Guidelines 01/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR
SECTION 7 GENERAL OBLIGATIONS OF CONTROLLERS AND PROCESSORS
a. Do the criteria require proof of contractual agreements between processors and controllers?
b. Are controller-processor agreements subject to evaluation?
c. Do the criteria reflect the obligations of the controller pursuant to Chapter IV?
d. Do the criteria require proof of review and updating of technical and organisational measures implemented by the controller pursuant to Article 24(1)?
e. Do the criteria check that the organisation has assessed whether a Data Protection Officer (DPO) should be appointed as required by Article 37? Where relevant, does the DPO meet the requirements under Articles 37 to 39?
f. Do the criteria check that records of processing activities are required in accordance with Article 30(5) and appropriately address Article 30 requirements?