conformity assessment bodies) and the technical rules that describe the methods and procedures of the certification bodies. In light of this, Regulation (EC) 765/2008 provides further guidance: Article 2(10) defines accreditation and refers to ‘harmonized standards’ and ‘any additional requirements including those set out in relevant sectoral schemes’. It follows that the additional requirements established by the supervisory authority should include specific requirements and be focused on facilitating the assessment, amongst others, of the independence and level of data protection expertise of certification bodies, for example, their ability to evaluate and certify personal data processing operations by controllers and processors pursuant to Article 42(1). This includes the competence required for sectoral schemes, and with regard to the protection of the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. The annex to these guidelines can help inform competent supervisory authorities when establishing the ‘additional requirements’ in accordance with Articles 43(1)(b) and 43(3).
41. Article 43(6) provides that “[t]he requirements referred to in paragraph 3 of this Article and the certification criteria referred to in Article 42(5) shall be made public by the supervisory authority in an easily accessible form”. Therefore, to ensure transparency, all criteria and requirements approved by a supervisory authority shall be published. In terms of quality and trust in the certification bodies, it would be desirable if all the requirements for accreditation were readily available to the public.