2018 | OriginalPaper | Book chapter

4. The French Privacy Seal Scheme: A Successful Test

(Le schéma français des labels de protection des données: un essai réussi)

Written by: Johanna Carvais-Palut

Published in: Privacy and Data Protection Seals

Publisher: T.M.C. Asser Press

Abstract

With nearly one hundred CNIL privacy seals delivered, France has emerged as a trailblazer in this domain. Realising the importance of changing attitudes and behaviours regarding data protection very early on, the French legislature authorised its supervisory authority to create a new indicator of compliance in this area. The French Data Protection Authority readily admits that its privacy seal is still in the early stages. However, the progress made over the past four years has shown that the experiment was worth pursuing, with a view to creating a lasting scheme. CNIL is now equipped with a proven procedure, elevating its privacy seal to the status of a “guarantee of Ethical Data Protection”, in line with CNIL’s latest reference standard, the seal on Governance Procedure.

Footnotes
1
Commission Nationale de l’Informatique et des Libertés (CNIL) is the French Data Protection Authority. Created in 1978, CNIL is an Independent Administrative Authority that exercises its functions in accordance with the French Data Protection Act.
 
2
French Act 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties (French Data Protection Act).
 
3
French Data Protection Act of 1978 amended 6 August 2004.
 
4
Decision n° 2011-249 of 8 September 2011 (now amended by Decision n° 2013-175 of 4 July 2013).
 
6
Act 2014-344 of 17 March 2014 (French Consumer Protection Act). The Hamon Act also explicitly introduced into the French Data Protection Act (Article 11-3c) a provision for CNIL to be able to verify that the conditions for receiving the privacy seal are maintained, and to withdraw the privacy seal if necessary.
 
7
Data protection training is a process intended to produce and develop the knowledge, know-how and behaviour necessary for compliance with the French data protection act. The said process may take place over several days and include several modules which are independent of each other. The standard defines the criteria and resources enabling the data protection authority to determine whether the training courses for which a privacy seal is requested achieve such an objective. It includes two parts corresponding to both phases of the evaluation performed by the data protection authority and which cover: the training activity (requirements concerning the method) and the content of the training course (with a main module of fundamental knowledge that the training course must at least include in its curriculum to apply for certification, and supplementary modules that the training course may also include in its curriculum).
 
8
A “Data Protection” audit is an audit whose criteria enable judgement of the compliance of processing personal data with the Act No. 78-17 dated 6 January 1978 (French data protection act) amended by the Act No. 2004-801 dated 6 August 2004. The scope of such an audit concerns the processing of personal data implemented within a defined scope, not only in terms of places, organisational units, activities, processes or time periods covered, but also in terms of types of processing or specific processing. The audit procedure describes the conduct, management and content of audits, as they are implemented by the applicant. The complete terminology is presented in the following pages. To this end, the present standard defines the criteria for evaluation relating to the manner of conducting an audit and the processing of personal data during the audit.
 
9
The digital safe box, as understood in this standard, covers offers made to individuals concerning services for the dematerialised and secure storage of data, the aim of which is to keep documents on digital media. Digital safe boxes must ensure the integrity, availability and confidentiality of stored data and implement appropriate security measures. A digital safe box is distinguished from an ordinary storage space by the fact that the data retained, including stored documents and their meta data, is accessible only to the holder of the safe box and, where applicable, natural persons whom the holder has specifically authorised for this purpose. The present standard describes the procedures for creation and management, and the content of digital safe boxes. It defines the criteria and the resources allowing the Data Protection Authority to determine whether the digital safe boxes subject to the privacy seal request reach the target objective, namely: the secure retention and protection of personal data contained in a safe box, which will be accessible only to its user and natural persons specifically mandated by the latter.
 
10
The governance of personal data protection, also known as “Privacy Governance”, establishes the set of measures, rules and best practices that allow for the application of laws and regulations on the handling of personal data as well as provide the specific liabilities inherent to this handling. This privacy seal intends to help private and public organisations implement personal data protection measures and help them be accountable accordingly for their measures. This standard defines the assessment criteria and the means at the Commission’s disposal for the assessment of privacy governance procedures’ effectiveness in protecting personal data, which is the objective of this privacy seal. 
 
11
See Sect. 4.6.
 
12
Application processing is the second step in the scheme.
 
13
See implementation orders for French Act 2000-321 of 12 April 2000 on citizens’ rights in their dealings with public bodies (referred to in France as the “DCRA” Act).
 
14
See Decree 2014-1278 of 23 October 2014.
 
15
It could be rejected if CNIL’s plenary session considers that the application does not fulfill all the mandatory requirements.
 
16
A seal could be withdrawn if the conditions that allowed the privacy seal to be granted are no longer fulfilled.
 
17
www.cnil.fr. Accessed 30 April 2017.
 
18
In August 2016, CNIL delivered 88 seals in total for 110 applications received.
 
19
Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the Protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC; Article 5.2.
 
20
Opinion 3/2010 on the principle of accountability adopted on 13 July 2010 by the Article 29 Data Protection Working Party.
 
21
Group of European Data Protection Authorities.
 
22
French Regulations governing use of the Collective Mark “CNIL seal” approved by CNIL on 14 June 2012.
 
23
Such as a better acknowledgment of the expertise in the industry.
 
24
As the seal is increasingly well recognised, many tender procurement policies for data protection training or audits now require the CNIL seal.
 
25
In France, we have an equivalent called a “Correspondant Informatique et Libertés (CIL)”.
 
26
French Regulations governing use of the Collective Mark “CNIL seal” approved by CNIL on 14 June 2012.
 
27
Different sizes and different colors (blue, white and red or black and white) for several uses.
 
28
Ibid.
 
29
Small and Medium-sized Enterprises.
 
30
Seventy-six people completed the survey. It was launched between September and November 2014.
 
31
Note: 20% of the respondents did not answer this question.
 
32
French Act 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties (French Data Protection Act).
 
33
Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the Protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
 
34
Article 42 and Recital 100 of the Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the Protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
 
35
The European Data Protection Board will be set up as an independent body of the Union with legal personality. It will replace the Article 29 Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Directive 95/46/EC. It will consist of the head of a supervisory authority of each Member State and the European Data Protection Supervisor or their respective representatives. The Board will contribute to the consistent application of the GDPR throughout the Union, including by advising the Commission, in particular on the level of protection in third countries or international organisations, and promoting cooperation of the supervisory authorities throughout the Union.
 
Metadata
Title
The French Privacy Seal Scheme: A Successful Test
Written by
Johanna Carvais-Palut
Copyright year
2018
DOI
https://doi.org/10.1007/978-94-6265-228-6_4