Guidelines 01/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR
27. A certification body’s role is to issue, review, renew, and withdraw certifications (Article 42(5), (7)) on the basis of a certification mechanism and approved criteria (Article 43(1)). This requires the certification body or a certification scheme owner to determine and set up certification criteria and certification procedures, including procedures for monitoring of adherence, reviewing, handling complaints, and withdrawal. The certification criteria are reviewed as part of the accreditation process, which considers the rules and procedures under which certifications, seals, or marks are issued (Article 43(2)(c)).
28. The existence of a certification mechanism and certification criteria is necessary for the certification body to achieve accreditation under Article 43. What a certification body does is largely determined by the scope and type of the certification criteria, which shape the certification procedures, and vice versa. Specific criteria may, for example, require specific methods of evaluation, such as on-site inspections and code review. These procedures are mandatory for accreditation and are further explained in the guidelines on accreditation.
29. The certification body is required by the GDPR to provide supervisory authorities with information, especially on individual certifications, which is necessary to monitor the application of the certification mechanism (Articles 42(7), 43(5), 58(2)(h)).