# Opinion 30/2020 on the draft decision of the competent supervisory authority of Austria regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR)

- Type: Guidance
- Source: EDPB
- Identifier: opinion-302020-on-the-draft-decision-of-the-competent-en
- Date: 2020-12-07
- Original: https://www.edpb.europa.eu/documents/opinion-of-the-board-art-64/opinion-302020-on-the-draft-decision-of-the-competent_en
- Canonical: https://overview.legal/posts/126109
- Topics: Data Controller, Accountability, Codes of Conduct, Transparency, Certification, Supervisory Authorities, Supervision, European Cybersecurity Certification Schemes, Personal Data, Processing

## Summary

1 Adopted Opinion 30 /2020 on the draft decision of the competent supervisory authority of Austria regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) Adopted on 07 December 2020 2 Adopted Table of c ontents 1 Summary of the Facts ................................ ................................ ................................ ..................... 4 2 Assessment ................................ ................................…

## Sections (58)

### ¶1

Adopted Opinion 30 /2020 on the draft decision of the competent supervisory authority of Austria regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) Adopted on 07 December 2020

### ¶2

Adopted Table of c ontents 1 Summary of the Facts ................................ ................................ ................................ ..................... 4 2 Assessment ................................ ................................ ................................ ................................ ..... 4

### ¶2.1

General reasoning of the EDPB regarding the submitted draft decision ............................... 4

### ¶2.2

Main points of focus for the assessment (art. 43.2 GDPR and Annex 1 to the EDPB Guidelines) that the accreditation requirements provide for the following to be assessed consistently: ........... 5

### ¶2.2.1

GENERAL REMARKS ................................ ................................ ................................ ......... 6

### ¶2.2.2

GENERAL REQUIREMENTS FOR ACCREDITATION ................................ ........................... 7

### ¶2.2.3

RESOURCE REQUIREMENTS ................................ ................................ ............................ 8

### ¶2.2.4

PROC ESS REQUIREMENTS ................................ ................................ ............................... 9

### ¶2.2.5

MANAGEMENT SYSTEM REQUIREMENTS ................................ ................................ ..... 10

### ¶2.2.6

FURTHER ADDITIONAL REQUIREMENTS ................................ ................................ ....... 10

### ¶3

Conclusions / Recommendations ................................ ................................ ................................ . 11

