How do I get certified?

30 January 2025

Certification must be requested from a certification body. The relevant certification body can be selected from the list of accredited bodies.

This content is a courtesy translation of the original publication in French. In the event of any inconsistencies between the French version and this English translation, please note that the French version shall prevail.

What is the procedure of certification?

For the applicant, the procedure is divided into three stages:

  1. Send the application to the certification body

The application must be sent to the certification body accredited for the certification sought by the applicant. The applicant must specify what the object of certification is, for example, an account-viewing and management service for an online bank account. Before the certification body begins to process the application, it assesses its admissibility (Is the object of the request eligible for certification? Is the object to be certified compatible with the criteria of the requested certification?).

  2. The evaluation of the application

The certification body assesses the object to be certified against the criteria approved by the CNIL (or the EDPB). Depending on these criteria, this evaluation may be carried out in two phases:

  • A documentary review and interviews conducted remotely;
  • An on-site visit to the applicant’s premises to verify that the applicant has put in place the relevant data protection measures.

These assessment procedures shall be specified by the certification body from the beginning of the review of the application.

  3. Issuance of the certificate

At the end of the assessment, where the certification body concludes that the object to be certified meets the criteria, the certification body shall issue a certificate to the applicant.

Example: The certification body will certify that the ‘MyBankOnline’ account-viewing and management service of the ‘MyBank’ company has been assessed and is compliant with the ‘Service – banking sector’ certification criteria.

At the end of these three steps, compliance monitoring is set up by the certification body. It applies throughout the period of validity of the certificate.

In the event of a substantial change in the processing operations, a change to the information on the certificate, or an event likely to call into question the outcome of previous assessments, the certification body may decide to carry out an additional assessment at any time, in accordance with the conditions laid down in its certification procedure.

On 10 October 2022, the European Data Protection Board (EDPB) approved the Europrivacy certification criteria. However, to date, no certification body is authorised to handle applications for the Europrivacy certification.

How can I become an accredited certification body?

In order to carry out the activity of a certification body, you need to be able to demonstrate independence, the absence of conflicts of interest, and expertise. Only accredited certification bodies are authorised to certify on the basis of criteria approved by the CNIL (or the EDPB).

Accreditation also requires the development of a methodology for assessing the certification criteria. This methodology is the one used for the assessment of each applicant for certification. Evaluated during the accreditation process, it ensures the consistent and systematic application of the certification criteria, irrespective of the certification body. The certification body must therefore apply for accreditation for each certification mechanism in order to be authorised to issue certificates.

The evaluation of the certification body is carried out on the basis of the accreditation requirements approved by the CNIL. This accreditation may be issued by the CNIL or by the French Accreditation Body (Cofrac). An agreement signed on 20 May 2020 between the CNIL and the national accreditation body sets out the terms of this cooperation.

The accreditation shall meet specific requirements regarding:

Following the approval by the European Data Protection Board of the Europrivacy certification criteria on 10 October 2022, certification bodies in France are invited to contact the French Accreditation Body (Cofrac) if they wish to apply for accreditation.

Send an application to the CNIL to become an accredited certification body (page not translated)