Skip to content
Guidance · EDPB ·102024-on-the-draft-decision-of-the-competent EN LLM context A cited markdown file you can paste into your AI assistant (ChatGPT, Claude, a RAG or project knowledge base) to ground it in this document. Contains: this document’s text, its sections with their topics, and the full text of every law provision it applies. Everything links back to its source on overview.legal — legal information, not advice.

Opinion 10/2024 on the draft decision of the competent supervisory authority of Sweden regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR)

Summary

1 Adopted Opinion 10 / 2024 on the draft decision of the competent supervisory authority of Sweden regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) Adopted on 23 May 2024 2 Adopted Table of c ontents 1 Summary of the Facts ................................ ................................ ................................ ..................... 4 2 Assessment ................................ ................................…

How it connects

Full text 58 sections

Paragraphs carrying a topic or an applied provision show those connections inline Original at the source →
¶1

Adopted Opinion 10 / 2024 on the draft decision of the competent supervisory authority of Sweden regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) Adopted on 23 May 2024

¶2

Adopted Table of c ontents 1 Summary of the Facts ................................ ................................ ................................ ..................... 4 2 Assessment ................................ ................................ ................................ ................................ ..... 4

¶2.1

General reasoning of the EDPB regarding the submitted draft decision ................................ 4

¶2.2

Main points of focus for the assessment (art. 43.2 GDPR and Annex 1 to the EDPB Guidelines) that the accreditation requirements provide for the following to be assessed consistently: ........... 5

¶2.2.1

PREFIX ................................ ................................ ................................ .............................. 6

¶2.2.2

GENERAL REMARKS ................................ ................................ ................................ ......... 6

¶2.2.3

GENERAL REQUIREMENTS FOR ACCREDITATION ................................ ............................ 7

¶2.2.4

RESOURCE REQUIREMENTS ................................ ................................ ............................. 8

¶2.2.5

PROCESS REQUIREMENTS ................................ ................................ ................................ 9

¶2.2.6

MANAGEMENT SYSTEM REQUIREMENTS ................................ ................................ ..... 10

¶3

Conclusions / Recommendations ................................ ................................ ................................ . 11

