Guidelines 01/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR
SECTION 1 INTRODUCTION
Annex 2 provides guidance for review and assessment of certification criteria pursuant to Article 42(5). It identifies topics that a data protection supervisory authority and the EDPB will consider and apply for the purpose of approval of certification criteria of a certification mechanism. The questions should be considered by certification bodies and scheme owners who wish to draft and present criteria for approval. The list is not exhaustive, but presents the minimum topics to be considered. Not all questions will be applicable; however, they should be considered when drafting criteria and reasoning may be needed to explain why criteria do not cover specific aspects. Some questions are repeated, as they are from different perspectives. This guidance should be considered in accordance with the legal requirements provided by the GDPR and, where applicable, by national legislation.