Opinion 13/2021 on the draft decision of the competent supervisory authority of Romania regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR)
1 Adopted Opinion 13 / 2021 on the draft decision of the competent supervisory authority of Romania regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) Adopted on 23 March 2021 2 Adopted Table of c ontents 1 Summary of the Facts ................................ ................................ ................................ ..................... 4 2 Assessment ................................ ................................…
How it connects
Related across sources
Full text 60 sections
Adopted Opinion 13 / 2021 on the draft decision of the competent supervisory authority of Romania regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) Adopted on 23 March 2021
Adopted Table of c ontents 1 Summary of the Facts ................................ ................................ ................................ ..................... 4 2 Assessment ................................ ................................ ................................ ................................ ..... 4
General reasoning of the EDPB regarding the submitted draft decision ............................... 4
Main points of focus for the assessment (art. 43.2 GDPR and Annex 1 to the EDPB Guidelines) that the accreditation requirements provide for the following to be assessed consistently: ........... 5
PREFIX ................................ ................................ ................................ ............................. 6
GENERAL REMARKS ................................ ................................ ................................ ......... 6
GENERAL REQUIREMENTS FOR ACCREDITATION ................................ ........................... 7
RESOURCE REQUIREMENTS ................................ ................................ ............................ 8
PROCESS REQUIREMENTS ................................ ................................ ............................... 8
FURTHER ADDITIONAL REQUIREMENTS ................................ ................................ ....... 11
Conclusions / Recommendations ................................ ................................ ................................ . 11
Final Remarks ................................ ................................ ................................ ............................... 12 3 Adopted The European Data Protection Board Having rega rd to Article 63, Article 64 (1c ), (3) - (8) and Article 43 (3 ) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repe aling Directive 95/46/EC (here after “GDPR”), Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the D ecision of the EEA joint Committee No 154/2018 of 6 July 2018, 1 Having regard to Article 10 and 22 of its Rules of Procedure of 25 May 2018, Whereas: (1) The main role of the Board is to ensure the consistent application of the Regulation 2016/679 (hereaft er GDPR) throughout the European Economic Area . In compliance with Article 64.1 GDPR, the Board shall issue an opinion where a supervisory authority (SA) intends to approve the requirements for the accreditation of certification bodies pursuant to Article 43. The aim of this opinion is therefore to create a harmonised approach with regard to the requirements that a data protection supervisory authority or the National Accreditation Body will apply for the accreditation of a certification body. Even though t he GDPR does not impose a single set of requirements for accreditation, it does promote consistency. The Board seeks to achieve this objective in its opinions firstly by encouraging SAs to draft their requirements for accreditation following the structure set out in the Annex to the EDPB Guidelines on accreditation of certification bodies, and, secondly by analysing them using a template provided by EDPB allowing the benchmarking of the requirements (guided by ISO 17065 and the EDPB guidelines on accredita tion of certification bodies). (2) With reference to Article 43 GDPR, the competent supervisory authorities shall adopt accreditation requirements . They shall, however, apply the consistency mechanism in order to allow generation of trust in the certifica tion mechanism , in particular by setting a high level of requirements . (3) While requirements for accreditation are subject to the consistency mechanism, t his does not mean that the requirements should be identical . The competent supervisory authorities have a margin of discretion with regard to the national or regional context and should take into account their local legislation. The aim of the EDPB opinion is not to reach a single EU set of requirement s but rather to avoid significant inconsistencies that may affect, for instance trust in the independence or expertise of accredited certification bodies . (4) The “Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Prot ection Regulation (2016/679)” (hereinafter the “Guidelines”) , and “Guidelines 1/2018 on certification and identifying certification criteria in accordance with article 42 and 43 of the Regulation 2016/679” will serve as a guiding thread in the context of the consistency mechanism. (5) If a Member State stipulates that the certification bodies are to be accredited by the supervisory authority, the supervisory authority should establish accreditation requirements including, but not 1 References to the “Union” made throughout this opinion should be understood as references to “EEA”. 