Guidelines 4/2018 on the accreditation of certification bodies (the “Guidelines”) under Article 43 of the General Data Protection Regulation numbered 2016/679 (GDPR) [1] were adopted on 4 December 2018.

Within the framework of establishing certification mechanisms, and data protection seals and marks, as a voluntary measure to facilitate compliance with the provisions of the GDPR, Article 43(1) of the GDPR requires Member States to ensure that certification bodies issuing certification under Article 42(1) of the GDPR are accredited by the competent supervisory authority and/or the national accreditation body.

In this context, the European Data Protection Board (“EDPB”) recognizes that it is necessary to follow the Guidelines with respect to accreditation.

The aim of the Guidelines is to help Member States, supervisory authorities and national accreditation bodies establish a consistent, harmonized baseline for the accreditation of certification bodies which issue certification in accordance with the GDPR. In this regard, the Guidelines explain the available routes for accrediting certification bodies in accordance with Article 43(1) of the GDPR, and provide a framework for establishing additional accreditation requirements when the accreditation is operated by the national accreditation body and for establishing accreditation requirements when the accreditation is handled by the supervisory authority.

Additionally, the introductory chapter states the institutions and organizations to which the Guidelines are addressed.

You may access the Guidelines here.

If you need any further information about this article, please contact the persons listed below.

Ersin Nazalı

Managing Partner, Attorney, CPA

Hatice Zümbül

Director, Litigation and Dispute Resolution

[1] “General Data Protection Regulation (2016/679)”;

( , 18.12.2018)