Certifications and Codes of Conduct


    Certification schemes and codes of conduct are established under the GDPR as accountability elements: they let an organization demonstrate its compliance with privacy law and help with data transfers and vendor management.

    Last Updated: July 30, 2019

  • Certifications

    Certification schemes exist to encourage and demonstrate compliance with data protection standards. GDPR Article 43 sets the criteria and procedure for accrediting certification bodies. Article 43(1) requires the Member States to ‘ensure’ that certification bodies are accredited by a supervisory authority.

    On October 11, 2018, the CNIL adopted 2 sets of guidelines on DPO certification in accordance with its domestic law, not the GDPR. They are:

    • a certification reference system that sets the conditions for the admissibility of applications and the list of 17 skills and know-how expected to be certified as a DPO; and
    • an accreditation framework that sets out the criteria applicable to organizations wishing to be authorized by the CNIL to certify the DPO’s competencies on the basis of the certification reference system developed by the CNIL.

    The certification applies only within French territory. CNIL certification is not required to perform the duties of Data Protection Officer, nor is it a prerequisite for designating a DPO to the CNIL. Conversely, a person does not need to have been designated as a DPO to be a candidate for certification of DPO skills. This is a voluntary mechanism that allows individuals to demonstrate that they meet the requirements for DPO skills and expertise set out in the GDPR.

    DPO Certification Criteria

    To be eligible for the certification test, candidates must have either at least 2 years of professional experience in projects, activities or tasks related to the tasks of the DPO regarding the protection of personal data, or at least 2 years of professional experience together with at least 35 hours of training in the protection of personal data delivered by a training organization.

    The test is a multiple-choice examination of at least 100 questions. The pass mark is 75% correct answers overall, with at least 50% correct in each of the 3 test categories. Certification is valid for 3 years. The CNIL will not issue DPO certification itself; instead, the certifying bodies, once approved by the CNIL, issue the certification to candidates who meet the prerequisites and pass the written test. Certification will only be possible once the CNIL has issued the first approvals to certifying bodies.

    Accreditation Criteria for Certification Bodies

    Pending the development of a specific accreditation program for DPO certification with COFRAC, certification bodies seeking CNIL approval must be accredited by an accreditation body against ISO/IEC 17024:2012 (Conformity assessment – General requirements for bodies operating certification of persons) in an existing field. Organizations that are not accredited under ISO/IEC 17024:2012 are invited to approach COFRAC to request the development of a specific accreditation program for DPO certification; such a program will be developed in collaboration with the CNIL. CNIL approval is mandatory only for organizations wishing to issue a DPO certification based on the standard developed by the CNIL. Any organization may nevertheless certify DPOs on the basis of its own certification reference system, not approved by the CNIL, as is already the case today.

  • Codes of Conduct

    GDPR Article 40 encourages organizations to use codes of conduct as a voluntary tool for the proper and effective application of the GDPR. Codes of conduct should be tailored to the specific needs of different sectors and sizes of organizations. Trade associations or bodies representing a sector can draw up codes of conduct to help their sector comply with the GDPR in an efficient and cost-effective way. Furthermore, codes of conduct are a strong indicator of accountability and compliance towards the regulator, the public, and business partners.

    The French data protection authority, the CNIL, is currently advising on a dozen codes of conduct that are being prepared, including ones focusing on medical research and so-called “cloud” infrastructures.

    Related Resources

    France Codes of Conduct Resources
