Skip to content
Guidance · EDPB ·132026-on-the-draft-decision-of-the-office-of-the EN LLM context A cited markdown file you can paste into your AI assistant (ChatGPT, Claude, a RAG or project knowledge base) to ground it in this document. Contains: this document’s text, its sections with their topics, and the full text of every law provision it applies. Everything links back to its source on overview.legal — legal information, not advice.

Opinion 13/2026 on the draft decision of the Office of the Data Protection Ombudsman (FI SA) regarding the approval of the requirement for accreditation of a certification body pursuant to Article 43(3) GDPR

Summary

Opinion 13 /2026 on the draft decision of the Office of the Data Protection Ombudsman (FI SA) regarding the approval of the requirement for accreditation of a certification body pursuant to Article 43(3) GDPR Adopted on 15 April 2026 1 | Adopted 2 | Adopted The European Data Protection Board has adopted the following statement: Having regard to Article 43(3), 63, Article 64 (1)(c) and Article 64(3) - (8) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016…

How it connects

Full text 55 sections

Paragraphs carrying a topic or an applied provision show those connections inline Original at the source →
¶0

15 April 2026 1 | Adopted 2 | Adopted The European Data Protection Board has adopted the following statement: Having regard to Article 43(3), 63, Article 64 (1)(c) and Article 64(3) - (8) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), Having regard to the Agreement on the European Economic Area (EEA) and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018,

¶1

Having regard to Article 10 and Article 22 of its Rules of Procedure , Whereas: 1 The main role of the EDPB is to ensure the consistent application of the GDPR throughout the EEA . In compliance with Article 64(1) GDPR, the EDPB shall issue an opinion where a supervisory authority ( “ SA ” ) intends to approve the requirements for the accreditation of certification bodies pursuant to Article 43. The aim of this opinion is to create a harmonised approach with regard to the requirements that a SA or the n ational a ccreditation b ody (“NAB”) will apply for the accreditation of a certification body. Even though the GDPR does not impose a single set of requirements for accreditation, it does promote consistency. The EDPB seeks to achieve thi s objective in its opinions firstly by encouraging SAs to draft their requirements for accreditation following the structure set out in the Annex to the EDPB Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679) (“ the Guidelines”) 2 , and, secondly by analysing them using a template provided by EDPB allowing the benchmarking of the requirements , guided by EN - ISO/IEC 17065 : 2012 , Conformity assessment – Requirements for bodies certifying products, processes and services ( EN - ISO/IEC 17065 : 2012 ) and the Guidelines .

¶2

With reference to Article 43 GDPR, the competent SAs must adopt accreditation requirements. They must , however, apply the consistency mechanism in order to allow generation of trust in the certification mechanism, in particular by setting a high level of requirements.

¶3

While requirements for accreditation are subject to the consistency mechanism, this does not mean that the requirements should be identical. The competent SAs have a margin of discretion with regard to the national or regional context and should take into account their national legislation. The aim of the EDPB opinion is not to reach a single set of requirements for the entire EEA, but rather to avoid significant inconsistencies that may affect trust in the independence or expertise of accredited certificat ion bodies .

¶4

The Guidelines and Guidelines 1/2018 on certification and identifying certification criteria in accordance with article 42 and 43 of the Regulation 2016/679 3 will serve as a guiding thread in the context of the consistency mechanism.

¶5

If a Member State stipulates that the certification bodies are to be accredited by the SA , the SA should establish accreditation requirements including, but not limited to, the requirements 1 References to “Member States” made throughout this document should be understood as references to “EEA Member States”. 2 Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation ( Version 3.0, 04.06.2019 ) . 3 Guidelines 1/2018 1/2018 on certification and identifying certification criteria in accordance with article 42 and 43 of the Regulation 2016/679 ( Version 3.0, 04.06.2019 ) . 3 | Adopted detailed in Article 43(2) GDPR . In comparison to the obligations relating to the accreditation of certification bodies by NABs , Article 43 GDPR provides fewer details about the requirements for accreditation when a SA conducts the accreditation itself. In the interests of contributing to a harmonised approach to accreditation, the accreditation requirements used by the SA should be guided by EN - ISO/IEC 17065 : 2012 and should be complemented by the additional requirements a SA establishes pursuant to Article 43(1)(b) GDPR . The EDPB notes that Article 43(2)(a) - (e) GDPR reflect and specify requirements of EN - ISO/IEC 17065 : 2012 , which will contribute to consistency. 4