4 Adopted limited to, the requireme nts detailed in Article 43(2). In comparison to the obligations relating to the accreditation of certification bodies by national accreditation bodies, Article 43 provides fewer details about the requirements for accreditation when the supervisory authorit y conducts the accreditation itself. In the interests of contributing to a harmonised approach to accreditation, the accreditation requirements used by the supervisory authority should be guided by ISO/IEC 17065 and should be complemented by the additional requirements a supervisory authority establishes pursuant to Article 43(1)(b). The EDPB notes that Article 43(2)(a) - (e) reflect and specify requirements of ISO 17065 which will contribute to consistency. 2 (6) The opinion of the EDPB shall be adopted pursuant to Article 64 (1)(c), (3) & (8) GDPR in conjunction with Article 10 (2) of the EDPB Rules of Procedure within eight weeks from the first working day after the Chair and the competent supervisory authori ty have decided that the file is complete. Upon decision of the Chair, this period may be extended by a further six weeks taking into account the complexity of the subject matter. HAS ADOPTED THE OPINION: 1 SUMMARY OF THE FACTS 1 The Romanian supervisory authority (hereinafter “ RO SA”) has submitted its draft accreditation requirements under Article 43 (1)(b) to the EDPB. The file was deemed complete on 26 January 2021 . The RO national accreditation body (NAB) will perform accreditation of certification bo dies to certify using GDPR certification criteria. This means that the NAB will use ISO 17065 and the additional requirements set up by the RO SA, once they are approved by the RO SA, following an opinion from the Board on the draft requirements, to accred it certification bodies . 2 ASSESSMENT 2.1 General reasoning of the EDPB regarding the submitted draft decision 2 The purpose of this opinion is t o a ssess the accreditation requirements developed by a SA, either in relation to ISO 17065 or a full set of requirements , for th e purposes of allowing a national accreditation body or a SA , as per article 43(1) GDPR, to accredit a certification body responsible for issuing and renewing certification in accordance with article 42 GDPR . This is without prejudice t o the tasks and powers of the competent SA. In this specific case, the Board notes that the RO SA has decided to resort to its national accreditation body (NAB) for the issuance of accreditation , having put together additional requirements in accordance wi th the Guidelines, which should be used by its NAB when issuing accreditation. 3 This assessment of RO SA’s additional accreditation requirements is aimed at examining on variations (additions or deletions) from the Guidelines and notably the ir Annex 1 . Furt hermore, the EDPB’s 2 Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation , par. 39 Available at: https://edpb.europa.eu/our - work - tools/our - documents/ retningslinjer/guidelines - 42018 - accreditation - certification - bodies_en
Adopted Opinion is also focused on all aspects that may impact on a consistent approach regarding the accreditation of certification bodies. 4 It should be noted that the aim of the Guidelines on accreditation of certification bodies is to assis t the SAs while defining their accreditation requirements. The Guidelines’ Annex does not constitute accreditation requirements as such. Therefore, the accreditation requirements for certification bodies need to be defined by the SA in a way that enables t heir practical and consistent application as required by the SA’s context. 5 T he Board acknowledges the fact that, given their expertise, freedom of manoeuvre should be given to NABs when defining certain specific provisions within the applicable accreditat ion requirements. However, the Board considers it necessary to stress that, where any additional requirements are established, they should be defined in a way that enables their practical, consistent application and review as required.
The Board notes that ISO standards, in particular ISO 17065, are subject to intellectual property rights, and therefore it will not make reference to the text of the related document in this Opinion. As a result, the Board decided to, where relevant, point towards specific sections of the ISO Standard, without, however, reproducing the text .
Finally, the Board has conducted its assessment in line with the structure foreseen in An nex 1 to the Guidelines (hereinafter “Annex”) . Where this Opinion remain s silent on a specific section of the RO SA ’s draft accreditation requirements , it should be read as the Boar d not having any comments and not asking the RO SA to take further action.
