Opinion 13/2026 on the draft decision of the Office of the Data Protection Ombudsman (FI SA) regarding the approval of the requirement for accreditation of a certification body pursuant to Article 43(3) GDPR

The European Data Protection Board has published Opinion 13/2026, endorsing a draft decision by the Finnish Data Protection Ombudsman to approve accreditation requirements for certification bodies under Article 43(3) GDPR. This opinion clarifies the standards that certification bodies must meet to be accredited for GDPR certification schemes, such as those for data processing seals or marks. It does not introduce new law but formalizes the criteria that national accreditation bodies will use when assessing these organizations.

This change primarily affects certification bodies seeking to offer GDPR-related certifications, as well as data controllers and processors in any sector that may wish to use accredited certification to demonstrate compliance. Organizations that rely on or plan to develop GDPR certification schemes should pay close attention, as the opinion sets a precedent for how other EU supervisory authorities may handle similar accreditation requests.

Compliance teams should review the opinion to understand the specific accreditation requirements, particularly around independence, expertise, and conflict-of-interest rules. If your organization uses or intends to use a certification body, verify that the body is accredited under these new standards. For those developing internal certification programs, begin aligning your processes with the criteria outlined in the opinion to ensure future accreditation readiness.