¶6

The opinion of the EDPB shall be adopted pursuant to Article 64(1)(c) and 64 (3) - (8) GDPR in conjunction with Article 10(2) of the EDPB Rules of Procedure within eight weeks from the first working day after the Chair and the competent SA have decided that the file is complete. Upon decision of the Chair, this period may be extended by a further six weeks taking into account the complexity of the subject matter. Has adopted the following Opinion : 1 Summary of facts

¶7

The Finnish Office of the Data Protection Ombudsman (“FI SA”) has submitted draft accreditation requirements (the “Requirements”) , under Article 43(1)(b) GDPR, to the EDPB. The file was deemed complete on 1 April 2026. The Finnish N ational A ccreditation Service (“FINAS”) is the NAB in Finland and will perform accreditation of certification bodies that wish to certify data processing operations in line with certification criteria approved under the GDPR . This means that the NAB will apply EN - ISO/IEC 17065 : 20 12 and the additional requirements decided by the FI SA, following an opinion from the EDPB on the draft requirements, to accredit such certification bodies.

¶8

In compliance with article 10(2) of the EDPB’s Rules of Procedure, due to the complexity of the matter at hand, the Chair decided to extend the initial adoption period of eight weeks by a further six weeks. 2 A ssessment 2.1 General reasoning of the EDPB regarding the submitted draft decision

¶9

The purpose of this opinion is to assess the accreditation requirements d rafted by a SA for the purposes of allowing a NAB or a SA, as per article 43(1) GDPR, to accredit a certification body responsible for issuing and renewing certification in accordance with A rticle 42 GDPR. This is without prejudice to the tasks and powers of the competent SA. In this specific case, the EDPB notes that the Finnish national legislation instructs the NAB to issue accreditation of 4 The Guidelines , para. 39. 4 | Adopted certification bodies pursuant to Article 43 GD PR and the additional requirements to be adopted by the FI SA, 5 following the adoption of this Opinion .

¶10

This assessment of FI SA’s additional accreditation requirements is aimed at examining variations (additions or deletions) from the Guidelines and notably their Annex 1 Furthermore, the EDPB’s Opinion is also focused on all aspects that may impact on a co nsistent approach regarding the accreditation of certification bodies.

¶11

It should be noted that the aim of the Guidelines on accreditation of certification bodies is to assist the SAs wh en d rafting their accreditation requirements. The Guidelines’ Annex does not constitute accreditation requirements as such. Therefore, the accreditation requirements for certification bodies need to be defined by the SA in a way that enables their practical and consis tent application.

¶12

The EDPB acknowledges the fact that given their expertise, freedom of manoeuvre should be given to NABs when defining certain specific provisions within the applicable accreditation requirements. However, the EDPB considers it necessary to stress that, where any additional requirements are established, they should be defined in a way that enables their practical, consistent application and review as required.

¶13

The EDPB notes that EN - ISO /IEC standards, in particular EN - ISO/IEC 17065 : 2012 , are subject to intellectual property rights, and therefore it will not refer to the text of the related document in this Opinion. As a result, the EDPB decided to, where relevant, point towards specific sections of the EN - ISO/IEC 17065 : 2012 , without, however, reproducing the text.

¶14

Finally, the EDPB has conducted its assessment in line with the structure foreseen in Annex 1 to the Guidelines. Where this Opinion remains silent on a specific section of the FI SA’s draft accreditation requirements, it should be read as the EDPB not having any comments and not asking the FI SA to take further action.

¶15

This opinion does not reflect items in the Requirements which are outside the scope of article 43(2) GDPR, such as references to national legislation. The EDPB nevertheless notes that national legislation should be in line with the GDPR, where required.

¶16

This Opinion of the EDPB does not take into account , nor comments on , the guidance included by the FI SA in the text of these draft accreditation requirements.

¶17

The m ain points of focus for the assessment , under Article 43(2) GDPR and Annex 1 of the Guidelines , are that the accreditation requirements provide for the following to be assessed consistently : a. all the key areas of the Guidelines ’ Annex and any deviation from the Annex ; b. independence of the certification body ; c. conflicts of interests of the certification body ; d. expertise of the certification body ; e. appropriate safeguards to ensure GDPR certification criteria is appropriately applied by the certification body ; f. procedures for issuing, periodic review and withdrawal of GDPR certification; and 5 Act on Verifying the Competence of Conformity Assessment Services 920/2005 . 5 | Adopted g. t ransparent handling of complaints about infringements of the certification.

