GDPR Certification for Data Processors: the CNIL launches consultation on a draft evaluation scheme
Certification allows professionals to communicate about the level of data protection offered by their products, services, processes, or information systems. To develop a set of criteria tailored to data processors, the CNIL is opening a public consultation that runs until February 28th, 2025.
Facilitating Demonstration of GDPR Compliance in a Data Processing Context
Both the data processor and the data controller are bound by obligations under the GDPR.
The processor's obligations apply to every organization that processes personal data on behalf of another organization (the data controller) as part of providing a service. This includes:
- IT service providers (hosting, maintenance...);
- Software integrators;
- IT security companies;
- Digital service companies that have access to data;
- Marketing or communication agencies that process personal data on behalf of their clients.
For its part, the data controller is required, when engaging a processor to process personal data on its behalf, to use only trusted processors that provide sufficient guarantees of meeting GDPR requirements (Article 28 of the GDPR).
This certification will help guide data controllers in choosing their processors: it ensures that the processing carried out by the processor has been evaluated as compliant with the criteria acknowledged by the CNIL.
Who Can Apply for This Future Certification?
Any organization (public or private) established in Europe that processes personal data on behalf of a data controller will be eligible to apply for this certification.
Small and medium-sized enterprises are particularly encouraged to respond to this consultation: the criteria have been designed to offer them a certification that sets an ambitious yet accessible level for processors willing to commit to improving their data protection maturity.
Furthermore, the project takes a generalist approach so that a wide variety of data processing operations can be certified with the same compliance tool. The proposed criteria are open to the use of any technology and to stakeholders from all sectors.
The accredited certification body will conduct its assessment according to the data processing context, drawing on all recommendations and resources published by the CNIL (by actor/sector or by main theme) to determine whether each criterion is met.
What Will the Assessment Consist of to Obtain Certification?
To obtain certification, it will be necessary to demonstrate compliance with each criterion. The scheme consists of 90 control points organized according to the chronology of implementing personal data processing carried out on behalf of a data controller:
- Part 1: contracting;
- Part 2: preparing the processing environment, including security measures required in the criteria appendix;
- Part 3: processing implementation;
- Part 4: processing completion.
A fifth part incorporates criteria relating to action plans that the processor must carry out during the certification period, which will be three years, renewable.
The processor is free to determine which service it wishes to have certified, according to its needs. With the certification body's assistance, the target of evaluation will be defined on that basis, and all data processing operations involved will then be examined against the criteria.
Because the assessment focuses on the operational implementation of processing, certification is better suited to "turnkey" or "off-the-shelf" services offered by processors. However, "custom" services or new services from startups can also be submitted for certification a few months after the effective start of the data processing entrusted to the processor, including in the context of a proof of concept.
What is the Consultation Timeline and Who Can Contribute?
This public consultation on the draft certification criteria will end on February 28th, 2025.
The CNIL wishes to enable the widest possible participation in this public consultation (natural or legal persons, public or private bodies, service providers or clients, data protection officers...).
It particularly wishes to mobilize small and medium-sized enterprises that could use certification to strengthen trust with their clients when the services they provide involve personal data processing.
Responses to the public consultation can be collective and made through federations, associations, etc.
A form consisting of 6 questions is provided for sharing your general observations and expectations for this certification. More specific feedback, focusing on one or more criteria, will also help the CNIL refine its project.