Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of GDPR

Section 6.1  Certification body personnel

The accreditation body shall in addition to the requirement in section 6 ISO/IEC 17065/2012 ensure for each certification body that its personnel:

1 has demonstrated appropriate and ongoing expertise (knowledge and experience) with regard to data protection pursuant to Article 43(1);

2 has independence and ongoing expertise with regard to the object of certification pursuant to Article 43(2)(a) and do not have a conflict of interest pursuant to Article 43(2)(e);

3 undertakes to respect the criteria referred to in Article 42(5) pursuant to Article 43(2)(b);

4 has relevant and appropriate knowledge about and experience in applying data protection legislation;

5 has relevant and appropriate knowledge about and experience in technical and organisational data protection measures as relevant.

6  is able to demonstrate experience in the fields mentioned in the additional requirements 6.1.1, 6.1.4, and 6.1.5, specifically

For personnel with technical expertise:

• Have obtained a qualification in a relevant area of technical expertise to at least EQF level 6 or a recognised protected title (e.g. Dipl. Ing.) in the relevant regulated profession or have significant professional experience.

• Personnel responsible for certification decisions require significant professional experience in identifying and implementing data protection measures.

• Personnel responsible for evaluations require professional experience in technical data protection and knowledge and experience in comparable procedure (e.g. certifications/audits), and registered as applicable.

Personnel shall demonstrate they maintain domain specific knowledge in technical and audit skills through continuous professional development.

For personnel with legal expertise:

• Legal studies at a EU or state-recognised university for at least eight semesters including the academic degree Master (LL.M.) or equivalent, or significant professional experience.

• Personnel responsible for certification decisions shall demonstrate significant professional experience in data protection lawand be registered as required by the Member State.

• Personnel responsible for evaluations shall demonstrate at least two years of professional experience in data protection law and knowledge and experience in comparable procedures (e.g. certifications/audits), and when required by the Member State be registered.

Personnel shall demonstrate they maintain domain specific knowledge in technical and audit skills through continuous professional development.