This opinion does not reflect upon items submitted by the RO SA, which are outside the scope of article 43 (2) GDPR, such as references to national legislation. The Board nevertheless notes that national legislation should be in line with the GDPR, where r equired. 2.2 Main p oint s of focus for the assessment (art. 43.2 GDPR and Annex 1 to the EDPB Guidelines) that the accreditation requirements provide for the following to be assessed consistently: a. addressing all the key areas as highlighted in the Guidelines An nex and considering any deviation from the Annex. b. independence of the certification body c. conflicts of interests of the certification body d. expertise of the certification body e. appropriate safeguards to ensure GDPR certification criteria is appropriately applied by the certification body f. procedures for issuing, periodic review and withdrawal of GDPR certification; and g. transparent handling of complaints about infringements of the certification.
Taking into account that: 6 Adopted a. Article 43 (2) GDPR provides a list of accreditation areas that a certification body need to address in order to be accredited; b. Article 43 (3) GDPR provides that the requirements for accreditation of certification bodies shall be approved by the competent Supervisory Authority ; c. Article 57 ( 1 (p) & (q) GDPR provides that a competent supervisory authority must draft and publish the accreditation requirements for certification bodies and may decide to conduct the accreditation of certification bodies itself ; d. Article 64 (1) (c) GDPR provides th at the Board shall issue an opinion where a supervisory authority intends to approve the accreditation requirements for a certification body pursuant to Article 43(3) ; e. If accreditation is carried out by the national accreditation body in accordance with I SO/IEC 17065/2012, the additional requirements established by the competent supervisory authority must also be applied; f. Annex 1 of the Guidelines on Accreditation of Certification foresee s suggested requirements that a data protection supervisory authorit y shall draft and that apply during the accreditation of a certification body by the National Accreditation Body; the Board is of the opinion that: 2.2.1 PREFIX
The Board acknowledges the fact that terms of cooperation regulating the relationship between a National Accreditation Body and its data protection supervisory authority are not a requirement for the accreditation of certification bodies per se . However, f or reasons of completeness and transparency, the Board considers that such terms of cooperation, where existing, shall be made public in a format considered appropriate by the SA. 2.2.2 GENERAL REMARKS
The Board notes that the RO SA’s draft accreditation requirements do not include a section on the scope. In this regard, the Board considers that at least the relevant elements of the Annex should be added. In particular, it should be clear that GDPR certification is only applicable to processing operations and controllers and processors. In addition, the Board considers that the draft accreditation requirements should clearly state that the GDPR has precedence over ISO/IEC 17065/2012, as stated i n the Annex. The EDPB thus encourages the RO SA to amend the re quirements accordingly.
The Board notes that the requirements should be drafted in a prescriptive manner. Thus, the requirements should avoid the word “should” and rather use “shall” or “must”. The EDPB encourages the RO SA to make the necessary changes i n th is regard (e.g. in section s 4.1.1, 7.4, 7.6, 7.7, 7.8, 7.9, 7.11, 7.12, 7.13 ).
With regard to chapter 3 of the RO SA’s draft accreditation requirements, the Board notes that the reference to the WP 261 guidelines is outdated and should be replaced with a reference to the EDPB guidelines 4/2018 . The Board encourages the RO SA to make such amendment. 7 Adopted
In addition, the Board notes that the use of the terms “client” and “customer” are not clear in the text, especially considering that the definition under t he Annex and under ISO 17065 varies . In addition, some terms used in the requirements should be clarified (e.g. references to “certification subject” or “subject of the certification” and the references to “object of certification” are unclear; references to a “standard” in section 7.7 should clearly indicate it refers to the ISO 17065; the reference to “supervisory activities” in section 7.8 could be replaced by “monitoring” to avoid confusion instead of “monitoring” in section 7.8; the reference to “accre ditation procedure” in section 7.9 should be replaced by “accreditation validity” for the sake of clarity) . Thus, the Board encourages the RO SA to either include a section on definitions or clarify the terms used, and to ensure that clear and consistent wording is used thorough the document (for example, by replacing “opening” by “operating” in section 7.1 paragraph 2 ; amending the reference to “ the object of certification (including the object of certification/tar get of evaluation ” ) in section s 7.2 and 7.7.; replacing “the entire objective already certified” by “the entire object already certified” in the second to last paragraph of section 7. 4; and so on ).