### ¶4

Final Remarks ................................ ................................ ................................ ............................... 12 3 Adopted The European Data Protection Board Having rega rd to Article 63, Article 64 (1c ), (3) - (8) and Article 43 (3 ) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repe aling Directive 95/46/EC (here after “GDPR”), Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the D ecision of the EEA joint Committee No 154/2018 of 6 July 2018, 1 Having regard to Article 10 and 22 of its Rules of Procedure of 25 May 2018, Whereas: (1) The main role of the Board is to ensure the consistent application of the Regulation 2016/679 (hereaft er GDPR) throughout the European Economic Area . In compliance with Article 64.1 GDPR, the Board shall issue an opinion where a supervisory authority (SA) intends to approve the requirements for the accreditation of certification bodies pursuant to Article 43. The aim of this opinion is therefore to create a harmonised approach with regard to the requirements that a data protection supervisory authority or the National Accreditation Body will apply for the accreditation of a certification body. Even though t he GDPR does not impose a single set of requirements for accreditation, it does promote consistency. The Board seeks to achieve this objective in its opinions firstly by encouraging SAs to draft their requirements for accreditation following the structure set out in the Annex to the EDPB Guidelines on accreditation of certification bodies, and, secondly by analysing them using a template provided by EDPB allowing the benchmarking of the requirements (guided by ISO 17065 and the EDPB guidelines on accredita tion of certification bodies). (2) With reference to Article 43 GDPR, the competent supervisory authorities shall adopt accreditation requirements . They shall, however, apply the consistency mechanism in order to allow generation of trust in the certification mechanism , in particular by setting a high level of requirements . (3) While requirements for accreditation are subject to the consistency mechanism, t his does not mean that the requirements should be identical . The competent supervisory autho rities have a margin of discretion with regard to the national or regional context and should take into account their local legislation. The aim of the EDPB opinion is not to reach a single EU set of requirement s but rather to avoid significant inconsisten cies that may affect, for instance trust in the independence or expertise of accredited certification bodies . (4) The “Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679)” (he reinafter the “Guidelines”) , and “Guidelines 1/2018 on certification and identifying certification criteria in accordance with article 42 and 43 of the Regulation 2016/679” will serve as a guiding thread in the context of the consistency mechanism. (5) I f a Member State stipulates that the certification bodies are to be accredited by the supervisory authority, the supervisory authority should establish accreditation requirements including, but not 1 References to the “Union” made throughout this opinion should be understood as references to “EEA”. 4 Adopted limited to, the requirements detailed in Article 43(2). In comparison to the obligations relating to the accreditation of certification bodies by national accreditation bodies, Article 43 provides fewer details about the requirements for accreditation when the supervisory authority conducts the accreditation itse lf. In the interests of contributing to a harmonised approach to accreditation, the accreditation requirements used by the supervisory authority should be guided by ISO/IEC 17065 and should be complemented by the additional requirements a supervisory autho rity establishes pursuant to Article 43(1)(b). The EDPB notes that Article 43(2)(a) - (e) reflect and specify requirements of ISO 17065 which will contribute to consistency. 2 (6) The opinion of the EDPB shall be adopted pursuant to Article 64 (1)(c), (3) & (8) GDPR in conjunction with Article 10 (2) of the EDPB Rules of Procedure within eight weeks from the first working day after the Chair and the competent supervisory authori ty have decided that the file is complete. Upon decision of the Chair, this period may be extended by a further six weeks taking into account the complexity of the subject matter. HAS ADOPTED THE OPINION: 1 SUMMARY OF THE FACTS 1 The Austria supervisory authority (hereinafter “ AT SA”) has submitted its draft accreditation requirements under Article 43 (1)(b) to the EDPB. The file was deemed complete on 9 October 2020. The AT SA will perform accreditation of certification bodies to certify us ing GDPR certi fication criteria. 2 ASSESSMENT 2.1 General reasoning of the EDPB regarding the submitted draft decision 2 The purpose of this opinion is t o a ssess the accreditation requirements developed by a SA, either in relation to ISO 17065 or a full set of requirements , for th e purposes of allowing a national accreditation body or a SA , as per article 43(1) GDPR, to accredit a certification body responsible for issuing and renewing certification in accordance with article 42 GDPR . This is without prejudice to the tasks and p owers of the competent SA. In this specific case, the Board notes that the AT SA is tasked by national law to carry out the accreditation of certification bodies. To this end, the AT SA has developed a set of requirements specifically for accreditation of certification bodies. 3 This assessment of AT SA’s accreditation requirements is aimed at examining on variations (additions or deletions) from the Guidelines and notably the ir Annex 1 . Furthermore, the EDPB’s Opinion is also focused on all aspects that may impact on a consistent approach regarding the accreditation of certification bodies. 2 Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation , par. 39 Available at: https://edpb.europa.eu/our - w ork - tools/our - documents/retningslinjer/guidelines - 42018 - accreditation - certification - bodies_en

### ¶5

Adopted 4 It should be noted that the aim of the Guidelines on accreditation of certification bodies is to assist the SAs while defining their accreditation requirements. The Guide lines’ Annex does not constitute accreditation requirements as such. Therefore, the accreditation requirements for certification bodies need to be defined by the SA in a way that enables their practical and consistent application as required by the SA’s co ntext. 5 T he Board acknowledges the fact that, given their expertise, freedom of manoeuvre should be given to NABs when defining certain specific provisions within the applicable accreditation requirements. However, the Board considers it necessary to stres s that, where any additional requirements are established, they should be defined in a way that enables their practical, consistent application and review as required.

