Norway: Datatilsynet publishes additional requirements for accreditation of certification bodies

On June 20, 2024, the Norwegian data protection authority (Datatilsynet) announced that it had published its additional requirements for the accreditation of certification bodies, based on Article 43(2) of the General Data Protection Regulation (GDPR) and the European Data Protection Board's (EDPB) Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679).

The additional requirements outline that, in addition to the requirements under ISO 17065, certification agreements should, among other things:

  • require applicants to always comply with the general certification requirements under §4.1.2.2(a) of ISO 17065 and the criteria approved by the Datatilsynet or the EDPB;

  • require applicants to allow full transparency to the Datatilsynet with respect to the certification procedure, including any confidential materials;

  • not reduce the responsibility of applicants for compliance with the GDPR;

  • require applicants to provide the certification body with all information and access to its processing activities which are necessary to conduct the certification procedure;

  • require applicants to comply with applicable deadlines and procedures;

  • set out the rules of validity, renewal, and withdrawal, including rules setting appropriate intervals for reevaluation or review;

  • allow the certification body to disclose to the Datatilsynet the reasons for granting or withdrawing the certification and the information the Datatilsynet will need to provide to the EDPB to enable the EDPB to include the certification mechanism in a publicly available register;

  • include rules on the necessary precautions for the investigation of complaints in a transparent and easily accessible manner;

  • require applicants to inform the certification body in the event of significant changes in its actual or legal situation and in its products, processes, and services concerned by the certification; and

  • require applicants to inform the certification body of any GDPR infringements that may affect certification.

You can read the press release here, only available in Norwegian, and the additional requirements here.