In addition, the Board encourages the RO SA to ensure th at the requirements are drafted in a readable way and duplications or redundancies are avoided . In this regard, the Board notes that , for example, the first sentence of section 5.2 is confusing; the second sentence of section 5.2 is a repetition of ISO 170 65, the third paragraph of section 5.2 would read better if rephrased as “according to Chapters 5.1.1 and 5.2 ” ; the first sentence of the second paragraph in section 7.12 is redundant with the previous paragraph ; the first sentence of the second paragraph in section 7.3 is also redundant and, therefore, both paragraphs could be merged (e.g. the first sentence under section 7.3 could refer to “...binding evaluation methods with respect to the target of evaluation - and taking into account the data protection law applicable to the client - shall be laid down in the certification agreement”); and so on.
The Board notes that the requirements refer several times to “the competent SA”. In order to avoid confusion, and since the competent SA will generally be the RO SA, the Board encourages that such reference is replaced by “the RO SA” in the following sections: 4.1.1, 4.1.2, 4.2, 5.2, 7.1 first indent, 7.6, 7.10, 7.11 and 7.12. 2.2.3 GENERAL REQUIREMENTS FOR ACCREDITATION
The Board notes that point 9 of the section 4.1 .2 of the RO SA’s draft accreditation requirements (“certification agreement”) include the obligation to “ Establish the consequences for the customer of the certification body in the situation where the accreditation of the certification body was suspended or withdrawn and this has an impact on the client ”. In this regard, section 4.1.2 par. 9 of t he Annex e stablishes that the conseque nces for the customer in those cases shall be addressed . The Board understands that the intention of the RO SA is to ensure that the client is aware of the consequences in those situations and of the potential options or actions that can be taken. However, the Board considers that, in order to ensure that certification agreements accurately reflect not only the consequences and impact on the clients, but also the potential further actions, the RO SA’s accreditation requirements should make clear that simply stating the consequences without addressing the potential next steps won’t be sufficient. Thus, the EDPB encourages the RO SA to make clear that the customer should be aware of the consequences, the impact they have on them and the potential next steps th at may be taken.
With respect to section 4. 2 of the RO SA’s draft accreditation requirements ( “Management of impartiality” ) , the Board encourages the RO SA to provide examples of situations where a certification 8 Adopted body has no relevant connection with the c ustomer it assesses. For example, the certification body should not belong to the same company group nor should be controll ed in any way by the customer it assesses .
With regard to the publicly available information (section 4.6 of the RO SA’s draft accred itation requirements), the Board notes that the obligation includes the publication of “Individual incidents”. Based on the explanations provided by the RO SA, the Board understands that the intention is to refer to statistics or other type of anonymised i nformation and encourages the RO SA to clarify the requirement in this line. 2.2.4 RESOURCE REQUIREMENTS
As a general remark, t he Board considers that the expertise requirements for evaluators and decision - makers should be tailored taking into account the different tasks that they perform. In this regard, the Board is of the opinion that evaluators should have a more specialist ex pertise and professional experience in technical procedures (e.g. audits and certifications), whereas decision - makers should have a more general and comprehensive expertise and professional experience in data protection. Considering this, the Board encoura ges the RO SA to redraft this subsection taking into account the different substantive knowledge and/or experience requirements for evalu ators and decision - makers, rather than the years of experience.