### ¶6

The Board notes that ISO standards, in particular ISO 17065, are subject to intellectual property rights, and therefore it will not make reference to the text of the related document in this Opinion. As a result, the Board decided to, where relevant, point towards specific sections of the ISO Standard, without, however, reproducing the text .

### ¶7

Finally, the Board has conducted its assessment in line with the structure foreseen in An nex 1 to the Guidelines (hereinafter “Annex”) . Where this Opinion remain s silent on a specific section of the AT SA ’s draft accreditation requirements , it should be re ad as the Boar d not having any comments and not asking the AT SA to take further action.

### ¶8

This opinion does not reflect upon items submitted by the AT SA, which are outside the scope of article 43 (2) GDPR, such as references to national legislation. The Board nevertheless notes that national legislation should be in line with the GDPR, where required. 2.2 Main p oint s of focus for the assessment (art. 43.2 GDPR and Annex 1 to the EDPB Guidelines) that the accreditation requirements provide for the following to be assessed consistently: a. addressing all the key areas as highlighted in the Guidelines Annex and considering any deviation from the Annex. b. independence of the certification body c. conflicts of interests of the certification body d. expertise of the certification body e. appropriate safeguards to ensure GDPR certification criteria is appropriately applied by the certification body f. procedures for issu ing, periodic review and withdrawal of GDPR certification; and g. transparent handling of complaints about infringements of the certification.

### ¶9

Taking into account that: a. Article 43 (2) GDPR provides a list of accreditation areas that a certification body need to address in order to be accredited; 6 Adopted b. Article 43 (3) GDPR provides that the requirements for accreditation of certification bodies shall be approved by the competent Supervisory Authority ; c. Article 57 (1) (p) & (q) GDPR provides that a competent superviso ry authority must draft and publish the accreditation requirements for certification bodies and may decide to conduct the accreditation of certification bodies itself ; d. Article 64 (1) (c) GDPR provides that the Board shall issue an opinion where a superviso ry authority intends to approve the accreditation requirements for a certification body pursuant to Article 43(3) ; e. If accreditation is carried out by the national accreditation body in accordance with ISO/IEC 17065/2012, the additional requirements establ ished by the competent supervisory authority must also be applied; f. Annex 1 of the Guidelines on Accreditation of Certification foresee s suggested requirements that a data protection supervisory authority shall draft and that apply during the accreditation of a certification body by the National Accreditation Body; the Board is of the opinion that: 2.2.1 GENERAL REMARKS

### ¶10

The Board acknowledges that, as explained by the AT SA, the AT SA’s draft requirements are drafted following the procedural requirements of Austrian law. Nonetheless, the Board encourages the AT SA to follow the structure and titles of the Annex, to the extent possible under national law.

### ¶11

The Board acknowledges that the AT SA’s draft accreditation requirements include a section on terms and definitions. However, some of the terms are not used consistently throughout the document (e.g. “conformity assessment” instead of “Certification” in section 7.1.2; “the persons entrusted with the certification procedure” instead of “evaluators” in section 7.5; the reference to “the data protection authority” instead to the “AT SA”...). The Board encourages the AT SA to ensure that the terms used are consistent.

### ¶12

The Board notes that the requirements should be drafted in a prescriptive manner. Thus, the requ irements should avoid the word “should” and rather use “shall” or “must”. The EDPB encourages the AT SA to make the necessary changes in this regard (e.g. in section 10(1)).

### ¶13

The Board acknowledges the specific nature of the explanatory note provided by th e AT SA. However, the Board considers that some of the explanations in the explanatory should rather be included in the text of the ordinance. In particular, the Board recommends the AT SA to make the following changes in this regard: inclusion in section 9(2)(7) the reference to the tasks and powers of the SA; inclusion in section 8(2) of the references to the EU Seal; with regard to section 9.3.1 of the Annex, the ordinance should include the obligations regarding the communication with the certification petitioners and holders, added in the explanatory note; the ordinance should also include the information related to section 9.3.4 of the Annex; section 19 should clearly include the obligation of the certification body to disclose to the SA the managemen t principles and their documented implementation; section 11 should include the information in relation with previous certification (page 6, “para. 2” of the explanatory notes). 7 Adopted 2.2.2 GENERAL REQUIREMENTS FOR ACCREDITATION

