Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of GDPR

SECTION 3  INTERPRETATION OF ‘ACCREDITATION’ FOR THE PURPOSES OF ARTICLE 43 OF THE GDPR

19. The GDPR does not define ‘accreditation’. Article 2 (10) of Regulation (EC) No 765/2008, which lays down general requirements for accreditations, defines accreditation as (see 20) :

20. “an attestation by a national accreditation body that a conformity assessment body meets the requirements set by harmonised standards and, where applicable, any additional requirements including those set out in relevant sectoral  schemes,  to carry out a specific conformity assessment activity “

21. Pursuant to ISO/IEC 17011:

22. “accreditation refers to third-party attestation related to a conformity assessment body conveying formal demonstration of its competence to carry out specific conformity assessment tasks.”

23. Article 43(1) provides:

24. “Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, certification bodies which have an appropriate level of expertise in relation to data protection shall, after informing the supervisory authority in order to allow it to exercise its powers pursuant to point (h) of Article 58 (2) where necessary, issue and renew certification. Member States shall ensure that those certification bodies are accredited by one or both of the following:

(a) the supervisory authority which is competent pursuant to Article 55 or 56;

(b) the national accreditation body named in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council in accordance with ISO/IEC 17065/2012 and with the additional requirements established by the supervisory authority which is competent pursuant to Article 55 or 56.”

25. In respect of the GDPR, the accreditation requirements will be guided by:

• ISO/IEC 17065/2012 and the ‘additional requirements’ established by the supervisory authority which is competent in accordance with Article 43 (1)(b), when the accreditation is carried out by the national accreditation body and by the supervisory authority, when it carries out the accreditation itself.

26. In both cases the consolidated requirements must cover the requirements mentioned in Article 43(2).

27. The EDPB acknowledges that the purpose of accreditation is to provide an authoritative statement of the competence of a body to perform certification (conformity assessment activities). Accreditation interms of the GDPR shall be understood to mean the following:

28. an attestation by a national accreditation body and/or by a supervisory authority, that a certification body14is qualified to carry out certification pursuant to Article 42 and 43 GDPR, taking into accountISO/IEC 17065/2012 and the additional requirements established by the supervisory authorityand or by the Board.