Do you process personal data on behalf of your customers? The CNIL has opened a public consultation, running until February 28, 2025, on a GDPR certification framework for processors that could reshape your commercial relationships. The initiative is a strategic opportunity to strengthen your competitive position by demonstrating compliance and meeting customers' growing demands for transparency and data security.
On December 23, 2024, the CNIL announced the opening of a public consultation on a draft evaluation framework (référentiel) for the GDPR certification of processors. The initiative addresses a central concern: strengthening the transparency and compliance of personal data processing carried out on behalf of data controllers. In a market where data protection is a key element of customer trust, processors, in particular SaaS providers, have much to gain from engaging with this approach.
Under Article 28 of the GDPR, a controller may only use processors that provide sufficient guarantees that they implement appropriate technical and organisational measures so that the processing meets the Regulation's requirements. The draft certification framework is built on 90 key criteria covering the entire life cycle of a processing operation: contracting, implementation of security measures, execution of the processing, end of processing, and a continuous improvement plan. Businesses can choose which services or processing operations they wish to have certified, which gives them flexibility to fit the scope to their needs. For IT service providers such as SaaS providers and IT services companies (ESN), as well as marketing or communication agencies, this certification is particularly relevant for promoting "turnkey" solutions or innovative services.
Failing to prepare for this development, however, could expose processors to significant risk. Certification may quickly become a standard expectation of data controllers, particularly in tenders. Without it, businesses risk losing commercial opportunities or being excluded from the most demanding markets.
To anticipate these changes, processors are advised to begin with a preliminary assessment of their internal data protection practices. Taking part in the public consultation, open until February 28, 2025, not only offers a chance to influence the final criteria but also helps in understanding the regulator's expectations. At the same time, it is essential to establish or strengthen procedures for incident management, documentation of processing operations, and cooperation with sub-processors. Transparency obligations regarding transfers of data outside the EU, and the technical and organisational security measures required by the framework, are examples of critical points to address in advance in order to avoid a refusal of certification.
This GDPR certification is a strategic opportunity for processors to strengthen their market position while meeting the growing expectations of data controllers. Preparing for it now is an essential step to avoid shortcomings that could undermine their competitiveness.
For any questions or support, do not hesitate to contact us by writing to cchance@squairlaw.com.
Caroline Chancé, partner lawyer at Squair