### ¶14

Concerning the requirement of legal re sponsibility, the Board notes that, in the supporting document, the AT SA explain that the obligation of the certification body to comply with the GDPR stems from the GDPR itself and, therefore, there’s no need to add further requirements on that regard. H owever, the Board considers that the obligation of the certification body to comply with the GDPR and with the accreditation requirements should be included in the ordinance . In fact, as established in section 4.1.1 of the Annex to the Guidelines, certific ation bodies shall have up to date procedures that demonstrate compliance with the legal responsibilities set out in the terms of accreditation. Moreover, the certification body shall be able to demonstrate evidence of GDPR compliant procedures and measure s specifically for controlling and handling of client organisation’s personal data as part of the certification process. Therefore, the Board recommends the AT SA to amend the draft requirements in order to align them with the Guidelines.

### ¶15

Regarding the man agement of impartiality, section 5.2 of the AT SA’s draft requirements establish that a certification body won’t be impartial “ if a contractual relationship exists between the certification body and the certification petitioner or holder in the sense of Art. 26(1) second sentence or Art. 28(3) GDPR”. The Board considers that this does not include other situations in which the inde pendence of the certification body may be compromised. In this regard, the Board notes that any type of economic or organisational relation between the certification body and the legal entity, depending on its features, may affect the impartiality of its c ertification activities. For example , the certification body should not belong to the same company group nor should be controlled in any way by the customer it assesses. Therefore, the Board recommends that the draft requirements are amended in order to cl arify that any type of economic relation between the certification body and the legal entity, depending on its features, may affect the impartiality of its certification activities .

### ¶16

With regard to section 8(7) of the AT SA’s ordinance, the Board considers that the publicly available information should also include all versions of the criteria under art. 42(5) GDPR and encourages the AT SA to add such clarification.

### ¶17

The Board considers that section 9 (“certification agreement”) of the AT SA’s ordinance doe s not cover all the elements of section 4.1.2 of the Annex. In particular, the Board notes that the following points of the Annex are missing: point 2 ( to require the applicant to allow full transparency to the competent supervisory authority with respect to the certification procedure including contractually confidential matters) and 7 ( to allow the certification body to disclose [to the SA] all information necessary for granting certification pursuant to Articles 42(8) and 43(5)). Thus, the EDPB recommend s that the AT SA include the abovementioned elements.

### ¶18

With regard to section 9(2)(1), the Board notes that the reference to the deadlines is limited to those “specified in the certification requirements” , whereas section 4.1.2, 5th indent of the Annex is broader and also include the obligation to comply with procedures. Thus, the EDPB encourages the AT SA to redraft the wording in order to refer to deadlines in a general manner and include a reference to the applicable procedures, in line with the Annex.

### ¶19

In addition, the Board notes that, according to the Annex, the applicant has to inform the certification body of significant changes in its actual or legal situation and in its products, processes and services concerned by the certification (10th indent in section 4.1.2 of the Annex). However, section 9(2)(4) of the AT SA’s draft requirements only refer to significant changes, without adding any further 8 Adopted specification. The Board encourages the AT SA to specify that the significant changes relate to “its ac tual or legal situation and in its products, processes and services c oncerned by the certification”.

### ¶20

The EDPB notes that, i n accordance with section 4.1.2, 6 th ident of the annex, the certification agreement should contain the rules for validity, renewal and withdrawal, and the rules setting the interval s for re - evaluation or review. Section 9(2)(5) of the AT SA’s ordinance include a reference to the obligations of th e client in that regard , but not to the above - mentioned rules. Thus, the EDPB recommends the AT SA to include the reference, in line with the Annex.

