Guidelines 01/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR
Section 5.4 Documentation of assessment
63. Certification documentation should be thorough and comprehensive. A lack of documentation means that a proper assessment cannot take place. The essential function of certification documentation is that it provides for transparency in the evaluation process under the certification mechanism. Documentation delivers answers to questions concerning the requirements set out by law. Certification mechanisms should provide for a standardized documentation methodology. Thereafter evaluation will allow comparison of the certification documentation with the actual status on-site and against the certification criteria.
64. Comprehensive documentation of what has been certified and the methodology used serves transparency. Pursuant to Article 43(2)(c), certification mechanisms should establish procedures that allow the review of certifications. In order to allow the supervisory authority to assess whether and to what extent the certification can be acknowledged in formal investigations, detailed documentation may be the most appropriate means to communicate. The documentation produced during evaluation should therefore focus on three main aspects:
consistency and coherence of evaluation methods executed;
evaluation methods directed to demonstrate compliance of the certification object with the certification criteria and thus with the Regulation; and
that the results of evaluation have been validated by an independent and impartial certification body.