Skip to content
Guidance · EDPB ·152020-on-the-draft-decision-of-the-competent EN LLM context A cited markdown file you can paste into your AI assistant (ChatGPT, Claude, a RAG or project knowledge base) to ground it in this document. Contains: this document’s text, its sections with their topics, and the full text of every law provision it applies. Everything links back to its source on overview.legal — legal information, not advice.

Opinion 15/2020 on the draft decision of the competent supervisory authorities of Germany regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR)

Summary

Adopted Opinion 15 /2020 on the draft decision of the competent supervisory authorities of Germany regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) Adopted on 25 May 2020 2 Adopted Table of c ontents 1 SUMMARY OF THE FACTS ................................ ................................ ................................ ............... 4 2 ASSESSMENT ................................ ................................…

How it connects

Full text 53 sections

Paragraphs carrying a topic or an applied provision show those connections inline Original at the source →
¶0

25 May 2020 2 Adopted Table of c ontents

¶1

SUMMARY OF THE FACTS ................................ ................................ ................................ ............... 4

¶2

ASSESSMENT ................................ ................................ ................................ ................................ ... 4

¶2.1

General reasoning of the EDPB regarding the submitted draft decision ................................ 4

¶2.2

Main points of focus for the assessment (art. 43.2 GDPR and Annex 1 to the EDPB Guidelines) that the accreditation requirements provide for the following to be assessed consistently: ........... 5

¶2.2.1

PREFIX ................................ ................................ ................................ .............................. 6

¶2.2.2

TERMS AND DEFINITIONS ................................ ................................ ................................ 6

¶2.2.3

GENERAL REMARKS ................................ ................................ ................................ ......... 6

¶2.2.4

GENERAL REQUIREMENTS FOR ACCREDITATION (Chapter 4 of the draft accreditation requirements) ................................ ................................ ................................ ................................ . 7

¶2.2.5

RESOURCES REQUIREMENTS (Chapter 6 of the draft accreditati on requirements) ....... 8

¶2.2.6

PROCESS REQUIREMENTS (Chapter 7 of the draft accreditation requirements) ............ 9

¶2.2.7

FURTHER ADDITIONAL REQUIREMENTS ................................ ................................ ........ 11

¶3

CONCLUSIONS / RECOMMENDATIONS ................................ ................................ ......................... 11

