No obligation to use the IAF CertSearch database
I.
According to the IAF document “IAF MD 28:2023”, which has been in force since October 2024, certification bodies are to use the “iafcertsearch.org” database in accordance with IAF specifications.
DAkkS hereby clarifies that it does not apply the requirements of IAF MD 28:2023 in the accreditation procedure for accredited bodies. Non-application of IAF MD 28:2023 by certification bodies based in Germany and accredited according to ISO/IEC 17021-1 therefore does not give rise to objections by DAkkS in the accreditation procedure.
II.
DAkkS also points out that voluntary publication of certificate data on iafcertsearch.org, and thus the storage of that data in a third country, may be inadmissible under accreditation law. Conformity assessment bodies are requested to carefully check the legal admissibility before publishing anything on iafcertsearch.org.
Further information
To this end, DAkkS provides the following information:
A.
In principle, accredited conformity assessment bodies are subject to a strict confidentiality obligation. Clause 4.6 ISO/IEC 17021-1 (Confidentiality) stipulates:
“To gain the privileged access to information (…), it is essential that a certification body does not disclose any confidential information.”
Clause 8.4.3 ISO/IEC 17021-1 states: “(...) information about a particular certified client or individual shall not be disclosed to a third party without the written consent of the certified client or individual concerned.”
The conformity assessment body may therefore neither make information from the certification process, such as audit reports (Clause 9.4.8 ISO/IEC 17021-1) or the certification documents (Clause 8.2 ISO/IEC 17021-1), generally accessible to the public nor transfer it to third parties.
The transfer of certificate data (Clause 8.2 ISO/IEC 17021-1) to IAF Database LLC in the USA, and its onward transfer to QUALITY TRADE PTY. LTD. via the website iafcertsearch.org, would be inadmissible unless the customer has given its written consent, waived its right to confidentiality, and accepted the terms and conditions of IAF Database LLC and QUALITY TRADE PTY. LTD.
B.
If a conformity assessment body wishes to offer validity verification of certificates on its website, it must establish a process by which it can verify the legitimate interest of the requesting person on a case-by-case basis.
Clause 8.1.2 accordingly reads: “The certification body shall provide upon request information about (…)”
The “legitimate interest” of the requesting person must be clarified as part of the “request”. The confidentiality obligations agreed between the certification body and the customer must then be passed on to the requesting person, via the certification body's database, in a contractually binding manner. In cases involving foreign countries, the legal validity of such a contractual agreement and its enforceability in court must be checked and documented separately. Publication of certificate data (Clause 8.2 ISO/IEC 17021-1) without such a request procedure is possible only in non-security-critical areas, and only if the customer has expressly agreed to this procedure in advance in its contract with the certification body in accordance with Clause 5.1.2 (Certification Agreement).
The previous practice remains permissible: it can be contractually agreed with the customer that a requesting person's legitimate interest may be inferred from that person's possession of an identification feature (identification number).
In security-critical areas, the certification body cannot, as a rule, invoke Note 2 to Clause 8.1.2. The certificate data in accordance with Clause 8.2 ISO/IEC 17021-1 reflects information such as:
- the name and geographical location of each certified client
- the geographical location of the headquarters and any sites within the scope of a multi-site certification
- the scope of certification with respect to the type of activities, products and services as applicable at each site
Where the certified customer is, for example, a critical infrastructure within the meaning of the BSI Ordinance Determining Critical Infrastructures of 22 April 2016 (Federal Law Gazette I p. 958; Federal Law Gazette 2023 I No. 339), a facility of the Federal Armed Forces or the Federal Ministry of Defence, or a defence company, the operator of the critical infrastructure or the institution with relevance for national and alliance defence must therefore be given the opportunity to consult its competent security authorities in advance on the assessment of the risk of publication or disclosure of certificate data (see Note 1 to Clause 8.1.2 ISO/IEC 17021-1).
The following certification programmes are rated as particularly sensitive:
- ISO 9001 quality management systems in the EA Codes:
  11. Nuclear fuel
  21. Aerospace
  25. Electricity supply
  26. Gas supply
  27. Water supply
  31. Transport, storage and communication
  32. Financial intermediation; real estate; renting
  33. Information technology
  36. Public administration
  38. Health and social work
  39. Other social services
  and at critical infrastructures and facilities of the German Armed Forces or the defence industry or their suppliers
- ISO/IEC 27001 Information security, cybersecurity and privacy protection – Information security management systems
- ISO 50001 Energy management systems
- EN 9104-001 Aerospace series – Quality management systems
- ISO 19443 Quality management systems for organisations in the supply chain of the nuclear energy sector
- ISO 13485 Medical devices – Quality management systems – Requirements for regulatory purposes
- DIN EN 15224 Quality management systems for healthcare
- ISO 7101 Healthcare organization management
- ISO/IEC 42001 Information technology – Artificial intelligence – Management system
- DIN EN ISO 22163 Railway applications – Railway quality management system
- DIN EN ISO 22301 Security and resilience – Business continuity management system
- DIN EN ISO 22000 Food safety management system
- DIN EN ISO 41001 Facility management – Management systems
- DIN EN ISO 29001 Petroleum, petrochemical and natural gas industries – Sector-specific quality management systems
Before publishing any data on iafcertsearch.org, certification bodies must clarify and document its admissibility with both the customers concerned and the responsible supervisory authorities.