FAQ

How long is an approval as a certification body valid for?

Certification body approvals are valid for 5 years.

What is the difference between an approval and an accreditation?

In general, an approval is an administrative authorisation required to carry out an activity under regulatory control and an accreditation is a recognition by a third-party body of competence to carry out specific conformity assessment activities

An accreditation is issued by the CNPD under Article 15 (Law of 1 August 2018 on the organisation of the National Commission for Data Protection and the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data), which gives the CNPD the task of accrediting the certification bodies referred to in Article 43(1) of Regulation (EU) 2016/679.

Accreditation is defined as "an attestation issued by a third party, in relation to a conformity assessment body, constituting formal recognition of the competence of the conformity assessment body to carry out specific conformity assessment activities" (Definition taken from ISO/IEC 17000:2004. It is issued by a national accreditation body in accordance with the requirements of Regulation (EC) No 765/2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products.

Who can become a certification body?

Any organisation that meets the accreditation criteria for which it applies may be accredited as a certification body.

Where can I find information about certification bodies?

The list of certification bodies will be available on the CNPD website as soon as the first approvals have been granted.

How can I view the different data processing activities that have been certified?

The certificate issued by the approved certification body must contain all relevant information, including a detailed description of the treatments that have been certified. In addition, each mention of the certificate must be accompanied either by such a description, or by a link or reference to a site that contains this information. In all cases, communication regarding RGPD certification must be clear and transparent, avoiding any confusion or misleading communication regarding the scope of the certified processing operations.

Dernière mise à jour