France: Data Protection Authority for France opened consultation on evaluation framework pertaining to GDPR certification of subcontractors

On 23 December 2024, the French Data Protection Authority (CNIL) opened a public consultation on the evaluation framework of the General Data Protection Regulation (GDPR) certification of subcontractors, until 28 February 2025. The framework seeks to help organisations demonstrate GDPR compliance in outsourcing. The certification applies to processors, such as information technology service providers and marketing agencies, processing personal data on behalf of controllers, with a focus on small and medium enterprises. It includes 90 control points covering contractualisation, security measures, data processing, termination, and action plans over a three-year renewable certification period. Assessments will evaluate operational compliance with CNIL-recognised standards.