¶18

Taking into account that: a. Article 43(2) GDPR provides a list of conditions that a certification body need s to meet in order to be accredited; b. Article 43(3) GDPR provides that the requirements for accreditation of certification bodies shall be approved by the competent SA ; c. Article 57(1)(p) & (q) GDPR provides that a competent SA must draft and publish the accreditation requirements for certification bodies and may decide to conduct the accreditation of certification bodies itself; d. Article 64(1)(c) GDPR provides that the EDPB shall issue an opinion where a SA intends to approve the accreditation requirements for a certification body pursuant to Article 43(3); e. If accreditation is carried out by the NAB in accordance with EN - ISO/IEC 17065 : 2012 , the additional requirements established by the competent SA must also be applied; f. Annex 1 of the Guidelines includes suggested requirements that a data protection SA shall draft and that apply during the accreditation of a certification body by the NAB ; the EDPB is of the opinion that: 2.2 Prefix

¶19

The EDPB acknowledges the fact that terms of cooperation regulating the relationship between a NAB and a SA are not a requirement for the accreditation of certification bodies per se. However, for reasons of completeness and transparency, the EDPB considers that such terms of cooperation, where existing, should be made public in a format considered appropriate by the SA. 2.3 General remarks

¶20

The EDPB notes that the term “ target of evaluation” is not used consistently throughout the Requirements. To make sure that the use of terminology in the Requirements stays consistent with EN - ISO/IEC 17065 : 2012 , the EDPB encourages to use the term “ target of evaluation” throughout the Requirements where relevant. 6 2.4 General requirements for accreditation 2.4.1 Legal responsibility Item 4.1.1 paras. 2 - 3 of the Requirements

¶21

Under i tem 4.1.1 para. 2 of the Requirements , “ The certification body shall be obliged to inform the accreditation body if it is or has been subject to an investigation or other measure by a data protection supervisory authority in relation to the target of evaluation … “. Under item 4.1.1 para. 3 of the Requirements, “[t he ] certification body shall notify the accreditation body 6 This encouragement applies to p. 7.2 1 st . para. p. 2 and p. 7.4 para. 4. 6 | Adopted of any finding of non - compliance with the GDPR or other data protection legislation by courts, the overseers of legality such as the Office of the Data Protection Ombudsman that concerns the target of evaluation and may affect the accreditation.”

¶22

As the EDPB understands item 4.1.1 paras. 2 - 3 of the Requirements to regulate the certification body’s compliance with the GDPR, the references to the “ target of evaluation” seems to be incorrect. Therefore, the EDPB recommends that the FI SA remove th ese references and instead refer to the processing of personal data within the scope of the certification body’s certification activities . 2.4.2 Certification agreement Item 4.1.2 para. 2 no. 1 of the Requirements

¶23

Under i tem 4.1. 2 para. 2 no. 1 of the Requirements, the EDPB recommends replac ing “the Office of the Data Protection Ombudsman” with “any competent supervisory authority” to make it clear that the written certification agreement or the issuance of a certificate does not affect the tasks or powers of any competent supervisory authority (not just of the FI SA). 2.4.3 Management of impartiality Item 4.2 para. 2 of the Requirements

¶24

Under i tem 4.2 para. 2 of the Requirements, the “ certification body shall confirm that it has no relevant connections with the applicant for certification ”. In this regard, the EDPB encourages the FI SA to specify what type of connections are considered ‘relevant’. Such connections can , for example, be that : a. there are e conomic relationships between the certification body and the applicant that may affect the impartiality of the certification body’s certification activities, b. the certification body belongs to same company group or legal entity as the applicant , c. the applicant can exercise control over the certification body due to legal, contractual or factual circumstances , or, d. the certification body and the applicant are in a controller - processor relationship .

