Guidelines 01/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR

Section 2.1  Supervisory Authority as certification body

22. Where a supervisory authority chooses to conduct certification, it will have to carefully assess its role with respect to its assigned tasks under the GDPR. Its role should be transparent in the exercise of its functions. It will need to give consideration specifically to the separation of powers relating to investigations and enforcement in order to avoid any potential conflicts of interest.

23. When acting as a certification body a supervisory authority will have to ensure the proper set up of a certification mechanism and develop its own or adopt certification criteria. In addition, every supervisory authority which issues certifications has the task to periodically review them (Article 57(1)(o)) and the power to withdraw them where the requirements for certification are not or no longer met (Article 58(2)(h)). To meet these requirements, it is useful to set up a certification procedure and process requirements, and, if not stipulated otherwise e.g. by national law, put in place a legally enforceable agreement for the provision of certification activities with the individual applicant organisation. It should be ensured that this certification agreement requires the applicant to comply at least with the certification criteria including necessary arrangements to conduct the evaluation, monitoring adherence to the criteria, and periodic review including access to information and/or premises, documentation and publication of reports and results, and investigation of complaints. Further, it is expected that a supervisory authority will follow the requirements in the guidelines for accreditation of certification bodies in addition to the requirements pursuant to Article 43(2).