Guidelines 01/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR
Section 4.1 Approval of criteria by the competent supervisory authority
33. Certification criteria must be approved by the competent supervisory authority prior or during the accreditation process for a certification body. Approval is also required for updated or additional schemes or sets of criteria under ISO 17065 by the same certification body, prior to their use of the amended certification mechanisms (Articles 42(5) and 43(2)(b)). Supervisory authorities shall treat all requests for approval of certification criteria in a fair and non-discriminatory way, according to a publicly available procedure specifying the general conditions to be met and the description of the approval process.
34. A certification body can only issue certification in a particular Member State in accordance with the criteria approved by the supervisory authority in that Member State. In other words, certification criteria need to be approved by the competent supervisory authority where the certification body aims to offer certification and obtains the accreditation. See the section below for European wide certification schemes.