On April 18, 2024, the Norwegian data protection authority (Datatilsynet) published a list of requirements that must be met by monitoring bodies in order to be accredited. This list of requirements is based on Article 41(1) of the General Data Protection Regulation (GDPR) the European Data Protection Board's (EDPB) guidelines on standards of conduct and control bodies.

In order for a monitoring body to be accredited, the Datatilsynet outlines that the monitoring body must:

• show that it is independent and has in-depth knowledge;
• establish procedures that make it possible to assess whether affected data controllers and data processors meet the conditions for application of the Code of Conduct;
• determine the procedures and routines for handling complaints; and
• show that their tasks or duties do not lead to a conflict of interest.

Regarding the application process, in addition to meeting the abovementioned criteria, monitoring bodies must submit applications for accreditation in writing to the Datatilsynet in Norwegian or English. Applications must contain at least the following information:

• information on the applicant (for example, organization numbers);
• applicant's place of residence or business address, which must be in the European Economic Area (EEA);
• contact information to be used for communicating about the application;
• specification of the type of control body (whether internal or external);
• specification of the standard for which accreditation is sought;
• scope (whether the standard should apply nationally or transnationally); and
• relevant documents and previous correspondence with the Datatilsynet.  

You can read the press release here and the list of requirements here, both only available in Norwegian.