ParticuliersProfessionnelsPresse
FrEnGestionnaire de cookies
  1. Accueil
  2. Public Consultation – GDPR Certification of Data Processors

Public Consultation – GDPR Certification of Data Processors

  • Consultation
  • Terminé

The CNIL encourages stakeholders to consolidate their comments, when possible, into a single contribution by pooling different internal feedback or by working with their federation.

Contributions submitted to the CNIL in this context are not public, and their confidentiality will be ensured. These may be summarized and presented as part of any public consultation synthesis published by the CNIL after its completion. These summaries or syntheses will not contain any personal information regarding the identity of respondents or the organization to which the respondent belongs.

It should be noted, however, that contributions could be subject to an access request as administrative documents (code of relations between the public and administration). In your contribution, indicate any elements protected by literary or artistic property rights (specify, in this case, whether or not you allow their communication), or by trade secrets. Note that CNIL is not bound to follow your assessment of what is protected or not.

 

Introduction

The following questions aim to identify your main expectations for a processor certification and to adjust the level of protection required to access it.

More detailed feedback, focusing on one or multiple criteria of the reference framework, will also allow CNIL to adapt its project more specifically. In expressing your expectations, certain inherent limitations of certification should be considered.

In particular, it should be emphasized that the evaluation carried out to certify an “turnkey or off-the-shelf” service is not exhaustive: it is generally not conducted in the context of each processor's client. Indeed, depending on the number of processor's clients, the certification body may need to conduct its verifications through sampling, for example by selecting a limited number of clients to verify compliance with a criterion.

Thus, certification is not a suitable tool for guaranteeing the controller's implementation of any negotiated contractual clauses or specific instructions in the context of its processing, beyond those explicitly listed by the criteria.

This certification is also not intended to establish the processor's compliance with obligations incumbent upon its clients (controllers) or its further sub-processors. Furthermore, the proposed certification does not constitute a transfer tool for implementing transfers outside the European Union with appropriate guarantees under Article 46 of the GDPR.

Contact information
Your organization is located in :


 

Q1: You are responding to this consultation as:


 

Q2: What are your main expectations for GDPR certification of processors?

1 to 3 possible answers
 


 

Q3: What are the GDPR compliance themes or sources of difficulty that this certification should address?

1 to 3 possible answers
 


 

The following questions are based on detailed points in the draft evaluation scheme submitted to consultation.

Consult the draft (in French)

 


 

Q5: Among the following requirements imposed on the processor to obtain certification, which ones seem to constitute too significant or deterrent an obstacle?

1 to 3 possible answers
 


 

Q6: Among the following requirements that are not imposed on the processor to obtain certification, which ones seem necessary?

1 to 3 possible answers
 

The CNIL processes the data collected via this form in order to analyse the comments of the participants with a view to adopting the draft. The data are also collected to produce statistics on contributions and, if necessary, to contact contributors in order to deepen the exchanges or keep them informed of the outcome of the consultation. The legal basis for the processing if the performance of a task carried out in the public interest. The data are communicated to the CNIL departments responsible for the analysis of the responses provided.

You can access your data, object to their processing, request their rectification or erasure. You can also exercise your right to limit the processing of your data.

If you want to learn more about the processing of your data, click here.