¶4

Final Remarks ................................ ................................ ................................ ................................ 13 3 Adopted The European Data Protection Board Having rega rd to Article 63, Article 64 (1c ), (3) - (8) and Article 43 (3 ) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repe aling Directive 95/46/EC (here after “GDPR”), Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018, 1 Having regard to Article 10 and 22 of its Rules of Procedure of 25 May 2018, Whereas: (1) The main role of the Board is to ensure the consistent application of the Regulation 2016/679 (hereafter GDPR) throughout the European Economic Area . In compliance with Article 64 ( 1 ) GDPR, the Board shall issue an opinion where a supervisory authority (SA) intends to approve the requirements for the accreditation of certification bodies pursuant to Article 43. The aim of this opinion is therefore to create a harmonised approach with regard to the requirements that a data protection supervisory authority or the National Accreditation Body will apply for the accreditation of a certification body. Even though the GDPR does not impose a single set of requirements for accreditation , it does promote consistency. The Board seeks to achieve this objective in its opi nions firstly by encouraging SAs to draft their requirements for accreditation following the structure set out in the Annex to the EDPB Guidelines on accreditation of certification bodies , and , secondly by analysing them using a template provided by EDPB allowing the benchmarking of the requirements (guided by ISO 17065 and the EDPB guidelines on accreditation of certification bodies). (2) With reference to Article 43 GDPR, the competent supervisory authorities shall adopt accreditation requirements . They shall, however, apply the consistency mechanism in order to allow generation of trust in the certification mechanism , in particular by setting a high level of requirements . (3) While requirements for accreditation are subject to the consistency mechanism, t his does not mean that the requirements should be identical . The competent supervisory authorities have a margin of discretion with regard to the national or regional context and should take into account their local legislation. The aim of the EDPB opinion is not to reach a single EU set of requirement s but rather to avoid significant inconsistencies that may affect , for instance trust in the independence or expertise of acc redited certification bodies . (4) The “Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679)” (hereinafter the “Guidelines”) , and “Guidelines 1/2018 on certification and identifying certification criteria in accordance with article 42 and 43 of the Regulation 2016/679” will serve as a guiding thread in the context of the consistency mechanism. (5) I f a Member State stipulates that the certification bodies are to be accredited by the supervisory authority, the supervisory authority should establish accreditation requirements including, but not 1 References to the “Union” made throughout this opinion should be understood as references to “EEA”. 4 Adopted limited to , the requirements detailed in Article 43 (2). In comparison to the obligations relating to the accreditation of certification bodies by national accreditation bodies, Article 43 provides fewer details about the requirements for accreditation when the supervisory authority conducts the accreditation itself. In the interests of contributing to a harmonised approach to accreditation, the accreditation requirements used by the supervisory authority should be guided by ISO/IEC 17065 and should be comp lemented by the additional requirements a supervisory authority establishes pursuant to Article 43 (1)(b). The EDPB notes that Article 43 (2)(a) - (e) reflect and specify requirements of ISO 17065 which will contribute to consistency. 2 (6) The opinion of the EDPB shall be adopted pursuant to Article 64 (1)(c), (3) & (8) GDPR in conjunction with Article 10 (2) of the EDPB Rules of Procedure within eight weeks from the first working day after the Chair and the competent supervisory authori ty have decided that the file is complete. Upon decision of the Chair, this period may be extended by a further six weeks taking into account the complexity of the subject matter. HAS ADOPTED THE OPINION: 1 SUMMARY OF THE FACTS 1 The Swedish Supervisory Authority (hereinafter “ SE SA”) has submitted its draft accreditation requirements under Article 43 (1)(b) to the EDPB. The file was deemed complete on 11 March 2024 . The SE national accreditation body (NAB) will perform accreditation of certification bodies to certify using GDPR certification criteria. This means that the NAB will use ISO 17065 and the additional requirements set up by the SE SA , once they are approved by the SE SA, following an opinion from the Board on the draft requirements, to accredit certification bodies . 2 In compliance with article 10 (2) of the Board Rules of Procedure, due to the complexity of the matter at hand, the Chair decided to extend the initial adoption period of eight weeks by a further six weeks . 2 ASSESSMENT 2.1 General reasoning of the EDPB regarding the submitted draft decision 3 The purpose of this opinion is t o a ssess the accreditation requirements developed by a SA, either in relation to ISO 17065 or a full set of requirements , for th e purposes of allowing a national accreditation body or a SA , as per article 43 (1) GDPR, to accredit a certification body responsible for issuing and renewing certification in accordance with article 42 GDPR . This is without prejudice to the tasks and powers of the competent SA. In this specific case, the Board notes that the S wedish national legislation instructs the NAB to issue accreditation of certification bodies pursuant to Article 43 GDPR, 3 having put 2 Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation , par. 39 Available at: https://edpb.europa.eu/our - work - tools/our - documents/retningslinjer/guidelines - 42018 - accreditation - certification - bodies en 3 Swedish Regulation 2018:219, para. 4 with complementary provisions to the GDPR (förordning med kompletterande bestämmelser till EU:s dataskyddsförordning).

¶5

Adopted togethe r r additional requirements in accordance with the Guidelines, which should be used by the NAB when issuing accreditation. 4 This assessment of SE SA’s additional accreditation requirements is aimed at examining on variations (additions or deletions) from the Guidelines and notably the ir Annex 1 . Furthermore, the EDPB’s Opinion is also focused on all aspects that may impact on a consistent approach regarding the accreditation of certification bodies. 5 It should be noted that the aim of the Guidelines on accreditation of certification bodies is to assist the SAs while defining their accreditation requirements. The Guidelines’ Annex does not constitute accreditation requirements as such. Therefore, the ac creditation requirements for certification bodies need to be defined by the SA in a way that enables their practical and consistent application as required by the SA’s context.

¶6

T he Board acknowledges the fact that, given their expertise, freedom of manoeuvre should be given to NABs when defining certain specific provisions within the applicable accreditation requirements . However , the Board considers it necessary to stress that, where any additional requirements are established, they should be defined in a way that enables their practical, consistent application and review as required.