### ¶21

The Board notes that section 9(2)(7) seems to reflect the requirement of section 4.1.2, 3rd indent of the A nnex regarding the responsibility of the applicant to comply with the GDPR. However, some clarification would be beneficial. Thus, the Board encourages the AT SA to clarify the wording, in order to align it with the Annex.

### ¶22

With regard to section 14(2) of the ordinance, the EDPB notes that it does not include the obligation to only use certificates, seals and marks in compliance with Article 42 and 43 and the guidelines on accreditation and certification, in line with the Annex. The EDPB recommends that th e AT SA amend the draft accordingly. 2.2.3 RESOURCE REQUIREMENTS

### ¶23

With regard to the expertise of the certification body (section 7 of the AT SA’s draft accreditation requirements), the Board considers that points 2 and 3 of section 6.1 of the Annex are not covered. Thus, the Board recommends the AT SA to amend the draft accordingly, so as to include the missing elements.

### ¶24

Regarding the educational requirements for personnel with technical expertise, the Annex refers to “a qualification in a relevant area of technical expertise to at least EQF level 6 or a recognised prot ected title (e.g. Dipl. Ing.) in the relevant regulated profession ”. However, there is no reference to the underlined sentence in section 7(3) of the AT SA’s draft accreditation requirements. Taking into account the variety in the educational systems, the Board recommends that the AL SA’s draft requirements be aligned with the wording of the Annex, taking into account the specific educational system and requirements established in national law. For example, the requirements could refer to an “equivalent voc ational education enjoying a recognised protected title in the Member State where it was issued”.

### ¶25

In addition, the Board considers that the list of subjects is already tailored to the technical expertise required by the Annex. Therefore, the Board encourag es the AT SA to delete the reference to “natural sciences” from the list of subjects regarding the educational requirements of the technical personnel.

### ¶26

With regard to the decision - makers, section 7.6 establishes that they should have experience in technica l data protection law. This specific reference is more suitable for evaluators than for decision - makers. In fact, t he Board considers that the expertise requirements for evaluators and decision - makers should be tailored taking into account the different ta sks that they perform. In this regard, the Board is of the opinion that evaluators should have a more specialist expertise and professional experience in technical procedures (e.g. audits and certifications), whereas decision - makers should have a more gene ral and comprehensive expertise and professional experience in data protection. 9 Adopted Considering this, the Board encourages the AT SA to redraft the requirements taking into account the different substantive knowledge and/or experience requirements for evaluato rs and decision - makers. 2.2.4 PROCESS REQUIREMENTS

### ¶27

With regard to section 8(1)(2) (“Certification procedure”), the Board notes that the ordinance requires that the application for certification include “details of the certification applied for”. The EDPB consi ders that this wording should be complemented in accordance with the Annex, in order to specify the details that should be included. In this regard, section 7.2.1 of the Annex refers to the object of certification (ToE) but also to “interfaces and transfer s to other systems and organizations, protocols and other assurances”. Thus, the EDPB encourages the AT SA to include the details mentioned in the Annex.

### ¶28

With regard to s ection 8(1)(3) , the Board notes that the ordinance refers to the joint - controllership and the use of processors. In this regard, the EDPB encourages the AT SA to specify that the information on the processors/joint controllers should include a description of their responsibilities and tasks, and that the application shall contain the relev ant contracts or arrangements .

### ¶29

With regard to the obligation to lay down in the certification agreement binding evaluation methods with respect to the Target of Evaluation (ToE), stablished in section 7.3, 1st indent of the Annex, the Board notes that se ction 9(2)(10) of the ordinance only refers to “evaluation methods”. The Board encourages the AT SA to clarify that they are binding.

### ¶30

With regard to s ection 10 of the ordinance (“Change in certification agreements”) , the Board considers that the wording is not sufficiently clear as to the kind of changes referred. Following further explanations provided by the AT SA, the Board understands that the intention is to refer to changes that might affect certification. Thus , having in mind the need to preserve the impartiality of the certification body, the Board encourages the AT SA to reformulate the requirements in order to make clear that the changes referred are those that might affect certification and to clarify that the client is provided, in a timely manner, with general information on changes that might affect its certification”.

