France: Data Protection Authority for France closes consultation on evaluation framework pertaining to GDPR certification of subcontractors

On 28 February 2024, the Data Protection Authority for France (CNIL) closes its public consultation on the evaluation framework of the General Data Protection Regulation (GDPR) certification of subcontractors. The framework seeks to help organisations demonstrate GDPR compliance in outsourcing. The certification applies to processors, such as information technology service providers and marketing agencies, processing personal data on behalf of controllers, with a focus on small and medium enterprises. It includes 90 control points covering contractualisation, security measures, data processing, termination, and action plans over a three-year renewable certification period. Assessments will evaluate operational compliance with CNIL-recognised standards.