¶7

The Board notes that ISO standards, in particular ISO 17065, are subject to intellectual property rights, and therefore it will not make reference to the text of the related document in this Opinion. As a result, the Board decided to, where relevant, point towards specific sections of the ISO Standard, without, however, reproducing the text .

¶8

Finally, the Board has conducted its assessment in line with the structure foreseen in An nex 1 to the Guidelines (hereinafter “Annex”) . Where this Opinion remain s silent on a specific section of the SE SA ’s draft accreditation requirements , it should be read as the Boar d not having any comments and not asking the SE SA to take further action.

¶9

This opinion does not reflect upon items submitted by the SE SA, which are outside the scope of article 43 (2) GDPR, such as references to national legislation. The Board nevertheless notes that national legislation should be in line with the GDPR, where required.

¶10

This Opinion of the Board does not take into account nor comments on the guidance included by the SE SA in the text of these draft accreditation requirements. 2.2 Main p oint s of focus for the assessment (art. 43.2 GDPR and Annex 1 to the EDPB G uidelines) that the accreditation requirements provide for the following to be assessed consistently: a. addressing all the key areas as highlighted in the Guidelines Annex and considering any deviation from the Annex. b. i ndependence of the certification body c. conflicts of interests of the certification body d. e xpertise of the certification body 6 Adopted e. appropriate safeguards to ensure GDPR certification criteria is appropriately applied by the certification body f. procedures for issuing, periodic review and withdrawal of GDPR certification; and g. t ransparent handling of complaints about infringements of the certification .

¶11

Taking into account that: a. Article 43 (2) GDPR provides a list of accreditation areas that a certification body need to address in order to be accredited; b. Article 43 (3) GDPR provides that the requirements for accreditation of certification bodies shall be approved by the competent Supervisory Authority ; c. Article 57 (1) (p) & (q) GDPR provides that a competent supervisory authority must draft and publish the accreditation requirements for certification bodies and may decide to conduct the accreditation of certification bodies itself ; d. Article 64 (1) (c) GDPR provides that the Board shall issue an opinion where a supervisory authority intends to approve the accreditation requirements for a certification body pursuant to Article 43(3) ; e. If accreditation is carried out by the national accreditation body in accordance with ISO/IEC 17065/2012, the additional requirements established by the competent supervisory authority must also be applied ; f. Annex 1 of the Guidelines on Accreditation of Certification foresee s suggested requirements that a data protection supervisory authority shall draft and that apply during the accreditation of a certification body by the National Accreditation Body ; the Board is of the opinion that: 2.2.1 PREFIX

¶12

The Board acknowledges the fact that t erms of cooperation regulating the relationship between a National Accreditation Body and its data pro tection supervisory authority are not a requirement for the accreditation of certification bodies per se . However, for reasons of completeness and transparency, the Board considers that such terms of cooperation, where existing, shall be made public in a format considered appropriate by the SA. 2.2.2 GENERAL REMARKS

¶13

The Board notices that the SE SA in their draft accreditation requirements name the Annex as “additional and supplemental requirements for accreditation of certification bodies”. The Board encourages the SE SA to clarify the difference between “supplementa l” and “additional” requirements within the text of the requirements for better readability. 7 Adopted

¶14

The Board notices that there is only one term defined in SE SA’s draft accreditation requirements (i.e. applicant). For better readability of the requirements, the Board encourages the SE SA to include a list of terms and definitions including the following: • Accreditation; • Certification; • Accreditation body; • Certification body; • Certification criteria; • Competent supervisory authority; • Client; • EDPB Guidelines on accreditation; • Target of evaluation.

¶15

In the same vein, the Board encourages the SE SA to replace the term “requirements” with the term “certification criteria” in section 4.6 (a) of the draft accreditation requirements and use such term consisten tl y throughout the requirements for accuracy purposes. 2.2.3 GENERAL REQUIREMENTS FOR ACCREDITATION

¶16

The Board notes in section 4.1.1.1 on “compliance with the GDPR” of the draft requirements, that the SE SA refers to the obligation of the certification body to have carried out a risk analysis and, where required an impact assessment. It is not entirely clear for the Board what these terms shall entail . Therefore, for clarity purposes , the Board recommends to clarify both terms in the requirements (e.g. whether the risk analysis is to the rights and freedoms of natural persons and if the referred impact assessment shall mean the data protection impact assessment provided by the GDPR).

