All you should know about privacy seals


Frequently asked questions about our standard

What is a privacy seal from the CNIL?

It is a recognition by the CNIL that a product or a procedure is compliant with the provisions of the French data protection act. This privacy seal is delivered with regard to a standard adopted by the CNIL and published in the “Journal officiel”.

What is the point of obtaining the privacy seal?

The privacy seal informs the public that the procedure or product proposed corresponds to the requirements of the Data Protection Authority. In this, it plays the role of a confidence indicator. It does not aim to exempt its holders from administrative formalities.

What does a project or procedure that has CNIL’s privacy seal bring to me?

A privacy seal from the CNIL can improve the trust of users in the conditions for protecting their privacy provided by some products or procedures.

It is also a competitive advantage for the organisations which have this privacy seal.

What legal texts is the certification procedure based on?

The CNIL's certification power arises from article 11 3 (c) of the Act dated 6 January 1978, as amended.

The CNIL's internal regulations specify the applicable procedure.

Since the law relative to consumption dated 17 March 2014, the CNIL has been able to create new standards at its own initiative.

What is a standard?

It is a list of requirements defined by the CNIL that the product or procedure must satisfy in order to obtain the privacy seal. These requirements represent criteria for evaluating not only the compliance of a product or procedure, but also its value added with regard to the provisions of the French data protection act.

What are the conditions under which a product or procedure may be certified?

To be certified, the product or procedure must be compliant with one of the CNIL's standards. These standards go beyond the obligations specified by the Act.

What are the currently-available standards?

4 standards currently exist. In 2011, the CNIL adopted a standard for the audit procedures covering the processing of personal data, and one for "Data Protection" training courses. In 2014, the Data Protection Authority adopted 2 new standards: one for digital safe boxes and one for Personal Data governance procedures.

What is a processing audit procedure?

A processing audit checks the compliance of processing with the French data protection act. The procedure describes the various stages and processes according to which such an audit must be prepared, implemented and finalised. It also includes requirements relative to the organisation performing the audit, and the auditors themselves.

Can I obtain a privacy seal from the CNIL for the processing carried out by my company?

No, the processing audit privacy seal delivered by the CNIL does not directly apply to processing carried out. It applies to the audit procedure which is used to check that these processes are compliant with the French data protection act.

Can I request a privacy seal from the CNIL for my organisation's processing audit procedure?

Yes, the CNIL's privacy seal can be issued for processing audit procedures carried out by service providers (consulting firms, lawyers, etc.) or by organisations (in this case, we speak of an internal audit).

Can I request a privacy seal from the CNIL for a training course that I produce within my organisation?

Yes, the CNIL's privacy seal can be delivered for training courses internal to the organisation.

Can I request a privacy seal from the CNIL for an e-learning training course?

Yes, the CNIL's privacy seal can be delivered for training courses given either in the classroom or via e-learning, providing they meet the requirements of the standard.

What is a digital safe box?

A digital safe box differs from a storage space in that the data that is stored there (documents and some metadata) is only accessible to the holder of the safe box, and to any persons whom he/she may have mandated.

Who can apply for the digital safe box privacy seal?

Service providers who operate a digital safe box (operators) or offer one to users (suppliers) may apply for the privacy seal. The request may therefore be made jointly by the operator and its customer (the supplier).

If it performs the role of supplier of the service to private individuals, the operator alone may make the request for the privacy seal in its name.

What is meant by "Data Protection Governance"?

It means all measures, rules and best practices for managing an organisation's personal data.

How does the Data Protection Authority assess the Data Protection Governance of an organisation?

The Data Protection Authority examines the compliance of the organisation's request for certification with the 25 requirements of the standard, all cumulative, which relate to three topics: internal organisation of the management of personal data; the procedure for checking compliance of processing with the Act; the management of complaints and incidents.

Who may request a privacy seal?

Anyone, whether a natural person or a legal entity, whose procedure or product corresponds to a standard published by the CNIL.

How can one obtain a privacy seal?

If a standard has already been published, the applicant sends their request using the form which is distributed on the Data Protection Authority's website. The applicant must provide all elements demonstrating that its procedure or product is compliant with the requirements of the standard.

What should be done if no standard corresponds to your procedure or product?