¶4

FINAL REMARKS ................................ ................................ ................................ ............................ 12 3 Adopted The European Data Protection Board Having rega rd to Article 63, Article 64 (1c ), (3) - (8) and Article 43 (3 ) of the Regulation 2016/679/EU of the European Parliament and of the Counci l of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repe aling Directive 95/46/EC (here after “GDPR”), Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018, 1 Having regard to Article 10 and 22 of its Rules of Procedure of 25 May 2018, Whereas: (1) The main role of the Board is to e nsure the consistent application of the Regulation 2016/679 (hereafter GDPR) throughout the European Economic Area . In compliance with Article 64.1 GDPR, the Board shall issue an opinion where a supervisory authority (SA) intends to approve the requirement s for the accreditation of certification bodies pursuant to Article 43. The aim of this opinion is therefore to create a harmonised approach with regard to the requirements that a data protection supervisory authority or the National Accreditation Body wil l apply for the accreditation of a certification body. Even though the GDPR does not impose a single set of requirements for accreditation , it does promote consistency. The Board seeks to achieve this objective in its opinions firstly by encouraging SAs t o draft their requirements for accreditation following the structure set out in the Annex 1 to the EDPB Guidelines 4/2018 on accreditation of certification bodies , and , secondly by analysing them using a template provided by EDPB allowing the benchmarking of the requirements (guided by ISO 17065 and the EDPB guidelines on accreditation of certification bodies). (2) With reference to Article 43 GDPR, the competent supervisory authorities shall adopt accreditation requirements . They shall, however, apply the consistency mechanism in order to allow generation of trust in the certification mechanism , in particular by setting a high level of requirements . (3) While requirements for accreditation are subject to the consistency mechan ism, t his does not mean that the requirements should be identical . The competent supervisory authorities have a margin of discretion with regard to the national or regional context and should take into account their local legislation. The aim of the EDPB o pinion is not to reach a single EU set of requirement s but rather to avoid significant inconsistencies that may affect , for instance trust in the independence or expertise of accredited certification bodies . (4) The “Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679)” (hereinafter the “Guidelines”) , and “Guidelines 1/2018 on certification and identifying certification criteria in accordance with article 42 and 43 of the Regulation 2016/679” will serve as a guiding thread in the context of the consistency mechanism. (5) I f a Member State stipulates that the certification bodies are to be accredited by the supervisory authority, the supervisory authority should establish accreditation requirements including, but not 1 References to the “Union” made throughout this opinion should be understood as references to “EEA”. 4 Adopted limited to , the requirements detailed in Article 43(2). In comparison to the obligations relating to the accreditation of certification bodies by national accreditation bodies, Article 43 provides fewer details about the requirements for accreditation when the supervisory authority conducts the accreditation itse lf. In the interests of contributing to a harmonised approach to accreditation, the accreditation requirements used by the supervisory authority should be guided by ISO/IEC 17065 and should be complemented by the additional requirements a supervisory autho rity establishes pursuant to Article 43(1)(b). The EDPB notes that Article 43(2)(a) - (e) reflect and specify requirements of ISO 17065 which will contribute to consistency. 2 (6) The opinion of the EDPB shall be adopted pursuant to Article 64 (1)(c), (3) & (8) GDPR in conjunction with Article 10 (2) of the EDPB Rules of Procedure within eight weeks from the first working day after the Chair and the competent supervisory authority have decided that the file is complete. Upon decision of the Chair, this per iod may be extended by a further six weeks taking into account the complexity of the subject matter. HAS ADOPTED THE OPINION: 1 SUMMARY OF THE FACTS 1 The Germ an Supervisory Authorities of the Federation and the Länder (hereinafter “DE SAs”) ha ve submitted i ts draft accreditation requirements under Article 43 (1)(b) to the EDPB. The file was deemed complete on 13 February 2020 . The DE national accreditation body (NAB) , DAkkS , will perform accreditation of certification bodies to certify using GDPR certification criteria. This means that the NAB will use ISO 17065 and the additional requirements set up by the DE SAs , once they are approved by the DE SAs , following an opinion fr om the Board on the draft requirements, to accredit certification bodies . 2 In compliance with article 10 (2) of the Board Rules of Procedure, due to the complexity of the matter at hand, the Chair decided to extend the initial adoption period of eight weeks by a further six weeks . 2 ASSESSMENT 2.1 General reasoning of the EDPB regarding the submitted draft decision 3 The purpose of this opinion is t o a ssess the accreditation requirements developed by a SA, either in relation to ISO 17065 or a full set of requiremen ts , for th e purposes of allowing a national accreditation body or a SA , as per article 43(1) GDPR, to accredit a certification body responsible for issuing and renewing certification in accordance with article 42 GDPR . This is without prejudice to the task s and powers of the competent SA. In this specific case, the Board notes that the DE SAs have decided to resort to joint accreditation by their national accreditation body (NAB) , the DAkkS, and the competent 2 Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation , par. 39 Available at: https://edpb.europa.eu/our - work - tools/our - documents/retningslinjer/guidelines - 42018 - accreditation - certification - bodies_en

¶5

Adopted SA, for the issuance of accreditation , having pu t together additional requirements in accordance with the Guidelines, which should be used when issuing accreditation. 4 This assessment of DE SAs’ additional accreditation requirements is aimed at examining on variations (additions or deletions) from the Guidelines and notably the ir Annex 1 . Furthermore, the EDPB’s Opinion is also focused on all aspects that may impact on a consistent approach regarding the accreditation of certification bodies. 5 It should b e noted that the aim of the Guidelines on accreditation of certification bodies is to assist the SAs while defining the ir accreditation requirements. T he G uidelines ’ Annex does not constitute accreditation requirements as such. Therefore, the accreditation requirements for certification bodies need to be defined by the SA s in a way that enables their practical and consistent application as required by the SA s ’ context.