¶17

With respect to section 4.1.2.2 of the draft accreditation requirements on the “content of the certification agreement”, the Board notices that one element mentioned in the Guidelines on the content of the certification agreement is missing from the SE SA’s draft accreditation requirements. More precisely, the SE SA’s draft accreditation requirements do not include section 4.1.2, para. 2 of the Guidelines, which concerns the requirement of the applicant to allow for full transparency to the competent superv isory authority regarding the certification procedure, including contractually confidential matters related to data protection pursuant to Article 42 (7) and 58 (1)(c) GDPR . Therefore, the Board recommends the SE SA to modify this requirement accordingly.

¶18

In section 4.1.2.2, the Board notes that the draft accreditation requirements define that the certification agreement shall require the applicant to comply with the requirements of the certification scheme. However, it is not required that the applicant shall also always comply with the criteria approved by the competen t supervisory authority or the EDPB in accordance with Article 43 (2)(b) and Article 42 (5) GDPR in line with sec tion 4.1.2 para graph 1 of the EDPB G uidelines . The Board recommends the SE SA to modify this requirement accordingly.

¶19

Similarly, the Board recommends the SE SA to include in the same section that the certification agreement shall include the obligation of the applicant to inform the certification body “in the event 8 Adopted of significant changes in its actual or legal situation and its products, processes and services concerned by the certification” in order to bring this draft requirement in line with the section 4.1.2 para. 10 of the Guidelines.

¶20

The Board notes that in section 4.1.2.2 (e) the SE SA refers to GDPR or “ supplementary legislations of the GDPR breaches that may affect the validity of the certificate ” . For clarity purposes, the Board encourages the SE SA to replace the “supplementary legislation of the GDPR” with “national laws”.

¶21

Furthermore, regarding section 4.1.2.3 on “information for the applicant” the Board recommends the SE SA to add in this section of the draft accreditation requirements, that the information to be provided to the applicant shall be documented in the certifi cation agreement.

¶22

In the same section, the Board notices that the draft accreditation requirements do not include section 4.1.2.3 paragraph 3 of the Guidelines , stating that the certification agreement shall not reduce the responsibility of the applicant for compliance with Regulation 2016/679/EC and is without prejudice to the tasks and powers of the supervisory authorities which are competent in line with Articl e 42 (5) GDPR . Along the same lines, the Board recommends the SE SA to modify this draft requirement to bring it line with the Guidelines.

¶23

With respect to section 4.2.3 of the SE SA’s accreditation requirements, the Board welcomes the explanations provided by the SE SA on how the impartiality of the certification body shall be ensured. However , and considering that the SE SA makes a reference to the conflict of interest in section 7.1 of the draft requirements , the Board recommends the SE SA to add to this draft requirement that the certification body’s “obligations and tasks do not lead to a conflict of interest pursuant to Article 43 (2)(e)” , to ensure consistency with the section 4.2 para. 1 of the Guidelines.

¶24

The Board welcomes in section 4.2.3(b) of the draft accreditation requirements on the management of impartiality of the certification body the reference to the fact that the “certification body may not be in a processor relationship with the applicant”. For completeness purposes, the Board recommends the SE SA to include in this require ment that the certification body may also not be in a joint - controller relationship with the applicant.

¶25

In section 4.2.3 of the draft accreditation requirements , the SE SA states that “ The certification body shall demonstrate the relationships, including financial relations that it has, or has had, with the applicant, in addition to the relationship arising from the application for certification ” . T he Board recommends the SE SA to modify this draft requirement, bringing it in line with the Guidelines, by adding that the certification body shall provide evidence of its independence in line with Article 43 (2)(a) GDPR and that “ this applies to evidence concerning the financing of the certif ication body in so far as it concerns the assurance of impartiality ” .

