Certification bodies
Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, certification bodies having the appropriate expertise in relation to data protection shall, where appropriate, after notification to the supervisory authority for the purpose of exercising its powers under point (h) of Article 58(2), issue and renew the certificate. Member States shall ensure that such certification bodies are accredited by one of the following:
(a) the supervisory authority competent under Article 55 or 56;
(b) the national accreditation body designated in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council, in accordance with EN-ISO/IEC 17065/2012 and with the additional requirements established by the competent supervisory authority pursuant to Article 55 or 56.
The certification bodies referred to in paragraph 1 may be accredited under this paragraph only if they:
(a) have demonstrated, to the satisfaction of the competent supervisory authority, their independence and competence in the certification subject;
(b) have undertaken to comply with the criteria referred to in Article 42(5), which have been approved by the competent supervisory authority under Article 55 or 56 or, in accordance with Article 63, by the Committee;
(c) have established procedures for the issuance, periodic review and revocation of data protection certification mechanisms, data protection seals and marks;
(d) have established procedures and structures to address complaints about violations of the certification or the manner in which it has been or is being implemented by the controller or processor, and to make those procedures and structures transparent to data subjects and the public; and
(e) demonstrate to the satisfaction of the competent supervisory authority that their duties and tasks do not lead to a conflict of interest.
The accreditation of the certification bodies referred to in paragraphs 1 and 2 of this Article shall be carried out on the basis of criteria approved by the supervisory authority competent under Article 55 or 56 or, in accordance with Article 63, by the Committee. In the case of accreditation under paragraph 1(b) of this Article, those requirements shall be in addition to the requirements of Regulation (EC) No 765/2008 and the technical rules describing the methods and procedures of the certification bodies.
The certification bodies referred to in paragraph 1 shall be responsible for the proper assessment leading to certification or the withdrawal of such certification, without prejudice to the responsibility of the controller or processor for compliance with this Regulation. Accreditation shall be issued for a maximum period of five years and shall be renewable under the same conditions, provided that the certification body continues to meet the requirements set forth in this Article.
The certification bodies referred to in paragraph 1 shall inform the competent supervisory authorities of the reasons for issuing or withdrawing the requested certificate.
The requirements referred to in paragraph 3 of this Article and the criteria referred to in Article 42(5) shall be made publicly available by the supervisory authority in an easily accessible form. Supervisory authorities shall also communicate those requirements and criteria to the Committee. The Committee shall collect all certification mechanisms and data protection seals in a register and make them publicly available through appropriate channels.
Without prejudice to Chapter VIII, if the conditions for accreditation are not or are no longer fulfilled or if the measures taken by a certification body violate this Regulation, the competent supervisory authority or the national accreditation body shall withdraw the accreditation issued to a certification body pursuant to paragraph 1 of this Article.
The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of further specifying the requirements to be taken into account for the data protection certification mechanisms referred to in Article 42(1).
The Commission may adopt implementing acts providing for technical standards for certification mechanisms and data protection seals and marks and mechanisms to promote and recognise those certification mechanisms and data protection seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).