¶25

The relevant connections can be included either in the enacting terms of the Requirements, or given as guidance. 2.4.4 Liability and financing Item 4.3 of the Requirements

¶26

Under i tem 4.3 of the Requirements, certification bodies are required to ensure that they have appropriate measures in place to cover liabilit ies in the geographical regions in which they operate. The EDPB notes that it might vary how the territorial scope of legal obligations is designated in different legal systems. If appropriate for the Finnish legal system, the EDPB encourages the FI SA to include a reference to ‘jurisdictions’ in item 4.3 of the Requirements , to ensure that this requirement has a suff icient territorial coverage. 7 | Adopted 2.4.5 Organisational structure and top management Item 5. 1 of the Requirements

¶27

Under i tem 5.1 of the Requirements, “the certification body shall designate a contact person .” However, it is not clear whether the purpose of this contact point is for the benefit of competent SAs, clients or accreditation bodies. Therefore, the EDPB encourages the FI SA to clarify the purpose of the contact person. 2.4.6 Mechanisms for safeguarding impartiality Item 5.2 of the Requirements

¶28

Under i tem 5.2 of the Requirements, “ the certification body shall demonstrate to the accreditation body that it is independent in accordance with Article 43 (2) (a) and (e) of the GDPR and shall provide evidence that its duties and tasks do not lead to a conflict of interest . ” This requirement does not seem to add any substantive obligations for the certification body, in addition to what already follows from p. 5.2 of EN - ISO/IEC 17065 : 2012 . Therefore, the EDPB encourages the FI SA to either add substantive obligations to item 5.2 or to remove this requirement. 2.5 Resource requirements 2.5.1 Personnel of the certification body Item 6.1 para. 2 no . 1 of the Requirements

¶29

Under i tem 6.1 para. 2 no . 1 of the Requirements, personnel with technical expertise can show as evidence of expertise that they have obtained an EQF level 6 degree in i nformation t echnology , c omputer s cience or m athematics from a Finnish or foreign university . In this regard, t he EDPB recommends that the FI SA change the term ” foreign university” to ” university in another EEA member state” , to differentiate between universities within and outside the EEA. Along these lines , the EDPB recommends that the FI SA change the term ” foreign university” in the last sentence of i tem 6.1 para. 2 no . 1 of the Requirements to ” university outside the EEA” . Item 6.1 para. 3 no . 1 of the Requirements

¶30

Under item 6.1 para. 3 no of the Requirements, personnel with legal expertise can show as evidence of expertise that they have obtained a master’s degree in law from an EU or state - recognised university. Following the approach in p. 23 above, the EDPB recommends the FI SA to change this requirement to include universities in the EEA and not just the EU . The EDPB also recommends chang ing the term ” state - recognised university” to ” university outside the EEA recognised by the state” . 8 | Adopted 2.6 Process requirements 2.6.1 General Item 7. 1 para. 1 no . 2 of the Requirements

¶31

Under item 7. 1 para. 1 no. 2 of the Requirements, “ the accreditation body shall : notify the relevant competent data protection authority before the certification body starts operating or offering an approved European data protection seal in a new Member State from a satellite office” . The EDPB understands that this requirement to notify should be placed on the certification body and not the accreditation body. The EDPB therefore recommends that item 7. 1 para. 1 no. 2 is amended so that the accreditation body must “ e nsure that the certification body notifies …”. 2.6.2 Application Item 7.2 para. 1 no . 2 of the Requirements

¶32

Under item 7.2 para. 1 p. 2 of the Requirements, the application must include a specification of whether processors are used and a descri ption of responsibilities and tasks if the applicant is a processor . Concerning this requirement, the EDPB recommends includ ing an obligation for the applicant to include any controller - processor agreements that the applicant has entered into, within the scope of the target of evaluation . 2.6.3 Evaluation Item 7.4 para . 1 of the Requirements

¶33

Under item 7.4 para. 1 of the Requirements, “ the certification body shall describe in its certification mechanisms sufficient evaluation methods to assess whether the processing activities comply with the certification criteria; including e.g. the following where applicable ”.

¶34

The use of both “including”, “e.g.” and “where applicable” in the same sentence is very unclear. For example, if the intention of the FI SA is to make the numbered points under paragraph 1 an exhaustive or inexhaustive list of requirements, “e.g.” should be replaced by “but not limited to”. Therefore, the EDPB encourages the FI SA to clarify this requirement .