¶26

Moreover, in section 4.3.1 of the draft accreditation requirements, the Board recommends the SE SA, with respect to the obligations of the certification body to verify that it has taken all the measures to fulfil its obligations, that these measures are appropriate to cover its liabilities in the geographical regions or jurisdictions in which it operates in line with the section 4.3 of the Guidelines. 2.2.4 RESOURCE REQUIREMENTS

¶27

Regarding section 6.1.1.2 (v) of the SE SA’s draft accreditation requirements on “staff with legal competence” , the Board notices that the draft requirements are not entirely in line with section 6.1 of the Guidelines on the personnel’s knowledge and expertise . In order to ensure consistency , the 9 Adopted Board recommends the SE SA to align to the wording the Guidelines, by adding that the knowledge and expertise ha ve to be relevant and appropriate.

¶28

In the same section, the Board notes that the SE SA’s draft accreditation requirements narrow the applicability of the requirements on the certification body personnel to the staff responsible for evaluations (6.1.2.2 a) and to the personnel responsible for reviews and certification decisions (6.1.2.2 b). However, the certification body shall ensure that all its personnel has the relevant and appropriate competences as listed in para. 6.1 of the Guidelines, including the personnel in charge of making the review of applications . Therefore , the Board recommends the SE SA to align the resource requirements of the Certification body personnel with the section 6.1 of the Guidelines.

¶29

With regards to letter iv on “staff with technical competence” in the same section (6.1.1.2) of the draft accreditation requirements , the Board recommends the SE SA to align the wording of the requirements with the wording of the Guidelines, by adding that the work experience shall be “significant” instead of “sufficient”. Similarly, the Board recommends making the same modification in section 7.3.1 of the requirements .

¶30

With respect to the same section, ( letter b ) of the SE SA’s draft accreditation requirements , the Board notices that a reference is made to the personnel responsible for audits and to the personnel responsible for certification decision s . The Board recommends the SE SA to clarify the difference between “audits” and “ evaluation ” and to consider, if appropriate, replacing the term “audit” with the term “review” for consistency with the ISO standards terms used in section 7.5 .

¶31

Furthermore, in section 6.1.2.1 of the SE SA’s draft accreditation requirements, the Board is of the opinion that th e requirement according to which “the certification body shall take the requirements, set out in p. 7.4.10 below, into account when training personnel” can be perceived as restricting the concept of “continuous personal development” as provided in section 6.1 of the Guidelines. To this purpose, the Board encourages the SE SA to take this into account and redraft the requirement, ensuring that the continuous personal development is not limited to trainings.

¶32

Concerning section 6.2.2 of the SE SA’s draft accreditation requirements, the Board recommends the SE SA to include in the requirements the fact that if sub - contractors are used the certification body will retain the responsibility for the decision - making. 2.2.5 PROCESS REQUIREMENTS

¶33

As regards to section 7.4.6 of the draft requirements, the SE SA mentions that “ In addition to the requirements of point 7.4.6 of ISO/IEC 17065:2012, the certification body shall specify, taking the requirements of the certification scheme into account, when and how the applicant receives information on irregularities”. The Guidelines mention that “at least the nature and timing of such information should be defined ” . Therefore, the Board recommends the SE SA to clarify in the requirements that the term “ho w” includes the definition of the nature of the information.

¶34

With respect to section 7.4.9 of the draft accreditation requirements, the SE SA’s draft accreditation requirements mention that “the certification body shall, at request of IMY or any other SA provide all documentation from the evaluation [...]”. The EDPB Guidelines provide that “In addition to item 7.4.9 of ISO/IEC 17065/2012, it should be required that documentation be made fully accessible to the data protection supervisory authority upon request”. Therefore, the Board recommends the SE SA to bring this requirement in line with the Guidelines, modifying it accordingly. 10 Adopted

¶35

Furthermore, regarding the same section of SE SA’s draft accreditation requirements, it is mentioned that the certification body shall provide all the documentation from the evaluation , “with the exception of information where the disclosure of which may lead to financial harm of the applicant and which is not necessary for the exercise of powers, pursuant to Article 58 GDPR ” . Further, it is mentioned that “ if the certification body does not disclose information, it shall inform IMY, or any other competent authority, as soon as possible and justify its decision ” . The Board highlights that it is not the certification body that shall decide which information shall be provided to the SE SA. The Board thus recommends the SE SA to amend this requirement in order to clarify that the certification body shall send all the necessary information to the SE SA, also in line with the G uidelines, which provide for full accessibility of the documentation of the supervisory authority, upon latter’s request.

