Guidelines 01/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR

Paragraph 4.2.1  Application for approval

36. The application for approval of criteria pursuant to Article 42(5) and 70(1)(o), by the EDPB must be submitted through a competent supervisory authority and should state the intention of the scheme owner, candidate or accredited certification body to offer the criteria in a certification mechanism addressing controllers and processors in all Member States. The competent supervisory authority will provide a draft to the EDPB when it considers that the criteria could be approved by the EDPB.

37. The choice of where to submit an application for approval of criteria will be based on the certification scheme owners or the certification bodies headquarters.

38. If a certification body submits an application, it would normally be in the process of applying for accreditation or already accredited by either the competent supervisory authority or the national accreditation body of its Member State. Where the certification body is already accredited for a GDPR certification mechanism, this may help streamline the approvals process.