What you should know about our standard on data protection governance
What is meant by "Data Protection Governance"?

It means all measures, rules and best practices for managing an organisation's personal data.

How does the Data Protection Authority assess the Data Protection Governance of an organisation?

The Data Protection Authority examines whether the organisation's application for certification complies with the 25 requirements of the standard, which cover three topics: the internal organisation of personal data management; the procedure for checking that processing operations comply with the Act; and the management of complaints and incidents.

Who may apply for this privacy seal?

All organisations, whether private or public, regardless of their size or sector of activity, may apply, provided they designate a Personal Data Protection Officer. The Officer may be a natural person or a legal entity, internal or external to the applicant organisation, and may or may not be shared with other organisations.

Does the Personal Data Protection Officer need a specific designation?

Yes, the designation must be extended in scope, meaning that the DPO must be able to exercise their duties in respect of all processing operations implemented by the data controller.

Are all of the requirements of the standard mandatory?

Yes, the 25 requirements are cumulative.

Can the privacy seal be withdrawn in case of a personal data breach?

Only non-compliance with the conditions for the delivery of the privacy seal (that is, the requirements of the reference framework) may lead to its withdrawal. Consequently, if a personal data breach occurs and the procedure described in EG 05 and 06 is followed, there is no reason to withdraw the privacy seal, since the seal attests to the quality of the procedures in place.

How is a change of Personal Data Protection Officer handled during the certification period?

If the Personal Data Protection Officer is absent for more than one month, the holder of the privacy seal must first ensure that it internally designates a person to temporarily replace the Personal Data Protection Officer in their duties, particularly with regard to the requirements of the Governance standard.

If the Personal Data Protection Officer leaves (resignation, discharge from duties,…), the holder of the privacy seal must ensure that a new Personal Data Protection Officer succeeds the previous one within a maximum period of one month, and that the new Personal Data Protection Officer satisfies, within this period, all the criteria of the Governance standard that apply to him/her (training, positioning, status, duties,…). As a reminder, article 54 of the amended decree of 20 October 2005 specifies that when the officer resigns or is discharged from his/her functions, the data controller shall inform the CNIL.