PART 2General processing
CHAPTER 2The GDPR
Accreditation of certification providers
17Accreditation of certification providers
1
Accreditation of a person as a certification provider is only valid when carried out by—
a
the Commissioner, or
b
the national accreditation body.
2
The Commissioner may only accredit a person as a certification provider where the Commissioner—
a
has published a statement that the Commissioner will carry out such accreditation, and
b
has not published a notice withdrawing that statement.
3
The national accreditation body may only accredit a person as a certification provider where the Commissioner—
a
has published a statement that the body may carry out such accreditation, and
b
has not published a notice withdrawing that statement.
4
The publication of a notice under subsection (2)(b) or (3)(b) does not affect the validity of any accreditation carried out before its publication.
5
Schedule 5 makes provision about reviews of, and appeals from, a decision relating to accreditation of a person as a certification provider.
6
The national accreditation body may charge a reasonable fee in connection with, or incidental to, the carrying out of the body’s functions under this section, Schedule 5 and Article 43 of the GDPR.
7
The national accreditation body must provide the Secretary of State with such information relating to its functions under this section, Schedule 5 and Article 43 of the GDPR as the Secretary of State may reasonably require.
8
In this section—
“certification provider” means a person who issues certification for the purposes of Article 42 of the GDPR;
“the national accreditation body” means the national accreditation body for the purposes of Article 4(1) of Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93.