Guidelines 01/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR
SECTION 9 RISKS FOR THE RIGHTS AND FREEDOMS OF NATURAL PERSONS
a. Do the criteria allow and require assessing the risk to the rights and freedoms of natural persons?
b. Do the criteria provide or require a recognized risk assessment methodology? If appropriate, is it commensurate?
c. Do the criteria allow and require assessing the impact of the envisaged processing operations for the rights and freedoms of natural persons?
d. Do the criteria require prior consultation concerning the remaining risks that could not be mitigated, based on the results of the Data Protection Impact Assessment (DPIA)?