Ordinance on Data Protection Certification
Section 4: Final Provisions
Annex
Minimum Qualification Requirements for Staff
1. Certification of management systems
The staff who certify management systems must, when taken together, hold the following qualifications:
- knowledge of the field of data protection law: a minimum of two years’ practical experience in the field of data protection or a successfully completed course of studies of a minimum of one year in duration at a university or university of applied sciences with data protection law as the main subject;
- knowledge of the field of information security: a minimum of two years’ practical experience in the field of information security or a successfully completed course of studies of a minimum of one year in duration at a university or university of applied sciences with information security as the main subject;
- knowledge of developments in data protection law and in information security;
- training as a management systems auditor which meets the internationally specified requirements of the following standards in particular:
  - SN EN ISO/IEC 17021-1, Conformity assessment, Requirements for bodies providing audit and certification of management systems, Part 1: Requirements,
  - SN EN ISO/IEC 17021-3, Conformity assessment, Requirements for bodies providing audit and certification of management systems, Part 3: Competence requirements for auditing and certification of quality management systems, and
  - SN EN ISO/IEC 27006, Information technology, Security techniques, Requirements for bodies providing audit and certification of information security management systems.
The certification body must have qualified staff for the individual fields. The assessment of management systems by an interdisciplinary team is permitted.
2. Certification of products, services and processes
The staff who certify products, services or processes must, when taken together, hold the following qualifications:
- knowledge of the field of data protection law: a minimum of two years’ practical experience in the field of data protection or a successfully completed course of studies of a minimum of one year in duration at a university or university of applied sciences with data protection law as the main subject;
- knowledge of the field of information security: a minimum of two years’ practical experience in the field of information security or a successfully completed course of studies of a minimum of one year in duration at a university or university of applied sciences with information security as the main subject;
- knowledge of developments in data protection law and in information security;
- specialist knowledge relating to the certification of products, services or processes that meets the requirements for certification programmes and FDPIC’s guidelines as well as the internationally specified requirements, in particular in accordance with the applicable technical standards and the standard «SN EN ISO/IEC 17065, Conformity assessment, requirements for bodies certifying products, processes and services».
The certification body must have qualified staff for the individual fields. The assessment of products, services and processes by an interdisciplinary team is permitted.