¶6

T he Board acknowledges the fact that, given their expertise, freedom of manoeuvre should be given to NABs and the competent SAs, when applicable, when defining certain specific provisions within the applicable accreditation requirements . However , the Board considers it necessary to stress that, where any additional requirements are establishe d, they should be defined in a way that enables their practical, consistent application and review as required.

¶7

The Board notes that ISO standards, in particular ISO 17065, are subject to intellectual property rights, and therefore it will not make reference to the text of the related document in this Opinion. As a result, the Board decided to, where relevant, point towards specific sections of the ISO Standard, without, however, reproducing the text .

¶8

Finally, the Board has conducted its assessment in line with the structure foreseen in An nex 1 to the Guidelines (hereinafter “Annex”) . Where this Opinion remain s silent on a specific section of the DE SAs’ draft accreditation requirements , it should be read as the Board not having any comments and not asking the DE SAs to take further action.

¶9

This opinion does not reflect upon items submitted by the DE SAs , which are outside the scope of article 43 (2) GDPR, such as references to national legislation. The Board nevertheless notes that national legislation should be in line with the GDPR, where required. 2.2 Main p oint s of focus for the assessment (art. 43.2 GDPR and Annex 1 to the EDPB G uidelines) that the accreditation requirements provide for the following to be assessed consistently: 1) addressing all the key areas as highlighted in the Guidelines Annex and considering any deviation from the Annex. 2) i ndependence of the certification body 3) conflicts of interests of the certification body 4) e xpertise of the certification body 5) appropriate safeguards to ensure GDPR certification criteria is appropriately applied by the certification body 6) procedures for issuing, periodic revie w and withdrawal of GDPR certification; and 6 Adopted 7) t ransparent handling of complaints about infringements of the certification .

¶10

Taking into account that: a. Article 43 (2) GDPR provides a list of accreditation areas that a certification body need to address in order to be accredited; b. Article 43 (3) GDPR provides that the requirements for accreditation of certification bodies shall be approved by the competent Supervisory Authority ; c. Article 57 (1) (p) & (q) GDPR provides that a competent supervisory authority mu st draft and publish the accreditation requirements for certification bodies and may decide to conduct the accreditation of certification bodies itself ; d. Article 64 (1) (c) GDPR provides that the Board shall issue an opinion where a supervisory authority in tends to approve the accreditation requirements for a certification body pursuant to Article 43(3) ; e. If accreditation is carried out by the national accreditation body in accordance with ISO/IEC 17065/2012, the additional requirements established by the co mpetent supervisory authority must also be applied ; f. Annex 1 of the Guidelines on Accreditation of Certification foresee s suggested requirements that a data protection supervisory authority shall draft and that apply during the accreditation of a certifica tion body by the National Accreditation Body ; the Board is of the opinion that: 2.2.1 PREFIX

¶11

The Board acknowledges the fact that terms of cooperation, regulating the relationship between a National Accreditation Body and its data protection supervisory authority are not a requirement for the accreditation of certification bodies per se . However, for reasons of completeness and transparency, the Board considers that such terms of cooperation, where existing, shall be made public in a format considered app ropriate by the SA . 2.2.2 TERMS AND DEFINITIONS

¶12

The Board notes that Chapter 3 (“Definitions”) of the DE SAs’ draft accreditation requirements defines what types of certification schemes are allowed , specifying that the y must meet the requirements of DIN EN ISO /IEC 17065. In this regard, it should be pointed out that Section s 5.1 and 5. 2 of the EDPB G uidelines spell out already what can be certified under the GDPR in a comprehensive manner . Therefore, t he Board acknowledges that the intent of the DE SAs is not t o limit what stated in the Guidelines and that the assertions contained in Chapter 3 of the DE SAs’ draft accreditation requirements are to be considered applicable in the context of these accreditation requirements . 2.2.3 GENERAL REMARKS