With regard to technical and legal personnel responsibl e for decision - making, the Board notes that the documents referred are not suitable to demonstrate the required experience, since they relate to educational aspects. Thus, the EDPB recommends the RO SA to either delete the examples or provide examples that are fitting to the requirement, such as proof of professional experience, previous contracts, attestation by previous employers , etc .
With regard to technical and legal personnel in charge of evaluations, the EDPB notes that the required expertise may be evidenced with a series of documents, attesting the competencies required, “in so far as they are relevant”. Since qualifications attesting the competencies required will always be relevant, the EDPB encourages the RO SA to delete the abovementioned refere nce and to specify that the examples are suitable only to demonstrate the required expertise . 2.2.5 PROCESS REQUIREMENTS
With regard to section 7.1, second indent, of the RO SA’s draft accreditation requirements, the Board notes that the reference to the EU Dat a Protection Seal is not completely aligned with the Annex. In order to provide clarity, the Board encourages the RO SA to amend the requirements by including the reference to operating an approved EU Data protection Seal from a satellite office .
The Board notes that section 7.2 of the RO SA’s draft accreditation requirements (“application”) contains a reference to the controller/processor contract(s) and their specific arrangements. While acknowledging that the RO SA has used the wording of the A nnex, the Board encourages the RO SA to include a reference to joint controllers and their specific arrangements.
The Board notes that section 7.2 of the RO SA ’s draft accreditation requirements specify that “the controller and the processor have the righ t to apply for certification”. The possibility for processors to apply for certification will depend on the specific certification scheme. Therefore, in order to avoid 9 Adopted confusion, the Board encourages the RO SA to delete the reference above or to clarify th at the possibility for processors to be certified will depend on the scope of the certification scheme.
With regard to the second paragraph of section 7.3 (“application review), t he Board encourages the RO SA to replace the reference to section 7.3.1.b of ISO 17065 with section 7.3 of ISO 17065, in order to align the wording with the Annex.
With regard to section 7.4 of the RO SA’s draft accreditation requirements (“evaluation”), the Board notes that it does not include a specific reference to the use of ex ternal experts, as stated in the Annex. This possibility is, however, explicitly recognised in section 7.6 of the draft requirements (certification decision). Since external experts recognised by the certification body may be involved in the evaluation, th e Board encourages the RO SA to include there a specific reference to the use of external experts who have been recognised by the certification body. In addition, t he Board considers that the draft accreditation requirements should explicitly state that th e certification body will retain the responsibility for the decision - making, even when it uses external experts. Theref ore, the Board recommends the RO SA to amend the draft accordingly .
Concerning the sentence “ Recognition shall in any way require the availability of a complete evaluation report or information enabling an evaluation of the previous certification activity and its results”, the Board considers that it would be clearer to refer simply to “certificat ion” rather than “certification activity” and encourages the RO SA to amend the draft accordingly . Moreover, the reference to the “previous certification” could be confusing , since it does not clearly refer to the existing certification the certification b ody wants to take into account as part of its own evaluation. The Board encourages the RO SA to change the wording, in order to clarify that the reference is to the existing certification.
In addition, the Board considers that the rules applicable for the use of existing certifications are unclear, namely the interplay between the different certifications, the type of certifications accepted and the period of validity. Regarding the rules on the period of validity of the certificates (indent 4th under para graph 4), the Board considers that the procedure is unclear and the terms used should be clearly defined in order to understand to which certification the requirements refer to. The EDPB recommends the RO SA to clarify the rules for the use of existing cer tification in order to allow for a better understanding thereof.
In addition, indent 3rd under paragraph 4 refers to “other certifications” as a compliance factor to be considered. Based on the explanations provided by the RO SA, the Board understand s tha t the reference does not include certification s issued under the GDPR. The Board is of the view that non - GDPR certifications cannot be considered as a compliance factor under GDPR and, therefore, recommends the RO SA to delete the reference.