¶35

It seems that the use of the term “certification mechanisms” would not be accurate for certification activities where a certification body applies a certification mechanism operated by another certification scheme owner. Therefore, t he EDPB encourages the FI SA to remove the words “ describe in its certification mechanisms” with “ ensure that it has ” , to also cover situations where a certification body applies a certification mechanism operated by another certification scheme owner. Item 7.4 para. 5 of the Requirements

¶36

Under i tem 7.4 para. 5 of the Requirements, “ certification body shall have access to all necessary information in order to issue certification ”. This requirement seems to duplicate the obligation relating to the certification agreement, under item 4.1.2 p ara . 2 of the Requirements. To avoid duplication of requirements on the same subject - matter, the EDPB encourages the FI SA to remove item 7.4 para. 5 of the Requirements . 9 | Adopted Item 7. 5 para. 1 no. 2 of the Requirements

¶37

Under i tem 7.5 para. 1 no. 2 , the certification body shall “ confirm that the person designated to assess the information and conclusions referred to in paragraph 1 above was not (directly or indirectly) involved in the conformity assessment.” This requirement appears to duplicate the requirement of p. 7.5.1 of EN - ISO/IEC 17065 : 2012 . The EDPB therefore encourages the FI SA to either remove this requirement or further specify the requirement over and above what is already required by p. 7.5.1 of EN - ISO/IEC 17 065 : 2012 . 2.6.4 Certification documentation Item 7.7 para. 1 and para. 4 no. 1

¶38

Under item 7.7 para. 1, “the name of the target of evaluation (including similar designations or versions thereof) shall be indicated.” Under item 7.7 para . 4 no. 1, the certification body shall “identify, designate and clearly describe in the certification documents the target of the certification” . It appears that the essence and purpose of these two requirements is identical, but the wording of both is either unclear or not complete , as item 7.7 para. 1 does not specify who is required to fulfil the requirement and item 7.7 par a. 4 no. 2 does not include the wording contained in the Guidelines. In any event, the EDPB understands that the intention of the FI SA is to further specify p. 7.7.1.f of EN - ISO/IEC 17065 : 2012 , in line with the Guidelines.

¶39

The EDPB therefore recommends that the FI SA delete item 7.7 para. 1 and add further wording to item 7.7 para. 4 no. 1 , so that it reads “…identify, designate and clearly describe the target of evaluation (including similar designations or versions thereof) in the certification documentation”. 2.6.5 Directory of certified products Item 7.8 para. 5 of the Requirements

¶40

I tem 7.8 para. 5 of the Requirements states that “once a certificate has been issued, a copy of the certificate shall be issued to” the FI SA. However due to the use of passive language, it is not clear who needs to fulfil this requirement. Therefore, the EDPB encourages the FI SA to use active language and specify that it is the certification body that must fulfil this requirement. 2.6.6 Changes affecting certification Item 7.10 para. 1 no. 1 of the Requirements

¶41

Under item 7.10 para. 1 no. 1 of the Requirements, the certification body shall consider if infringements or personal data breaches established by the FI SA affect the certification . The Board is of the opinion that certification bodies shall consider if infringements or personal data breaches established by any competent SA affect the certification. Therefore, the Board recommends that the words “the Office of the Data Protection Om budsman” is replaced by “any competent supervisory authority”. 10 | Adopted Item 7.10 para. 1 no . 6 of the Requirements

¶42

Under item 7.10 para. 1 no. 6 of the Requirements, the certification body shall consider if court rulings on the protection of personal data affect the certification . In relation to this requirement, the EDPB encourages the FI SA to specify which court rulings are relevant , for example rulings of the C J EU, the EFTA court, the ECtHR or national courts of the EEA member states. Item 7.10 para. 1 no. 7 of the Requirements

¶43

Under item 7.10 para. 1 no. 7 of the Requirements, the certification body shall , when assessing changes affecting certification, take into account “technical and organisational developments, where technological developments have been taken into account in the issuance of a certificate.” In relation to this requirement, the EDPB encourages the FI SA to change this wording so that it reads “the state of the art of technical and organisational measures, where this was taken into account when issuing the certif icate.” 2.6.7 Termination, reduction, suspension or revocation of certification Item 7.11 para. 3 of the Requirements

¶44

The EDPB understands that item 7.11 para. 3 of the Requirements require s a Finnish certification body to deem that a certified entity does not or no longer fulfils the conditions for certification if: (i) the FI SA or a court finds that the certified entity has committed a serious breach of the GDPR or other legislation on the protection of personal data; or (ii) the certified entity has suffered a significant personal data breach.