¶13

The Board notes that the “general notes” section of the DE SAs ’ draft accreditation requirements refer to the “authorization” of the certification criteria by the EDPB “in accordance with Art. 63, 64(1)(c) 7 Adopted GDPR ” . The Board notes that the GDPR does not give the EDPB the competence to “authorise” certification criteria. However, a ccording to the above - mentioned articles, the EDPB can approve certification criteria. Therefore, the Board recommends the DE SAs to delete the reference to “authorisation by the EDP B”, in order to put the draft in line with the wording of the GDPR. 2.2.4 GENERAL REQUIREMENTS FOR ACCREDITATION ( Chapter 4 of the draft accreditation requirements )

¶14

Concerning the requirement of legal responsibility ( s ection 4.1 of the DE SAs’ draft accreditati on requirements ), the Board notes that, in the supporting document, the DE SAs explain that th ere is an expectation for the certification body to have up to date procedures and, therefore, there’s no need to add further requirements on that regard . However , the Board considers that an expectation does not bind certification bodies to have such procedures. As established in section 4.1.1 of the Annex to the Guidelines, certification bodies shall have up to date procedures that demonstrate compliance with the legal responsibilities set out in the terms of accreditation. Moreover, the certification body shall be able to demonstrate evidence of GDPR compliant procedures and measures specifically for controlling and handling of client organisation’s personal dat a as part of the certification process. Therefore, the Board recommends the DE SAs to amend the draft requirements in order to align them with the Guidelines.

¶15

Regarding sub section 4.1.2.2 of the DE SAs ’ draft accreditation requirements ( “ certification agreement ” ) , the Board notes that the DE SAs ’ draft accreditation requirements do not include the obligation to allow full transparency to the competent SA with respect to the certification procedure, inclu ding contractually confidential matters. In addition, there is no reference to the obligation of the applicant to provide the certification body with access to its processing activities . Therefore, the Board recommends the DE SAs to include the abovementio ned obligations in their draft .

¶16

The Board observes that the explicit reference to the tasks and powers of t he competent SA (3rd indent in s ection 4.1.2 of the Annex) is not included in sub section 4.1.2.2 of the DE SAs ’ draft accreditation requirements. The Board is of the opinion that this reference should be added in the draft requirements and, therefore, it recommends the DE SAs to amend the draft accordingly.

¶17

Moreover, the DE SAs ’ draft requirements regarding the certification agreement do not includ e the obligation to allow the certification body to disclose all information necessary for granting certification pursuant to Articles 42(8) and 43(5) GDPR (7th indent in s ection 4.1.2 of the Annex). Even though that obligation is included in the process m anagement section of the DE SAs ’ draft accreditation requirements, the Board considers that it should be part of the certification agreement, in order to strengthen its binding nature. Thereby, the Board recommends the DE SAs to include the abovementioned obligation as part of the elements of the certification agreement.

¶18

A ccording to the Annex, th e applicant has to inform the certification body of significant changes in its actual or legal situation and in its products, processes and services concerned by the certification (10th indent in s ection 4.1.2 of the Annex). However, i n the DE SAs ’ d raft accreditation requirements, indent 6 of sub section 4.1.2.2 only includes the obligation to inform the certification body of significant changes in actual or lega l circumstances, but it does not explicitly mention the prod u cts, processes and services . The Board recommends the DE SAs to include such reference, in line with the Annex.

¶19

With regard to sub section 4.2.7 of the DE SAs ’ draft accreditation requirements ( “ handling impartiality ” ), the Board recommends to strengthen the criteria applicable to certification bodies 8 Adopted which belong to or are controlled by a separated legal entity, so as to take into consideration that any typ e of economic relation between the certification body and the legal entity , depending on its features, may affect the impartiality of its certification activities.

