France Prepares New Certification Framework for Data Processors Under GDPR

France’s data protection authority, CNIL, has closed its consultation on a certification framework for GDPR-compliant data processors. The scheme introduces 90 control points, confirming that businesses implement strong security, transparency, and accountability measures when handling personal data.

France introduces GDPR certification framework to improve trust in data processors across Europe

The National Commission on Informatics and Liberty (CNIL) has finalised its consultation on a draft evaluation framework for certifying data processors.

With the consultation scheduled to close on 28 February 2025, the framework aims to help data controllers identify trusted processors who comply with General Data Protection Regulation (GDPR) requirements.

The certification, once established, will be available to any organisation across Europe that processes personal data on behalf of a data controller.

The draft framework sets out 90 control points across different stages of data processing, ensuring that certified processors adhere to strict security and privacy requirements.

The goal is to bring greater transparency and accountability to an industry where data processing services play a crucial role in handling personal information securely.

Certification Structure and Key Requirements

The certification process is structured around five key parts, covering the entire lifecycle of data processing. These include:

  1. Contracting – Ensuring that agreements between data controllers and processors include GDPR-compliant terms, particularly around security obligations and liability.
  2. Preparing the Processing Environment – Verifying that data processors implement adequate security measures before processing begins, including encryption and access controls.
  3. Processing Implementation – Ensuring that data handling meets the highest standards of security, confidentiality, and lawful processing.
  4. Processing Completion – Defining clear procedures for data deletion, retention policies, and accountability for any data shared with third parties.
  5. Action Plans During the Certification Period – Requiring organisations to demonstrate ongoing compliance, with regular audits and updates to security protocols.

These structured steps aim to ensure clear accountability and high operational standards for data processors handling personal information.

The certification will provide an independent benchmark for compliance, helping data controllers select trustworthy partners in an increasingly complex data landscape.

Impact on Data Processors and Compliance

For businesses operating as data processors, the new certification could offer a competitive advantage, distinguishing certified providers from those without formal recognition.

The framework's comprehensive evaluation process ensures that only organisations with strong data protection policies will qualify.

For data controllers, the certification simplifies the due diligence process when selecting processors. Instead of conducting individual assessments of each provider’s compliance measures, controllers will be able to rely on CNIL’s certification as a trusted indicator of GDPR adherence.

Additionally, the certification introduces a new layer of accountability by requiring continuous monitoring of compliance efforts. Organisations that fail to uphold GDPR requirements may lose their certification, reinforcing the importance of maintaining high standards throughout their operations.
