France: CNIL adopts standards on DPO certification and accreditation
The French data protection authority ('CNIL') announced, on 11 October 2018, that it had adopted two standards on data protection officer ('DPO') certification and accredition framework for certification bodies, following a public consultation between May and June 2018. In particular, Deliberation No. 2018-318 of 20 September 2018 Adopting the Criteria of the Standard of Qualification of the DPO ('Deliberation No. 2018-318') adopted criteria standards on the certification reference system, setting out the admissibility requirements and a list of 17 required competencies to be certified as a DPO, and Deliberation No. 2018-317 of 20 September 2018 Adopting the Criteria of the Reference Framework of Accreditation of Certification Bodies for the Certification of the Competences of the DPO ('Deliberation No. 2018-317') adopts the accreditation framework, setting out the criteria for organisations that wish to be CNIL-certified and in turn certify DPOs according to the certification reference system.
CNIL highlighted that the certification scheme is voluntary, and certification is not required to perform the duties of a DPO. However, it also noted, with regards to accreditation bodies, that approval of CNIL is only mandatory for organisations intending to issue a DPO certification based on the standard developed by CNIL. Finally, the certification standards will be reviewed after two years, in which case, any modifications can be communicated to other European data protection authorities within the European Data Protection Board ('EDPB'), without retroactively affecting previous certifications.