Regarding sec tion 7.6 of the RO SA’s draft accreditation requirements (“certification decision”), the Board considers that the procedure for informing the competent SA is not clear, in particular considering the specific deadline provided in the draft requirements , whi ch may lead to difficulties in practice . The Board encourages the RO SA to clarify the procedure.
In addition, the draft accreditation requirements include the obligation to submit written information to the RO SA prior to granting the certification. Based on the explanations provided by the RO SA, the Board understands that the intention is to increase transparency and it does not entail a supervision of the draft approval. The Board encourages the RO SA to includ e a clarification in that sense . 10 Adopted
The Board notes that paragraph 4 under section 7.6 of the RO SA’s draft accreditation requirements would be better placed after the first paragraph, since it further explains it. Thus, in order to avoid confusion, the EDPB encourages the RO SA to move the paragraph accordingly.
With regard to section 7.9 of the RO SA’s draft accreditation requirements (“Surveillance”), the Board welcomes the obligation to carry out the surveillance activities annually. In addition, the Board considers that the risks associated with the processing should be taken into account in order to determine whether a more frequent monitoring is necessary. Thus, the Board encourages the RO SA to include a risk - based approach in order to identify whether, in specific cases, the surveillance activities have to be carried out more than once per year.
With regard to section 7.10 of the RO SA’s draft accreditation requirements (“changes affecting certification”), the Board considers that changes in the state of art are also relevant and might affect certification. Therefore, the Board encourages the RO SA to include this possibility among the list of changes that might affect certification.
Regarding the reference to the “decisions of the European Data Protection Board”, the Board acknowledges that the RO SA has used the wording foreseen in Annex 1 However, in order to ensure a clear understanding of what is meant by “decisions of the European Data Protection Board”, the Board encourages the RO SA to clarify the reference. An example could be to refer to “documen ts adopted by the European Data Protection Board”.
Regarding paragraph 3 of section 7.10 (starting with “Beyond this, the CB defines...”), the EDPB notes that it is a repetition from section 7.4 of the RO SA’ draft accreditation requirements . The Board und erstands that this requirement, under section 7.10, is applicable to the changes. Thus, it should be drafted specifically to encompass that possibility. H ence, the EDPB encourages the RO SA to amend the reference by taking out the parenthesis and delete th e word ‘even’.
With regard to the last paragraph of section 7.10 of the RO SA’s draft accreditation requirements, the Board notes the obligation of the client to notify changes in the cases mentioned . Considering that the requirements are for accreditatio n of certification bodies, the Board underlines that it is the obligation of the certification body to take into account the changes notified by the client on the basis of item 7.10.2 ISO 17065, and encourages the RO SA to make such clarification.
With re gard to section 11 of the RO SA’s draft accreditation requirements (“Termination, reduction, suspension or withdrawal of certification”), the Board notes that the last part of the third paragraph is confusing: “ and which (non - compliance) cases constitute m easures in the first place.” In order to provide clarity, the Board encourages the RO SA to redraft the sentence.
With regard to section 7.12 of the RO SA’s draft accreditation requirements (“records”), the Board notes t h at the obligation to keep documentation complete, verifi able, up - to - date and auditable is tailored only to certification procedures completed without a positive result and to ongoing procedures. The Board recommends the RO SA to amend the draft in order to inclu de the procedures completed with a positive result.
Last paragraph of section 7.12 establishes that “ In addition to item 7.12.1 of EN - ISO/IEC 17065/2012, all records relating to the certification process shall be retained for further three years beyond th e period of validity of the certification and after the completion of the certification agreement. In the event of a dispute between the certification body and the client or the client and the competent data protection supervisory authority, this period ma y be extend beyond the validity period of the 11 Adopted certification until the end of this procedure .” The EDPB understands that the intention of the underlined sentence is to introduce the possibility to extend the three years until the dispute is settled. In orde r to clarify this, the EDPB encourages the RO SA to replace “end of procedure” with “dispute is settled”. 2.2.6 FURTHER ADDITIONAL REQUIREMENTS
The Board notes that the RO SA’s draft accreditation requirements do not include the obligation of the certification body to establish procedures to guide the updating of the evaluation methods , as stated in section 9.1 of the Annex . The EDPB recommends the RO SA to align the text with the Annex.
