What you should know about our standard on data protection training programmes


In the context of this CNIL privacy seal, is it the training which is certified or the trainer?

The CNIL’s privacy seal is delivered to the training course and not the trainer who delivers it.

Can I request a privacy seal from the CNIL for a training course that I produce within my organisation?

Yes, the CNIL's privacy seal can be delivered for training courses that are internal to the organisation.

Can I request a privacy seal from the CNIL for an e-learning training course?

Yes, the CNIL's privacy seal can be delivered for training courses given either in the classroom or via e-learning, providing they meet the requirements of the standard.

How many requirements does the standard present?

It lists 33 mandatory requirements, divided between the training method and the main content of the training course, and 44 optional requirements relating to supplementary modules.

What does the CNIL mean by requirements concerning the method?

The requirements concerning the method cover the conditions under which the educational content is created, delivered and updated.

What does the CNIL mean by requirements concerning the content of the training course?

The requirements concerning the content of the training course concern verification of compliance with the principles of the French data protection act described in the training material.

What does the CNIL mean by "explain" (see ES and EC)?

By "explain", the CNIL means the way in which the training course explains the concept and the principle arising from the Act (at least the article of the Act and definition).

What does the CNIL mean by "ensure understanding" (see ES and EC)?

By "ensure understanding", the CNIL means the way in which the training course ensures that the learners understand the concept or the principle. It may consist of examples, details, case studies, quizzes…

Can an appendix act as evidence of several requirements?

Yes, the same appendix can justify several requirements.

Can I certify as many training courses as I want?

Yes. It is possible to certify an unlimited number of training courses. One application per training course should then be made.

Can I modify my training course while the certification is applicable?

It is possible to modify the training course while the certification is applicable. However, this modification must be reported to the CNIL. The certification committee then examines whether or not it is of a substantial nature.

If the modification made is indeed substantial, a new request for certification should be made.

Does the approach to compliance with the French data protection act (EM01) require the designation of a Personal Data Protection Officer?

This requirement aims to check that the applicant organisation does have a policy on the management of personal data and a reference person for these questions (who may or may not be the Personal Data Protection Officer).

Can I change trainers once the privacy seal has been delivered?

It is entirely possible to change trainers once the privacy seal has been delivered because it is the training course which is the subject of the privacy seal and not the trainer. If, in the request for the privacy seal, the applicant supplied the curriculum vitae of trainers as evidence that requirements are met, it must first send the curriculum vitae of the new trainer.

If, on the other hand, the initial request for a privacy seal contained non-nominative job descriptions, it will not be necessary to inform the CNIL of the change of trainer.

Can I have another speaker in addition to the trainer?

It is possible to have another speaker as well as the trainer on a very limited subject during a very short period (for example, 15 minutes concerning lessons learned from experience).

Can I use a service-provider or training firm to give my certified training course?

Yes, it is possible to use a service-provider to deliver a certified training course. However, the third-party service-provider, if it is not a co-holder of the privacy seal, cannot use the logo, but only mention that it "gives a training course certified by the CNIL".

What is a curriculum (EM 08 and 09)?

It is a study plan drawn up by the provider of the training service, which describes the objectives to be achieved, the content, the results of the training, the methods of teaching and learning and the evaluation process (see model).

How can I ensure that the trainers have given at least two training courses in the last two years (EM 13)?

The requirement concerns training courses given, not training courses followed. It can be evidenced, for example, by listing the dates and places of these training courses.

What is meant by "reliable information" (EM 17)?

For the applicant, it means verification actions that it will carry out concerning the skills of its trainers (originals of diplomas, checking references…).