Guidelines 01/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR
Paragraph 1.3.1 Interpretation of “certification”
15. The GDPR does not define “certification”. The International Organization for Standardization (ISO) provides a universal definition of certification as “the provision by an independent body of written assurance (a certificate) that the product, service or system in question meets specific requirements.” Certification is also known as “third party conformity assessment”, and certification bodies can also be referred to as “conformity assessment bodies” (CABs). In EN-ISO/IEC 17000:2004 – Conformity assessment — Vocabulary and general principles (to which ISO/IEC 17065 refers) – certification is defined in the following terms: “third party attestation… related to products, processes, and services”.
16. Attestation is the “issue of a statement, based on a decision following review, that fulfilment of specific requirements has been demonstrated” (section 5.2, ISO/IEC 17000:2004).
17. In the context of certification under Articles 42 and 43 of the GDPR, certification shall refer to third party attestation related to processing operations by controllers and processors.