GDPR certification of subcontractors: a major step forward for data protection
In a constantly evolving digital world, the protection of personal data has become a crucial issue for companies. The French National Commission for Information Technology and Civil Liberties (CNIL) has just taken an important step by launching a GDPR certification initiative for subcontractors. This approach promises to significantly simplify the process of selecting trusted partners for data processing, while strengthening compliance with the General Data Protection Regulation (GDPR).
A response to the challenges of data outsourcing
Outsourcing data management is a common practice for many companies. Whether it’s hosting service providers, marketing agencies or software publishers, these subcontractors play a crucial role in the processing of personal data. However, this practice is not without risk. Article 28 of the GDPR requires data controllers to ensure that their subcontractors provide “adequate guarantees” regarding data protection. This obligation, while necessary, can be complex to implement and can sometimes hinder potential collaborations.
The CNIL takes the lead with a dedicated certification
To meet this challenge, the CNIL has launched an ambitious initiative: the creation of a GDPR certification specific to subcontractors. This approach aims to simplify the process of selecting trusted partners for data controllers. The CNIL has opened a public consultation that will continue until February 28, 2025. This consultation phase allows all stakeholders – subcontractors, DPOs, data controllers – to contribute to the process by answering six key questions [1]. This relatively tight schedule suggests that the first certifications could be issued as early as 2025, marking rapid and concrete progress in the field of data protection.
Certification accessible to a wide range of stakeholders
One of the most promising aspects of this initiative is its inclusiveness. The certification will be accessible to all private companies and public bodies established in Europe that process personal data on behalf of third parties [3]. Certified subcontractors will benefit from a recognition valid for three years, renewable thereafter. This duration ensures continuous compliance while offering significant stability to certified companies. A particularly interesting point is the flexibility of the certification scope. Candidates will be able, in agreement with the certification body, to define the scope of their certification. This means that it will be possible to obtain certification for a specific service, thus allowing fine granularity in the assessment of conformity [3]. The CNIL has specified that while turnkey services will be particularly targeted, tailor-made solutions will not be left out and will also be able to apply for certification. This inclusive approach should allow a wide range of service providers to promote their commitment to data protection.
An ambitious benchmark of 90 criteria
To ensure the robustness and relevance of this certification, the CNIL has developed a reference framework comprising 90 evaluation criteria [5]. These criteria cover the entire life cycle of data processing, from the contractualization with the data controller to the closure of the processing, including preparation and implementation. The four main stages of the framework are:
- Contractualization with the data controller
- Preparation of the processing and the associated security measures
- Implementation of the processing
- Closure of the processing
A fifth step, concerning the action plan to be followed during the certification period, completes this system. This global approach ensures a complete and continuous assessment of the compliance of subcontractors. The draft reference document, although not final, is already available on the CNIL website [5]. It provides a detailed overview of the 90 criteria, allowing stakeholders to familiarize themselves with the certification requirements and prepare for them in advance.
A balance between ambition and accessibility
The CNIL has clearly expressed its ambition to create a certification "which sets an ambitious level while remaining accessible to subcontractors who agree to engage in a process of improving their maturity in terms of data protection" [3]. This balanced approach is crucial. It aims to raise the general level of data protection while avoiding creating insurmountable barriers for market players, particularly SMEs and small structures. Indeed, the CNIL has stressed the importance of mobilizing small and medium-sized enterprises in this certification process [6]. These structures, often limited in the means they can dedicate to compliance, will be able to find in this certification a valuable tool to strengthen the confidence of their customers and partners.
Implications for the future of data processing
The launch of this GDPR certification of subcontractors by the CNIL marks a turning point in the European data protection ecosystem. It promises many advantages:
- Simplification of the choice of subcontractors for data controllers
- Building trust among market players
- Encouragement of continuous improvement of data protection practices
- Supporting SMEs in their compliance efforts
- Contribution to the establishment of a climate of general trust around digital exchanges
Ultimately, this initiative could lead to a significant increase in consumer confidence in digital services, benefiting the entire sector.
Conclusion
The GDPR certification of processors launched by the CNIL represents a major step forward in the field of personal data protection. By simplifying the process of selecting processors while ensuring a high level of compliance, this initiative promises to streamline relations between data controllers and processors, while strengthening the protection of European citizens' data. While the public consultation continues, all players in the sector are encouraged to participate in order to help shape a framework that will best meet the needs of the market while respecting the requirements of the GDPR. Time will tell whether this certification will become an essential standard in the European digital landscape, but it already represents an important step towards better protection of personal data.