On December 23, 2024, the CNIL announced the opening of a public consultation on a draft "Framework for the GDPR certification of processors" [1] (the "Certification framework").
Under Article 28 of the GDPR [2], a controller wishing to entrust a processor with processing carried out on its behalf may only use "processors providing sufficient guarantees to implement appropriate technical and organisational measures" such that the processing meets the requirements of the GDPR and ensures the protection of the rights of data subjects.
In this context, the certification will allow processors to attest that the processing they carry out on behalf of third parties complies with the GDPR, and thus strengthen their competitiveness on the market. For controllers, the certification offers a pragmatic way of selecting service providers. Note that, under Article 28(5) of the GDPR, adherence to an approved certification mechanism may be used as an element to demonstrate sufficient guarantees; it does not replace the controller's own assessment or the written contract required by Article 28(3).
Any public or private organization established in the European Union, or in a member state of the European Economic Area, carrying out personal data processing on behalf of a controller, may apply for the certification.
The certification, valid for a renewable period of three years, will be issued by an approved certification body responsible for assessing the processing operation(s) submitted for certification against the 90 criteria detailed in the Certification framework and its appendix on security measures.
It will be up to the processor to identify the processing operation(s) and service(s) it wishes to submit for certification, it being specified that only processing operations subject to the GDPR and carried out on behalf of clients that are themselves subject to the GDPR may be certified.
As the CNIL points out, the Certification framework "follows a generalist approach to enable the certification of a wide variety of processing operations", regardless of the technology used or the business sector.
The public consultation remains open until February 28, 2025.