¶36

T he Board highlights that in section 7.6.1(b) it is not the certification term “name of certificate” that refers to the name of the certification scheme. Similarly, Board understands that the term “scope of the evaluation” corresponds to the scope of certification, as referred to section 7.8 (a) of the draft accreditation requirements. Thus, the Board encourages the SE SA to reflect these amendmen ts in the accreditation requirements .

¶37

Following, in section 7.7.1 of the draft accreditation requirements the SE SA refers to the fact that the version of the target of evaluation shall be indicated. According to the Guidelines, the certification body shall also provide the name of the target of evaluation. Thus, the Board recommends bringing this requirement in line with the Guidelines.

¶38

In the same section, the Board notices that the maximum period of validity is not indicated. The Board, in order to bring this requirement with the Guidelines, recommends the SE SA to modify this requirement, by including that the certification body shall ensure that the validity period of certifications does not exceed three years.

¶39

In section 7.9.5 of the SE SA’s draft accreditation requirements , the Board encourages the SE SA instead of referring only to the relevant provisions of the ISO standards, to also refer to Article 43 (2)(c), pursuant the relevant section of the Guidelines.

¶40

With respect to section 7.11.1 of the draft accreditation requirements , the Board notes that the SE SA inserted that “the notification shall be as soon as possible at the time of the decision of the certification body and shall indicate the steps that may be taken to obtain the certification again”. The Board is of the view that the notification to the competent supervisory authority shall be sent immediately , instead of as soon as possible, so it recommends the SE SA to strengthen this requirement by redrafting it accordingly in line with the Guidelines. 2.2.6 MANAGEMENT SYSTEM REQUIREMENTS

¶41

Regarding section to 8.1(2) of the draft accreditation requirements, the Board notes that the draft requirement to provide the document related to the implementation of the management principles at any time, and not only during the accreditation procedure, is missing. The Board encourages the SE SA to clarify that the provision of the documents can take place at any time , even after the accreditation is granted.

¶42

According to the Guidelines the certification body must make public permanently and continuously which certifications were carried out on which basis (or certification mechanisms or schemes), how long the certifications are valid under which framework and conditions (recital 100). Therefore , the 11 Adopted Board recommends that the SE SA requires that the management system ensures this , in line with the Annex, section 8, of the Guidelines.

¶43

With respect to section 8.1.2 (letter d) of the SE SA’s draft accreditation requirements , the Board notices that the management of procedures and in particular the fact that, according to the Guidelines (section 9.3.4) “the procedures in the event of suspension or withdrawal of the accreditation shall be integrated into the management system of the certification body, including notifications of customers” is only partially covered by section 8.1. 2 (letter d) of the draft requirements. Similarly, the obligation of the certification body to establish procedures for implementing appropriate proc edures and communication structures between the certification body and its customers is missing from the draft requirements. Therefore, the Board recommends the SE SA to modify the relevant requirement s , and make the necessary additions to bring them in line with the Guidelines. 3 CONCLUSIONS / RECOMMENDATIONS

¶44

The draft accreditation requirements of the Swedish Supervisory Authority may lead to an inconsistent application of the accreditation of certification bodies and the following changes need to be made