¶45

Item 7.10 para. 1 p. 1 of the Requirements already requires certification bodies to consider infringements of data protection law as well as data breaches in relation to the ToE. In this regard, the explanatory note to p oint 7.10.2 of EN ISO/IEC 17065:2012 explains that changes “ affecting certification can include new information related to the fulfilment of certification requirements obtained by the certification body after certification has been established .” Accordingly, a certification body can find tha t a change of circumstances can lead to non - compliance with certification criteria. Since infringements of data protection law or data breaches would need to be assessed by the certification body under Item 7.10 para. 1 p. 1 of the Requirements, it seems that item 7.11 para. 3 of the Requirement is superfluous in so far as that requirement covers the ToE.

¶46

However , item 7.11 para. 3 of the Requirements is not limited to the ToE as it appl ies to all serious infringements of data protection law and significant data breaches. Regarding this , t he EDPB questions if it would be consistent with EN ISO/IEC 17065:2012 for a certification body to adopt a decision on non - conformity due to changes that do not relate to n or affect the ToE ( i.e. the processing operations that were evaluated or reviewed by the certification body ) . This is because a certification body should only consider what is within the scope of the certificate and not anything beyond that. While an infringement of data protection law or a data breach can affect the ToE, this might not always be the case. If a n infringement or data breach would not affect the ToE, it would be outside the scope of the certification body’s oversight to consider it . 11 | Adopted

¶47

For these reasons, the EDPB finds that item 7.11 para. 3 of the Requirements might lead to an inconsistent application of the accreditation requirements imposed on certification bodies in different Member States. Therefore, the EDPB recommends that the FI SA t remove item 7.11 para. 3 of the Requirements. 2.6.8 Complaints and appeals, Article 43(2)(d) GDPR Item 7.13 para. 6 of the Requirements

¶48

Item 7.13 para. 6 of the Requirements appears to duplicate the requirement in item 7.13 para. 1 no. 5. The EDPB therefore encourages the FI SA to delete item 7.13 para. 6. 3 Recommendations

¶49

The draft accreditation requirements of the FI SA may lead to an inconsistent application of the accreditation of certification bodies and the following changes need to be made .

¶50

Regarding ‘general requirements for accreditation’, the EDPB recommends that the FI SA: a. R emove references to the “target of evaluation” and instead refer to the processing of personal data within the scope of the certification body’s certification activities in item 4.1.1 paragraphs 2 - 3; and b. Replace “the Office of the Data Protection Ombudsman” with “any competent supervisory authority” in item 4.1.2 paragraph 2 no. 1.

¶51

Regarding ‘resource requirements’, the EDPB recommends that the FI SA: a. Replace the term “foreign university” with “university outside the EEA” in the last sentence of item 6.1 paragraph 2 no. 1; and b. Replace the term “state - recognised university” with “university outside the EEA recognised by the state” in item 6.1 paragraph 3.

¶52

Regarding ‘process requirements’, the EDPB recommends that the FI SA: a. A mend i tem 7.1 paragraph 1 no. 2 so that the accreditation body must “ensure that the certification body notifies… ” , to ensure that the requirement to n otify is placed on the certification body rather than the accreditation body; b. Include an obligation of the applicant to include in their application for certification any controller - processor agreements that the applicant has entered into within the scope of the target of evaluation in of item 7.2 paragraph 1 no. 2; c. Delete paragraph 1 of item 7.7 and adds further wording to of item 7.7 paragraph 4 no. 1 so that it reads “…identify, designate and clearly describe the target of evaluation (including similar designations or versions thereof) in the certification document ation”; d. Replace the words “the Office of the Data Protection Ombudsman” with “any competent supervisory authority” in item 7.10 paragraph 1 no. 1; and e. Delete item 7.11 paragraph 3. 12 | Adopted 4 Final remarks

¶53

This opinion is addressed to the FI SA and will be made public pursuant to Article 64(5)(b) GDPR.

¶54

According to Article 64(7) and (8) GDPR, the SA shall communicate to the Chair by electronic means within two weeks after receiving the opinion, whether it will amend or maintain its draft decision. Within the same period, it shall provide the amended draft decision or where it does not intend to follo w the opinion of the EDPB , it shall provide the relevant grounds for which it does not intend to follow this opinion, in whole or in part. The SA shall communicate the final decision to the EDPB for inclusion in the register of decisions which have been su bject to the consistency mechanism, in accordance with article 70(1)(y) GDPR. For the European Data Protection Board The Chair Anu Talus

Similar Content