¶20

With regard to section 4.6 of the DE SAs ’ draft accreditation requirements ( “ p ublicly acc essible information ” ), the Board notes that there is no reference to the publication of all versions of the approved criteria and the certification procedures. Therefore, the Board encourages the DE SAs to amend the draft accreditation requirements in order to make explicit that the publication includes all versions of the approved criteria and the certification procedures. Additionally, the Board notes that the second paragraph of section 4.6 states tha t “ the certification schemes used by the certification body the approved criteria in accordance with Art. 42(5) GDPR stating the authorized duration of application, are to be generally published . ” T o avoid any ambiguity, t he Board encourages the DE SAs to delete the word “generally” and to include an “and” between “certification body” and “the approved criteria” . 2.2.5 RESOURCES REQUIREMENTS ( Chapter 6 of the draft accreditation requirements )

¶21

Concerning the expertise requirements and specifically, sub section 6.1.2.1 of the DE SAs’ draft accreditation requirements ( “ human resources compet ence ” ), the Board notes that the required knowledge in the listed areas does not specify that the knowledge shall be re levant and appropriate . In order to ensure consistency with the level of expertise required in the Annex, the Board recommends the DE SAs to align the wording with the G uidelines, by requiring that the knowledge is relevant and appropriate.

¶22

Moreover, the Board notes that the requirements for personnel with technical expertise responsible for decision making include at least 7 years of professional experience or 5 years of professional experience in technical data protection , depending on their level o f education , whereas the personnel responsible for evaluations should have 4 years of professional experience or 2 years of professional experience in technical data protection and experience in the testing procedure , depending on their level of education . Similarly, personnel with legal expertise m aking decisions must have at least 5 years of professional experience in data protection law , whereas those in charge of evaluations must have at least 2 years of experience in data protection law and in the audi t procedures . The Board notes that the required minimum years of professional experience between the personnel in charge of decision - making and the personnel in charge of evaluation differ significantly. In this regard, the Board considers that the compete nce requirements for evaluators and decision - makers should be tailored taking into account the different tasks that they perform, rather than the number of years of experience. The Board is of the opinion that evaluators should have a more specialist exper tise and professional experience in technical procedures (e.g. audits and certifications), whereas decision - makers should have a more general and comprehensive expertise and professional experience in data protection . Considering this, the Board encourages the DE SAs to make more emphasis on the different substantive knowledge and/or experience for evaluators and decision - makers and to reduce the divergences in the years of experience required for them .

¶23

Additionally, the Board considers that the knowledge of the management systems relevant to the certification area should be extended to the ISO/IEC 27701:2019 - Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines and encourages t he DE SAs to include such reference. 9 Adopted

¶24

Finally , regarding the education requirements for the technical personnel, the Board considers that the list of subjects is already tailored to the technical expertise required by the Annex . Therefore, the Board encou rages the DE SAs to delete the reference to “natural sciences” from the list of subjects regarding the university education of the technical personnel. 2.2.6 PROCESS REQUIREMENTS ( Chapter 7 of the draft accreditation requirements )

¶25

The Board notes that Chapter 7 of the DE SAs ’ draft accreditation requirements make s several reference to the term “its criteria” (e.g. in sections 7.4, 7.6, 7.11 and 7.13 ). In order to avoid any ambiguity , the Board encourages the DE SAs to clarify the me aning of such term, for example by adding an explanation in Appendix 1 (Glossary).

¶26

Concerning section 7.1 of the DE SAs ’ draft accreditation requirements ( “ general information ” ) , the Board notes that there is no explicit reference to the obligation of th e certification body to comply with the additional requirements. Even though such obligation could be inferred from the text of the draft requirements, the Board considers that an explicit reference to the above - mentioned obligation should be included. The refore, the Board recommends the DE SAs to amend the draft accordingly.

¶27

The Board notes that the DE SAs ’ draft additional requirements do not contain any reference to the operation of an approved European Data Protection Seal, as per section 7.1.2 of the Annex. The Board is of the opinion that this reference should be included, especially considering that accreditation of a certification body granting European Data Protection Seals may have to be carried out in each of the Members States where the certifi cation body is established. 3 Therefore, the Board recommends the DE SAs to include the above - mentioned reference. For example, the draft requirements could state the following: "The competent SA shall be notified before a certification body starts operati ng an approved European Data Protection Seal in a new Member State from a satellite office".