In addition, the Board notes that the obligation of the certification body to establish procedures to ensure the training of the employees with a view to updating their skills is missing, as per section 9.2 of the Annex . Whereas section 6.1 of the RO SA’s draft accreditation requirements makes reference to updating the skills of the personnel, it mentions the obligation of the personnel to demonstrate this update, but not the obligation of the certification body in this context. Thus, the EDPB recommends the RO SA to explicitly include the obligation of the certification body , in accordance with section 9.2 of the Annex .
The Board notes that the RO SA’s draft accreditation requirements do not include any of the elements of section 9.3.1 of the Annex (“communication between the certification body and its customers”) and recomme nds that such elements be included in the RO SA’s accreditation requirements.
Furthermore, t he Board understands that section 8 of the RO SA’s draft accreditation requirements partially covers the requirements under section 9.3.3 of the Annex , since it es tablishes that the management system shall specify a methodology for achieving and controlling the requirements in compliance with data protection regulations and for continuously checking them with the accredited body itself. However, the obligation to sh are relevant complaints and objections with the SA is missing , as per second paragraph of section 9.3.3 of the Annex . The EDPB recommend that such obligation be included.
Finally, the Board considers that s ection 9.3.4 of the Annex is missing in the RO SA ’s draft accreditation requirements , in particular the reference to notification to customers in the event of suspension or w ithdrawal of the accreditation. The Board recommends the RO SA to include the missing elements, in line with the Annex. 3 CONCLUSIONS / RECOMM ENDATIONS
The draft accreditation requirements of the Romanian Supervisory Authority may lead to an inconsistent application of the accreditation of certification bodies and the following changes need to be made:
Regarding ‘resource requirements’, the Board recommends that the RO SA: 1) either delete the examples or provide examples that are fitting to demonstrate the experience of the technical and legal personnel responsible for decision - making. 12 Adopted
Regarding ‘process r equirements’, the Board recommends that the RO SA: 1) explicitly state that the certification body will retain the responsibility for the decision - making, even when it uses external experts . 2) clarify the rules for the use of existing certification in order to allow for a better understanding thereof. 3) delete the reference to “other certifications” as a compliance factor to be considered. 4) amend section 7.12 in order to include the procedures completed with a positive result.
Regarding ‘ further additional require ments ’, the Board recommends that the RO SA: 1) include the obligation of the certification body to establish procedures to guide the updating of the evaluation methods, as stated in section 9.1 of the Annex . 2) explicitly include the obligation of the certifica tion body, in accordance with section 9.2 of the Annex. 3) include all the elements of section 9.3.1 of the Annex. 4) include the obligation to share relevant complaints and objections with the SA, as per second paragraph of section 9.3.3 of the Annex. 5) include t he missing elements of section 9.3.4 of the Annex 4 FINAL REMARKS
This opinion is addressed to the Romanian Supervisory Authority and will be made public pursuant to Article 64 (5 )( b) GDPR.
According to Article 64 (7) and (8) GDPR, the RO SA shall communicate to the Chair by electronic means within two weeks after receiving the opinion, whether it will amend or maintain its draft list. Within the same period, it shall provide the amended draft list or where it does not intend to follow the op inion of the Board, it shall provide the relevant grounds for which it does not intend to follow this opinion, in whole or in part. 53. The RO SA shall communicate the final decision to the Board for inclusion in the register of decisions, which have been subject to the consistency mechanism, in accordance with article 70 (1) (y) GDPR. For the European Data Protection Board The Chair (Andrea Jel inek)