PART 2General processing

CHAPTER 2 The UK GDPR

Certification

17Accreditation of certification providers

(1)

Accreditation of a person as a certification provider is only valid when carried out by—

(a)

the Commissioner, or

(b)

the F1UK national accreditation body.

(2)

The Commissioner may only accredit a person as a certification provider where the Commissioner—

(a)

has published a statement that the Commissioner will carry out such accreditation, and

(b)

has not published a notice withdrawing that statement.

(3)

The F2UK national accreditation body may only accredit a person as a certification provider where the Commissioner—

(a)

has published a statement that the body may carry out such accreditation, and

(b)

has not published a notice withdrawing that statement.

(4)

The publication of a notice under subsection (2)(b) or (3)(b) does not affect the validity of any accreditation carried out before its publication.

(5)

Schedule 5 makes provision about reviews of, and appeals from, a decision relating to accreditation of a person as a certification provider.

(6)

The F3UK national accreditation body may charge a reasonable fee in connection with, or incidental to, the carrying out of the body's functions under this section, Schedule 5 and Article 43 of the F4UK GDPR.

(7)

The F5UK national accreditation body must provide the Secretary of State with such information relating to its functions under this section, Schedule 5 and Article 43 of the F6UK GDPR as the Secretary of State may reasonably require.

(8)

In this section—

certification provider” means a person who issues certification for the purposes of Article 42 of the F7UK GDPR;

the F8UK national accreditation body” means the F8UK national accreditation body for the purposes of Article 4(1) of Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93.