Since 2004, the CNIL has been entitled by the French Data Protection Act to grant seals—labels for products and methods of personal data processing designed in compliance with data protection law. The process must be initiated at the request of professional organisations and institutions.
But the certification process still had to be specified by the CNIL to make the data protection seal effective.
The long-awaited CNIL decision was published in September. It modifies the CNIL’s internal rules to set out the data protection seal process:
- A data protection seal committee is created within the CNIL to provide guidelines concerning data protection certification, to establish the criteria required to obtain a data protection seal, and to evaluate the compliance of products and processes with these criteria;
- The creation of a data protection seal can be requested only by a professional organisation or an institution. Such a seal will be created if the CNIL deems it appropriate to do so. In that case, the CNIL will define the criteria that a product or process must meet to obtain the seal (“référentiel”);
- Once the criteria have been determined for a type of product or process, a reference document is issued. Products and processes for which the benefit of the seal is claimed must undergo a procedure evaluating their compliance with the reference document:
  - An application for a data protection seal can be filed by a single entity, or by several entities if the product or process will be used jointly by these entities. In the latter case, the application must include the commitment of each of these entities to maintain their collaboration for the duration of the seal.
  - The application must include a description of the product or the process and its data protection objectives or guarantees.
  - The CNIL analyses the admissibility of the application within two months and, in principle, communicates its decision to the applicant. Silence within these two months means that the application is rejected (e.g. the application does not contain all the information required).
  - If the application is considered admissible, the CNIL then analyses whether the product or process complies with the criteria of the data protection seal. To do so, the CNIL can submit the product/process to certain tests, ask for the communication of any useful document, or interview any person entitled to provide useful information on the product/process concerned.
  - The CNIL decides in plenary assembly whether or not to grant the data protection seal. The decision is based on a report issued at the end of the appraisal process.
  - The decision of the CNIL, whether positive or negative, is communicated to the applicant within eight days of the plenary assembly.
  - When the data protection seal is granted, the CNIL specifies the conditions of use of the “CNIL seal” by the concerned entity.

The data protection seal is granted for three years and is renewable. Renewal is not automatic. The concerned entity must apply for a renewal six months before the end of these three years.
The data protection seal may be withdrawn if the CNIL gains knowledge of the fact that the product or process is no longer compliant with the criteria of the concerned data protection seal. In such a case, the CNIL notifies the concerned entity, which has one month to take corrective action. If it fails to do so, the data protection seal is withdrawn.