### ¶31

In addition, the Board observes that there is no reference to the change procedures to be agreed, as per section 7.10 of the Annex. The B oard encourages the AT SA to include such reference and mention some of the procedures that could be put in place (e.g. transition periods, approvals process with the competent SA...). Additionally, the Board considers that changes in the state of art are also relevant and might affect certification. Therefore, the Board encourages the AT SA to include this possibility among the list of changes affecting certification.

### ¶32

With regard to section 11 of the ordinance (“Evaluation”), the Board notes that some ele ments of section 7.4 Annex are not included. In particular, the Board considers that the AT SA’s draft requirements should include the obligation of the certification body to set out in detail in its certification mechanism how the information required in item 7.4.6 SO/IEC 17065/2012 informs the certification applicant about nonconformities from a certification mechanism (5th paragraph of section 7.4 Annex). Thus, the Board recommends the AT SA to include such obligation.

### ¶33

In addition, the Board considers t hat point 11(1) should not only refer to point 7.4 ISO/IEC 17065:2012. For example, the requirement could say “in addition to point 7.4 ISO/IEC 17065:2012...” Moreover, the Board considers that the explanatory note should include all the elements listed in point 7.4 Annex. The Board encourages the AT SA to amend the draft accordingly. 10 Adopted

### ¶34

The Board notes that the obligation to have procedures for the granting, regular review and revocation of the respective certifications pursuant to Article 43(2) and 43(3) ( section 7.5 Annex) is not included in the AT SA’s draft requirements. Thus, the EDPB recommends that the AT SA include it.

### ¶35

With regard to section 13(1), the EDPB encourages the AT SA to include a reference to the GDPR and the certification criteria approv ed by an SA.

### ¶36

With s ection 13.4 (“certification decision”), the Board notes that the ordinance does not include the elements of the first two paragraphs of section 7.7 Annex , although the explanatory note for section 9.2.3 establishes that the certification can be granted for a maximum period of three years. The Board considers that these requirements should be in the text of the ordinance and recommends the AT SA to amend th e draft ordinance in order to include the information.

### ¶37

Regarding section 15(1) (“ Directory of certified products”), the Board acknowledges the inclusion of the obligation of the certification body to keep a directory of certified products. However, as sta ted in section 7.8 Annex, t he information on certified products, processes and services shall be internally and publicly available. The EDPB recommends the AT SA to amend the draft accordingly.

### ¶38

The Board also notes that section 15(3) includes the obligati on of the certification body to provide the SA on request with the complete directory. However, the requirements should also include the obligation of the certification body to inform the competent SA of the reasons for granting or revoking the requested c ertification. The Board recommends that the AT SA amend the draft accordingly.

### ¶39

Regarding the obligation to inform the SA of the reasons for the termination, reduction, suspension or withdrawal of a certification (section 17(2) of the ordinance), the Board encourages the AT SA to clarify that the information should be provided in writing.

### ¶40

With regard to section 18(2)(2) of the ordinance, the Board acknowledges the inclusion of details on “any incompatibility arrangements”. The Board understands that this reference intends to address the obligation of the certification body to define how separation between certification activities and the handling of appeals and complaints is ensured (section 7.13 Annex). However, the Board considers that the wording of the Annex is clearer and encourages the AT SA to amend the wording in that line . 2.2.5 MANAGEMENT SYSTEM REQUIREMENTS

### ¶41

With regard to section 9(2)(9)(a) of the ordinance, the Board notices the reference to a catalogue of measures for dealing with complaints. The B oard considers that the wording of the Annex (section 4.1.2, 8th indent) is more comprehensive since it refers to the structure and procedure for complaint management. The Board encourages the AT SA to amend the draft accordingly. 2.2.6 FURTHER ADDITIONAL REQUIR EMENTS