¶28

The Board notes that in section 7.2 ( “ application ” ), the DE SAs ’ draft accreditation requirements foresee the situation in which processors are used to carry out data processing operations , in line with the Annex to the Guidelines . However, the Board notes that, when processors are used, the application shall contain t he relevant controller/processor contract(s), as stated in the Annex. Therefore, the Board recommends the DE SAs to align the wording to the guidelines by including the reference to the controller/processor contract(s). Moreover, the Board encourages the D E SAs to consider whether a reference to joint controllers and their specific arrangements should also be mentioned in this case.

¶29

The Board notes that section 7.2 of the DE SAs ’ draft accreditation requirements specifies that “t he data controller and the p rocessor are enti tled to apply for certification”. The possibility for processors to apply for certification will depend on the specific certification scheme. Therefore, in order to avoid confusion, the Board encourages the DE SAs to delete the reference a bove or to clarify that the possibility for processors to be certified will depend on the scope of the certification scheme.

¶30

With regard to section 7.3 of the DE SAs ' draft accreditation requirements ( “ evaluation applications ” ), the Board notes that the DE SAs ’ draft accreditation requirements state that “the planned evaluation methods are contractually stipulated [ ... ] ”. In order to make clear that this is a requirement, the Board encourages the DE SAs to redraft the first paragraph, in order to make clear that the evaluation methods shall be included in the certification agreement , - I.e. redraft the requirement as “ the planed 3 In this regard, see Guidelines 1/2018, paragraph 44. 10 Adopted evaluation methods shal l be contractually stipulated [...] ” . Additionally, the Board encourag es the DE SAs to replace the reference to section 7.3.1.b of ISO 17065 with section 7.3 of ISO 17065, in order to align the wording with the Annex. Moreover, the Board observes that the 4th paragraph refers to appropriate technical and legal competences. F or the sake of clarity, the Board encourages the DE SAs to add “in the field of data protection”.

¶31

The Board observes that section 7.4 of the DE SAs’ draft accreditation requirements ( “ evaluation methods ” ) does not include the obligation of the certificati on body to describe sufficient evaluation methods for assessing the compliance of the processing operation(s) with the certification criteria. The Board recommends the DE SAs to amend the draft requirements in order to include such reference. An example co uld be to add the following: “The certification body shall ensure that mechanisms used for granting certification describe sufficient evaluation methods for assessing the compliance of the processing operation(s) with the certification criteria ”. Moreover, with regard to the first area that shall be covered in the evaluation methods, the Board considers that the necessity and proportionality shall be assessed also in relation to the data subjects concerned , where applicable . Finally, the Board notes that the re is no reference to the documentation of methods and findings. Thus, the Board encourages the DE SAs to amend the draft and explicitly include such reference s .

¶32

With re gard to existing certifications (section 7.4 of the DE SAs ’ draft accreditation requirements), the Board considers that the 4th indent in page 13 leads to confusion, since it is unclear what is the connection between the periods of validity of current and previous certification, and how they would fit in with one another. Additionally, it does not seem feasible to question the validity of certification previously issued by a different accredited certification body. In sum, the paragraph would benefit from some clarity with regard to the relationship between the dif ferent elements mention. The Board recommends the DE SAs to amend the draft in particular by clarifying that the duration of validity of the GDPR certification must not be conditional upon the validity of other types of certifications .

¶33

Concerning section 7.5 (“valuation”) of the DE SAs ’ draft accreditation requirements, the Board encourages the DE SAs to change the title of the section to “review”.

¶34

Regarding the changes affecting certification ( section 7.10 of the DE SAs draft accreditation requirements ), the Board notes that the DE SAs draft accreditation requirements establish that “ the client is informed in a timely manner on changes to the legal framework which affect him ” . Having in mind the need to pre serve the impartiality of the certification body, the Board encourages the DE SAs to reformulate the sentence to make clear that the client is provided, in a timely manner, with general information on changes that might affect him. Additionally, in order t o ensure a clear understanding of what is meant by “decisions of the European Data Protection Board”, the Board encourages the DE SAs to clarify the reference. An example could be to refer to “documents adopted by the European Data Protection Board”.