¶45

Regarding ‘general requirements for accreditation’, the Board recommends that the SE SA: 1) clarifies in the requirements clarify the terms “risk analysis” and “impact analysis” for clari t y purposes. 2) modifies the requirement 4.1.1.1 by including the obligation of the applicant to allow for full transparency to the competent supervisory authority regarding the certification procedure, including contractually confidential matters related to data protecti on pursuant to Article 42 (7) and 58 (1)(c). 3) modifies criterion 4.1.2.2 in order to include that the applicant shall also always comply with the criteria approved by the competent supervisory authority or the EDPB in accordance with Article 43 (2)(b) and Article 42 (5) GDPR in line with section 4.1.2 paragraph 1 of the EDPB Guidelines. 4) includes in the requirement 4.1.2.2 that the certification agreement shall include the obligation of the applicant to inform the certification body “in the event of significant changes in its actual or legal situation and its products, processes and servic es concerned by the certification”. 5) adds in the requirement 4.1.2.3 the fact that the information to be provided to the applicant shall be documented in the certification agreement. 6) modifies the requirement 4.1.2.3 in order to include that the certification agreement shall not reduce the responsibility of the applicant for compliance with the GDPR and is without prejudice to the tasks and powers of the supervisory authorities which are competent in line with Article 42 (5) GDPR. 7) adds in section 4.2.3 that the certification body’s obligations and tasks do not lead to a conflict of interest pursuant to Article 43 (2)(e). 8) for completeness purposes, adds in section 4.2.3(b) the that the certification body may also not be in a joint - controller relationship with the applicant. 12 Adopted 9) modifies section 4.2.3 in order to add the obligation of the certification body to provide evidence of its independence in line with Article 43 (2)(a) and that “this applies to evidence concerning the financing of the certification body in so far as it concerns the assurance of impartiality. 10) clarifies in section 4.3.1 that with respect to the obligations of the certification body to verify that it has taken all the measures to fulfil its obligations, that these measures are appropriate to cover its liabilities in the geographical regions or jurisdictions in which it operates in line with the section 4.3 of the Guidelines.

¶46

Regarding ‘resource requirements’, the Board recommends that the SE SA: 1) aligns section 6.1.1.2(v) on “staff with legal competence” with the Guidelines, by adding that the knowledge and expertise have to be relevant and appropriate. 2) align s the resource requirements of the c ertification body personnel with the section 6.1 of the Guidelines . 3) adds that the work experience shall be “significant” in section 6.1.1.2 and section 7.3.1, letter iv on “staff with technical competence”. 4) clarifies the difference between “audits” and “evaluation” and considers, if appropriate, replacing the term “audit” with the term “review” for consistency with the ISO standards terms used in section 7.5. 5) includes in section 6.2.2 the fact that if the certification body uses sub - processors, the certification body will retain the responsibility for the decision - making.

¶47

Regarding ‘process requirements’, the Board recommends that the SE SA: 1) clarifies in section 7.4.6 that when referring to the fact that the certification body shall specify “how” the applicant receives information on irregularities, the term “how” includes the definition of the nature of information. 2) modifies section 7.4.9 in order to ensure that the certification body will make fully accessible documentation, only to the SE SA, upon the latter’s request. 3) amends section 7.4.9 in order to clarify that the certification body shall send all the necessary information to the SE SA, without any ex c eptions. 4) amend section 7.7.1 in order to include that also the name of the target of evaluation shall be indicated by the certification body. 5) adds at section 7.7.1 that the certification body shall ensure the validity period of certifications does not exceed three years. 6) modifies the requirement 7.11.1 by indicating the notification to the competent supervisory authority shall be sent immediately, instead of as soon as possible.

¶48

Regarding ‘management system requirements’, the Board recommends that the SE SA: 1) requires that the management system ensures that the certification body must make public permanently and continuously which certifications were carried out on which basis 13 Adopted (or certification mechanisms or schemes), how long the certifications are valid under which framework and conditions (recital 100). 4 FINAL REMARKS

¶49

This opinion is addressed to the Swedish Supervisory Authority and will be made public pursuant to Article 64 (5 )( b) GDPR.

¶50

According to Article 64 (7) and (8) GDPR, the SE SA shall communicate to the Chair by electronic means within two weeks after receiving the opinion, whether it will amend or maintain its draft list. Within the same period, it shall provide the amended draft list or where it does not intend to follow the op inion of the Board, it shall provide the relevant grounds for which it does not intend to follow this opinion, in whole or in part. 51. The SE SA shall communicate the final decision to the Board for inclusion in the register of decisions, which have been subject to the consistency mechanism, in accordance with article 70 (1) (y) GDPR. For the European Data Protection Board The Chair (Anu Talus )

Similar Content