
GDPR Art.43: Certification Bodies

What This Control Requires

Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, certification bodies which have an appropriate level of expertise in relation to data protection shall, after informing the supervisory authority in order to allow it to exercise its powers pursuant to point (h) of Article 58(2) where necessary, issue and renew certification. Member States shall ensure that those certification bodies are accredited by one or both of the following: (a) the supervisory authority which is competent pursuant to Article 55 or 56; (b) the national accreditation body named in accordance with Regulation (EC) No 765/2008.

In Plain Language

The credibility of any GDPR certification depends entirely on who issues it. Article 43 sets the rules for certification bodies - the organisations that actually assess and certify your data protection practices. They must have genuine data protection expertise and be accredited by either the competent supervisory authority or the national accreditation body.

Accreditation requirements are designed to keep standards high. Certification bodies must demonstrate independence, establish clear procedures for issuing, renewing, and withdrawing certifications, handle complaints about certified organisations, operate free from conflicts of interest, and publish transparent assessment criteria. Without these safeguards, certifications would be meaningless.

Certification bodies must keep the supervisory authority informed of their activities. This regulatory oversight ensures the certification ecosystem operates within the GDPR framework and that certifications represent genuine compliance assessments, not box-ticking exercises.

How to Implement

Before engaging any certification body, verify their accreditation status directly with the relevant supervisory authority or national accreditation body. Confirm they are accredited for the specific GDPR certification scheme you want and that they have relevant expertise in your processing context. Check their track record and ask for references from other certified organisations.

Get clear on the assessment methodology before you sign anything. Review their published criteria, the assessment process, typical timelines, and what they expect from you. Pin down the certification scope, the evidence they need, the assessment format (document review, on-site audit, remote assessment), and the qualifications of the people who will conduct the evaluation.

Prepare properly. Organise documentation, brief responsible staff on the process and their roles, run internal pre-assessments, and close any known gaps. When the assessment begins, provide requested information quickly and facilitate access to systems, staff, and premises without friction.

Keep the relationship alive between assessments. Report any significant changes to your processing that could affect your certification status. Engage with surveillance audits proactively and respond to findings without delay. Flag any concerns about maintaining compliance early rather than waiting for the next formal review.

If you are looking to establish a new certification scheme for your sector, talk to the supervisory authority early about the approval process. Design robust assessment criteria, recruit qualified assessors, and build a scheme that delivers genuine compliance assurance rather than a superficial review.

Evidence Your Auditor Will Request

  • Verification of certification body accreditation status
  • Certification assessment reports and findings
  • Evidence of remediation of any non-conformities identified during assessment
  • Records of communication with the certification body regarding changes in processing
  • Surveillance audit results and renewal assessment documentation

Common Mistakes

  • Selecting a certification body that is not properly accredited for the relevant scheme
  • Insufficient preparation for the certification assessment, leading to failed or delayed certification
  • Not reporting significant processing changes to the certification body between assessments
  • Treating the certification body relationship as purely transactional rather than an ongoing compliance partnership
  • Failing to address non-conformities identified by the certification body within required timeframes

Related Controls Across Frameworks

  Framework   | Control ID | Relationship
  ISO 27001   | A.5.36     | Related

Frequently Asked Questions

How do we verify that a certification body is properly accredited?
Go straight to the source. Check your national supervisory authority's website and your national accreditation body's register. The EDPB also maintains a registry for EU-wide schemes. Do not take the certification body's word for it - verify independently.
Can a certification body revoke our certification?
Yes. If they determine the conditions for certification are no longer met - whether through a failed surveillance audit, a serious breach exposing systemic failures, or an unaddressed change in processing - they can revoke it. The supervisory authority can also instruct them to do so.
What is the relationship between the certification body and the supervisory authority?
The certification body operates under the supervisory authority's oversight. It must report on its activities, and the authority can review, suspend, or order revocation of certifications. If the certification body itself falls short of standards, the supervisory authority can withdraw its accreditation entirely.
