Certification criteria as referred to in Article 42(5) GDPR

The certification body or the owner of the certification scheme shall develop the certification criteria. The Guidelines 1/2018 adopted by the EDPB on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation are of great help in establishing the certification criteria.

The certification criteria require the approval of the President of the Office and, in case of the European Data Protection Seal, approval of the European Data Protection Board is required. In both situations, the approval should, in principle, take place before the accreditation process of the certification body, as accreditation refers to a specific certification scheme of which the approved criteria are a component.

The President of the Office will publish the approved certification criteria.