Guidelines 01/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR
SECTION 2 THE ROLE OF THE SUPERVISORY AUTHORITIES
20. Article 42(5) provides that certification shall be issued by an accredited certification body or by a competent supervisory authority. The GDPR does not make the issuance of certifications a mandatory task of the supervisory authorities. Instead, the GDPR allows for a number of different models. For example, a supervisory authority may decide for one or more of the following options:
issue certification itself, in respect of its own certification scheme;
issue certification itself, in respect of its own certification scheme, but delegate whole or part of the assessment process to third parties;
create its own certification scheme, and entrust certification bodies with the certification procedure which issue the certification; and
encourage the market to develop certification mechanisms.