Published on 1 November 2011 by Laure Marolleau

The French data protection authority launches its certification process

Companies that comply with the legislation on the protection of personal data in relation to data processing audit procedures and privacy training may now lodge an application with the Commission Nationale de l’ Informatique et des Libertés (French Data Protection Authority or hereinafter the “CNIL”) in order to obtain a privacy seal. The privacy seal granted by the CNIL will serve as a proof that the procedures implemented by these companies comply with the provisions of the Loi Informatique et Libertés (literally the Law on Information Technology, Data Files and Civil Liberties, hereinafter the “Data Protection Act”)

CNIL’s certification process

In 2009, the Data Protection Act had been amended to address a new assignment vested in the CNIL, certification. Certification and the grant of privacy seals is made by the CNIL, at the request of professional organizations or institutions that mainly comprise data controllers.

The Data Protection Act stipulates that the CNIL may issue a privacy seal in relation to ”products or procedures intended to protect individuals with respect to the processing of personal data, once it has recognized them as in compliance with the provisions of the Act.”

Yet, until now, the CNIL had not determined the terms and conditions in which privacy seals could be applied for and, as the case may be, granted.

It was only on September 8, 2011 that the CNIL amended chapter IV “Certification Process” of its internal rules and policies in order to lay down the conditions in which it would exercise its newly vested privacy seal award power.^[1]

The CNIL thus defined the procedures to be implemented, e.g. the setting of baseline evaluation standards, in order to evaluate applicants’ products or procedures and determine whether the privacy seal should be granted.

Creation of a CNIL’s privacy seal

The first step in the CNIL certification process is to establish “baseline standards defining the features that must have a product or a procedure to be recognized as complying with the provisions of the Data Protection Act”.

A baseline standard consists of a list of requirements that a product or procedure must meet to be granted a privacy seal.

On November 3, 2011, the CNIL adopted the first two evaluation baseline standards. Such standards apply to:

1) Companies specialized in personal data processing audit procedures^[2].

The aim of a data processing audit is to verify the compliance of the data processing procedure(s) applied by a corporate client with the provisions of the Data Protection Act. This audit procedure can be conducted either by external service providers (consultants, lawyers, etc.) or internally by the company itself. The baseline standards describes the manner in which the audit must be prepared, conducted and completed. It also includes requirements applicable to the organization conducting the audit and to the auditors themselves.

2) Companies that conduct privacy training programs on topics addressed by the Data Protection Act (protection of liberties and privacy matters)[1].

This standard defines the requirements to be met by trainers, the rules applicable to the conduct of the training program and to the content of the training program itself.

These two baseline standards have been developed at the request of professional organizations, i.e. the so-called EBIOS Club (community of experts specialized in risk management) and the Association Française des Correspondants aux Données Personnelles (French association of Data Protection Officers). As indicated, the request for the creation of a baseline standard may be filed either by a professional organization or institution that mainly comprises data controllers. Basically, a request is made to CNIL to adopt a new baseline standard on a specific category of products or procedures but the CNIL has no obligation to grant such a request.

Thanks to the privacy seals that may be issued by the CNIL on the basis of the baseline standards , consumers and users will be able to identify (and, therefore, potentially opt for) products or procedures that guarantee a high level of protection of personal data. The CNIL privacy seal serves as some sort of “confidence indicator” For companies, the interest is clearly to differentiate themselves from competitors through the quality of offered products or procedures.

The adoption of these two baseline standards covering data processing audit procedures and privacy training is less about certifying products or procedures intended for consumers than certifying organizations responsible for verifying due compliance with French data protection and privacy rules. Yet, this is just a first step in the CNIL certification process. Other baseline standards will soon be developed. The next one should concern software and IT systems.

As a result, any organization, whose data processing audit procedure or privacy training programs meets the baseline standards adopted on November 3, 12011 may now file an application to be granted a privacy seal from the CNIL.

Grant of privacy seals by the CNIL

In practice, to apply for the grant of privacy seal by the CNIL, applicants must download the application file from the CNIL’s website (www.cnil.fr), fill it out and send it back (by post mail or email) with all the required information.

The CNIL has then two months to examine whether the application file should be accepted. It must notably make sure that the product or procedure for which the privacy seal is sought complies with the requirements set forth in the relevant baseline standard. Once the privacy seal has been granted, it shall remain effective for a period of three years and may be renewed within six month before its expiry date.

The organization to which the privacy seal has been granted may then use the “privacy seal CNIL” logo:

The decision to grant, withdraw or renew a privacy seal are made public and the CNIL must make available on its website the list of products and procedures for which a privacy seal has been granted. This list must indicate the name of the holder of the privacy seal as well as the date of expiry of the seal.

[1] Deliberation no 2011-249 of September 8, 2011 amending Article 69 of CNIL’s internal rules and policies and creating Chapter IV bis entitled “Certification process”

[2] Deliberation n°2011-316 of October 6, 2011 for the adoption of a baseline standard for the grant of privacy seals in relation to data processing audit procedures intended to protect individuals with respect to the processing of personal data, published in the Official Journal on November 3, 2011.

[3] Deliberation n°2011-315 of October 6, 2011 for the adoption of a baseline standard for the grant of privacy seals in relation to privacy training programs intended to protect individuals with respect to the processing of personal data, published in the Official Journal on November 3, 2011.