Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of GDPR
Section 4.5 Supervisory authority acting as certification body
42. Article 42(5) provides that a supervisory authority may issue certifications, but the GDPR does not require it to be accredited to meet the requirements under Regulation (EC) 765/2008. The EDPB notes that Article 43(1)(a) and specifically Article 58(2)(h) and 58(3)(a), (e)-(f) empower supervisory authorities to perform both accreditation and certification, and at the same time provide advice, and, where applicable, withdraw certifications, or order certification bodies to not issue certifications.
43. There may be situations where the separation of accreditation and certification roles and duties is appropriate or required, for example, if a supervisory authority and other certification bodies co-exist in a Member State and both issue the same range of certifications. Supervisory authorities should therefore take sufficient organisational measures to separate the tasks under the GDPR to anchor and facilitate certification mechanisms while taking precautions to avoid conflicts of interest that may arise from these tasks. Additionally, Member States and supervisory authorities should keep in mind the harmonised European level when formulating national law and procedures relating to accreditation and certification in accordance with the GDPR.