Guidelines 01/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR

Paragraph 4.2.3  Role of accreditation

43. As noted in 4.2.1, when criteria are identified as being suitable for common certification, and have been approved as such by the Board pursuant to Article 42(5), then certification bodies may be accredited to conduct certification under these criteria at Union level.

44. Schemes that are intended only to be offered only in particular Member States will not be candidates of EU Seals. Accreditation for the scope of a European Data Protection Seal will require accreditation in the Member State of the headquarters of the certification body intending to operate the scheme, i.e. responsible for issuing certifications and managing the certification activities of its entities and subsidiaries in other Member States. Where other establishments or offices manage and perform certifications autonomously, each of these establishments or offices will require separate accreditation in the Member State where they are based. In other words, accreditation is necessary only in the Member State of the headquarters of the certification body when only the headquarters issue the certificates. By contrast, when other establishments of the certification body also issue certificates, these establishments need to be accredited as well.

45. Consequently, if a certification body has not been accredited to certify under the European Data Protection Seal, then the EDPB approved criteria cannot be used and the Seal cannot be offered.