The certification process specified in the Data protection Act since 2004  still had to be specified by the CNIL to make the data protection seal effective.

The long awaited CNIL decision has been published on September 2011. It modifies the CNIL internal rules to determine the data protection seal process :

•     a data protection seal committee is created within the CNIL to provide guidelines concerning the data protection certification, to establish the criteria required to obtain a data protection seal and to evaluate the compliance of products and processes with these criteria ;
•     the creation of a data protection seal can be requested to the CNIL only by a professional organisation or an institution. Such seal will be created if the CNIL considers that it is appropriate for the Commission to do so. If such is the case, the CNIL will define the criteria that a product or process must follow to obtain the seal (« référentiel ») ;

 

•     once the criteria have been determined for a type of product or process a reference document is issued. Products and processes for the which it is claimed for the benefit of the seal, must follow a procedure of evaluation of compliance with the reference document :

• • an application for a data protection seal can be filed by a single entity or by several entities if the use of the product or process will be gathered by these entities. In this last case, the application must include the commitment of each of these entities to maintain their collaboration for the duration of the seal ;
  • the application must include a description of the product or the process and its data protection objectives or guarantees ;
  • the CNIL analyses the admissibility of the application within 2 months and, in principle, communicates its decision to the applicant. Silence within these 2 months means that the application is rejected (e.g. the application does not contain all the information required) ;
  • if the application is considered admissible then the CNIL analyses whether the product or process complies with the criteria of the data protection seal. To do so, the CNIL can submit the product/process to certain tests, ask for the communication of any useful document or interview any person entitled to provide useful information on the product/process concerned;
  • the CNIL takes its decision to grant or not the data protection seal in plenary assembly. The decision is taken on the basis of a report issued by a reporter at the end of the appraisal process;
  • the decision of the CNIL, wherever positive or negative, is communicated to the applicant within 8 days following the date of the plenary assembly ;
  • when the data protection seal is granted, the CNIL specifies the conditions of use of the « CNIL seal » by the concerned entity.

The data protection seal is granted for three years (renewable). Renewal is not automatic. The concerned entity must apply for a renewal 6 months before the end of these three years.The data protection seal may be withdrawn if the CNIL gains knowledge of the fact that the product or process is not compliant anymore with the criteria of the concerned data protection seal. In such a case, the CNIL notifies it to the concerned entity which has one month to take corrective action. If it fails to do so, the data protection seal is withdrawn.The CNIL will start with issuing seals for procedures of audits and for training programmes.

Pascale Gelly & Caroline Doulcet
Published in the Privacy Advisor the IAPP newsletter Oct 2011 Volume 11 n°8

www.legifrance.gouv.fr/affichTexte.do