If there is no published standard, you should contact a professional organisation or an institution that mainly groups data controllers, which may make your request to the Data Protection Authority.

The Data Protection Authority may also, on its own initiative, create a new standard if it reflects a market requirement as identified by various stakeholders.

What is the difference between a request for creation of a privacy seal and a request for delivery of a privacy seal?

A request for creation of a privacy seal corresponds to a request from professional organisations or institutions supporting the creation of a standard on a new category of procedures or products.

A request for delivery of a privacy seal is a request made by an organisation (which may or may not be the organisation originating the creation of the standard) to obtain a privacy seal for a procedure (or product) that it is implementing.

Can two separate entities which offer a common service make a request for a privacy seal?

Yes, in that case we speak of a "joint privacy seal". In return, they must undertake to maintain their collaboration.

How long does the procedure take for obtaining a privacy seal?

Examination of the application for certification takes place in two stages: the admissibility of the application and the examination.

The CNIL has 2 months to analyse the admissibility of an application. Failing this, it is deemed to be admissible (the "DCRA" Act dated 23/10/2014).

The period of examination varies according to the initial rate of compliance and the number of exchanges with the Data Protection Authority. The privacy seal must be delivered within 6 months from reception of the last elements necessary to satisfy the requirements of the standard.

What is the procedure for examining requests?

Exchanges may take place between the privacy seal division and the applicant to clarify some points in the application. When this is complete, it is presented to the certification committee, then in plenary session.

How is the privacy seal granted?

The decision to deliver a privacy seal is made by the Data Protection Authority meeting in its plenary configuration. It is sent to the applicant, accompanied by personalised logos in the name of the holder of the privacy seal, as well as the regulations for using the brand, and it is published on the CNIL’s website, then on Légifrance.

Can one appeal a refusal by the CNIL to deliver a privacy seal?

There is no appeal procedure as such, all the more so as refusal of a privacy seal is not made public. However, as with all decisions by the CNIL, it is possible to appeal to the Conseil d’Etat within two months to obtain cancellation.

During what period of time can one claim assignment of the privacy seal?

The privacy seal is delivered for three years.

What should be done when the three-year deadline expires?

A request to renew the privacy seal must be made at least 6 months before its expiry date.

What should be done if the product or procedure is modified during the validity period of three years?

It should be reported to the CNIL, which will assess whether or not the modification is substantial. If it is considered important, it may require new evaluation of the compliance of the product or procedure with the standard.

Does the holder of a CNIL privacy seal have any obligations to the Data Protection Authority?

The obligations of the holder are described in the standard, in the decision delivering the privacy seal and in the usage regulations which are sent to them (for example, the transmission of an activity report after the first year; unequivocal use of the personalised logo, etc.).

Does the Data Protection Authority check that the holder is always in compliance with the requirements of the privacy seal?

Yes. The CNIL may check at any time and by any means that the certified product or procedure complies with the conditions defined in the standard.

Can one report a breach of obligation under certification to the CNIL?

Yes. Anyone can report it to the CNIL, particularly via the dedicated address label@cnil.fr

Can the CNIL withdraw a privacy seal?

Yes. In this case, the Chairman of the CNIL first informs the holder of the elements that call the privacy seal into question. The holder has one month to respond. If no satisfactory information has been communicated to the CNIL, a rapporteur is designated to explain the facts to the Data Protection Authority, which decides whether or not to withdraw the privacy seal.

Does refusal to deliver or withdrawal of a privacy seal mean that the applicant/holder is not in compliance with the French data protection act?

No. Refusal/withdrawal indicates that the product or procedure does not comply, or no longer complies, with the requirements of the standard defined by the CNIL, which goes beyond the requirements of the Act (for example: experience of auditors in the context of the audit procedure).

How is it possible to know whether a product or a procedure is certified?

On its Internet site, the CNIL keeps an up-to-date list of products and procedures that are certified, with the identity of their holders. Furthermore, the holder may use the CNIL privacy seal logo.

Can the standard change?

Yes, the CNIL may decide to modify its standard. In this case, the privacy seals granted according to the old standard remain valid. However, when it makes its request for renewal, the holder must show that the product or procedure complies with the new standard adopted by the CNIL.