¶35

The Board observes that section 7.11 of the DE SAs’ draft accreditation requirements ( “ termination, restriction, suspension or withdrawal of certification ” ) does not contain the obligation of the certification body to accept decisions and orders from the DE SAs to withdraw or not to issue certification to an applicant if the requirement s for certification are not or no longer met. Therefore, the Board recomm ends the DE SAs to include such obligation. Moreover, the Board encourages the DE SAs to replace the word “restriction” by “reduction” from the title of the section, in accordance with the Annex to the Guidelines. 11 Adopted 2.2.7 FURTHER ADDITIONAL REQUIREMENTS

¶36

With rega rd to sub section 8.11.3 of the DE SAs ’ accreditation requirements (“complaint management”) , the Board encourages the DE SAs to replace the reference to “justified complaints” by “substantiated complaints”, in order to provide more clarity. 3 CONCLUSIONS / R ECOMMENDATIONS

¶37

The draft accreditation requirements of the German Supervisory Authorities of the Federation and the Länder may lead to an inconsistent application of the accreditation of certification bodies and the following changes need to be made:

¶38

Regar ding ‘general remarks’, the Board recommends that the DE SAs : 1) delete the reference to “authorisation by the EDPB”, in order to put the draft in line with the wording of the GDPR.

¶39

Regarding ‘general requirements for accreditation’, the Board recommends tha t the DE SAs : 1) amend the requirem ents concerning the legal responsibility (subsection 4.1) in order to align them with the guidelines. 2) amend sub section 4.1.2.2 to include , in the certification agreement, the obligation to allow full transparency to the DE SAs with respect to the certification procedure and to provide the certification body with access to the applicant’s processing activities. 3) include, in subsection 4.1.2.2 , a n explicit reference to the tasks and powers of the competent SA, in accordance with the Annex. 4) include , among the elements of the certification agreement, the obligation to allow the certification body to disclose all information necessary for grantin g certification pursuant to Articles 42(8) and 43(5) GDPR . 5) include a explicit reference to “ products, processes and services concerned by the certification ” in indent 6 of sub section 4.1.2.2. 6) to strengthen , in sub section 4.2.7, the criteria applicable to c ertification bodies which belong to or are controlled by a separated legal entity, so as to take into consideration that any type of economic relation between the certification body and the legal entity , depending on its features, may affect the impartial ity of its certification activities.

¶40

Regarding ‘resource requirements’ the board recommends that the DE SAs : 1) align the wording of sub section 6.1.2.1 with the guidelines, by requiring that the knowledge is relevant and appropriate.

¶41

Regarding ‘process requirements’ the board recommends that the DE SAs : 1) amend section 7.1 to contain an explicit reference to the obligation of the certification body to comply with the additional requirements. 12 Adopted 2) include a reference to the operation of an approved European Data Protection Seal. 3) align the wording in section 7.2 to the guidelines by including the reference to the controller/ processor contract(s). 4) include in section 7.4 the obligation o f the certification body to describe sufficient evaluation methods for assessing the compliance of the processing operation(s) with the certification criteria. 5) clarify in section 7.4 that the duration of validity of the GDPR certification must not be condi tional upon the validity of other types of certifications. 6) include in section 7.11 the obligation of the certification body to accept decisions and orders from the DE SAs to withdraw or not to issue certification to an applicant if the requirements for c ertification are no longer met. 4 FINAL REMARKS

¶42

This opinion is addressed to the German Supervisory Authorities of the Federation and the Länder and will be made public pursuant to Article 64 (5 )( b) GDPR.

¶43

According to Article 64 (7) and (8) GDPR, the DE SAs shall communicate to the Chair by electronic means within two weeks after r eceiving the opinion, whether they will amend or maintain their draft decision . Within the same period, they shall provide the amended draft decision or where they do not intend to fol low the opinion of the Board, they shall provide t he relevant grounds for which they do not intend to follow this opinion, in whole or in part. 44. The DE SAs shall communicate the final decision to the Board for inclusio n in the register of decisions that have been subject to the consistency mechanism, in accordance with article 70 (1) (y) GDPR. For the European Data Protection Board The Chair (Andrea Jelinek)

Similar Content