European Union: Adopted EDPB opinion 10/2024 on the draft decision of the competent supervisory authority of Sweden regarding the approval of the requirements for accreditation of a certification body (GDPR)

On 23 May 2024, the European Data Protection Board (EDPB) adopted its opinion 10/2024 on the draft decision of the competent supervisory authority of Sweden regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR). The Swedish Supervisory Authority (SE SA) submitted its draft accreditation requirements for certification bodies under Article 43.1(b) GDPR to the EDPB, which will be performed by the Swedish National Accreditation Body (NAB) using ISO 17065 and additional requirements set by SE SA. The EDPB's opinion aims to ensure consistency in accreditation requirements across the European Economic Area (EEA). In particular, SE SA’s requirements were assessed against the EDPB guidelines and ISO 17065 to identify inconsistencies. The EDPB emphasised the need for clear and consistent application and review of requirements and stated that the draft accreditation requirements of the SE SA may lead to an inconsistent application of the accreditation of certification bodies. Due to this, the EDPD suggests changes such as clarifications and specifications, including transparency, information and independence requirements. Furthermore, the EDPD addresses the conflict of interest and requires that the management system ensures certification bodies permanently and continuously make public which certifications were carried out, their validity, and under which framework and conditions. The opinion must be communicated to the Chair of the SE SA within two weeks, including any amendments or justifications for not following the opinion. The final decision will be included in the register of decisions subject to the consistency mechanism.