### ¶42

The Board considers that some elements of sections 9.3.1 and 9. 3.3 Annex are missing. In particular, the following information should be added: with regard to section 9.3.1 Annex, the ordinance should include the elements related to the appropriate procedures and communication structures , in particular, the obligation to maintain documentation of tasks and responsibilities by the certification body and to maintain an application process for the purpose of evaluation by the SA . In addition, section 9( 2)(11) of the ordinance only refers to communication structures , whereas it should refer to communication structures and procedures , in accordance with the Annex. With regard to section 9.3.3 Annex , the ordinance should include the obligation of the certification body to share relevant 11 Adopted complaints and objections with the SA. The Board recommend s the AT SA to amend the draft requirements accordingly. 3 CONCLUSIONS / RECOMM ENDATIONS

### ¶43

The draft accreditat ion requirements of the AT Supervisory Authority may lead to an inconsistent application of the accreditation of certification bodies and the following changes need to be made:

### ¶44

Regarding ‘general remarks’, the Board recommends that the AT SA: 1) make the nece ssary changes so as to include in the text of the ordinance some of the explanations in the explanatory note, as specified in paragraph 13 of this Opinion.

### ¶45

Regarding ‘general requirements for accreditation’, the Board recommends that the AT SA: 2) amend the draft requirements in order to include in the ordinance the obligation of the certification body to comply with the GDPR and with the accreditation requirements ; and the obligation of the certification body to demonstrate evidence of GDPR compliant procedu res and measures specifically for controlling and handling of client organisation’s personal data as part of the certification process. 3) clarify that any type of economic relation between the certification body and the legal entity, depending on its feature s, may affect the impartiality of its certification activities 4) include in section 9 all the elements of section 4.1.2 Annex, particularly points 2 and 7 5) add the obligation to include, in the certification agreement, the rules for validity, renewal and withdrawal, and the rules setting the intervals for re - evaluation or review . 6) amend section 14(2) in order to include the obligation to only use certificates, seals and marks in compliance with Article 42 and 43 and the guidelines on accreditation and certification, in line with the Annex .

### ¶46

Regarding ‘resource requirements’, the Board recommends that the AT SA: 1) include the obligations of points 2 and 3 of section 6.1 of the Annex 2) align the wording regarding the education requirements for personnel with t echnical expertise with the Annex, taking into account the specific educational system and requirements established in national law.

### ¶47

Regarding ‘process requirements’, the Board recommends that the AT SA: 1) include the missing elements from section 7.4 Annex , in particular the obligation of the certification body to set out in detail in its certification mechanism how the information required in item 7.4.6 SO/IEC 17065/2012 informs the certification applicant about nonconformities from a certification mechani sm . 2) include the obligation to have procedures for the granting, regular review and revocation of the respective certifications pursuant to Article 43(2) and 43(3) (section 7.5 Annex) . 3) include in the ordinance the elements of the first two paragraphs of sec tion 7.7 Annex . 12 Adopted 4) specify, in section 15(1), that t he information on certified products, processes and services shall be internally and publicly available . 5) include the obligation of the certification body to inform the competent SA of the reasons for grantin g or revoking the requested certification.

### ¶48

Regarding ‘ further additional requirements’ , the Board recommends that the AT SA: 1) include the missing elements of sections 9.3.1 and 9.3.3 Annex . 4 FINAL REMARKS

### ¶49

This opinion is addressed to the Austrian Supervisory Authority and will be made public pursuant to Article 64 (5 )( b) GDPR.

### ¶50

According to Article 64 (7) and (8) GDPR, the AT SA shall communicate to the Chair by electronic means within two weeks after receiving the opinion, whether it will amend or maintain its draft list. Within the same period, it shall provide the amended draft list or where it does not intend to follow the opinion of the Board, it shall provide the relevant grounds for which it does not intend to follow this opinion, in whole or in part. 51. The AT SA shall communicate the final decision to the Board for inclusion in the register of decisions, which have been subject to the consistency mechanism, in accordance with article 70 (1) (y) GDPR. For the European Data Protection Board The Chair (Andrea Jelinek)

---
Generated by overview.legal · https://overview.legal/posts/126109 · 2026-07-17
