Governance procedure of DIDOMI has been labelled by the CNIL

June 6, 2018 by Julie Tamba

Just before the French Data Protection Authority ceased this activity, DIDOMI obtained what is probably the last label delivered by the CNIL.

Under decision 2018-240 dated 24 May 2018, the CNIL acknowledged that the governance measures implemented by DIDOMI meet the requirements of the reference document in relation to procedures aimed at protecting personal data.

What is a label?

Label pre-May 25th

Under the French data protection act, the CNIL was authorized to grant labels to products and procedures aimed at protecting personal data.

One of these labels (among four) covers governance procedures of companies: it was created in 2014 to demonstrate compliance of such procedures with the French Data Protection Act, and was then amended in 2017 to demonstrate compliance of such procedures with the General Data Protection Regulation.

This label delivered to DIDOMI is the confirmation by the CNIL that the procedures we have implemented adequately protect personal data under the General Data Protection Regulation.

Certification post-May 25th

The GDPR expanded this French feature to the whole EU territory and gave new options in that regard. Now the certification could either be delivered directly by the Data Protection Authority (option 1) or by a private certification body on the basis of criteria approved by the Data Protection Authority (option 2).

The CNIL has decided to transform its activity, from option 1 to option 2, from the 25th of May onwards: although reference documents still remain in the hands of the CNIL, the certification operation itself will be carried out by privacy certification bodies in accordance with the usual European certification schemes.

DIDOMI therefore obtained the last (or one of the last) labels delivered directly by the Data Protection Authority itself, valid from 24th of May 2018 until 24th of May 2021!

What does our label cover?

How we manage data related questions

The procedures we have implemented concern:

  • How we analyse our processing to make sure it complies with the GDPR: this includes a general analysis of compliance, a specific analysis of risks (Privacy Impact Assessment), a review of concerned recipients and contracts, etc.;
  • How we ensure transparency with persons about what we do: this covers how we inform persons about our processing in our Privacy Center, how we disclose and update our commitments in terms of data protection and how we plan to notify the CNIL and the persons of any breach of personal data (hopefully we will never need this one!);
  • How we answer requests from the persons in relation to their rights: this covers a specific internal calendar and circuit making sure appropriate answers are brought to the person within appropriate deadlines;
  • How we ensure the implementation and follow up of any data protection related matter: this includes methods to internally raise awareness of employees, regular meetings to review ongoing projects, record of our processing both as a data controller and as a data processor, annual audit and review of our procedures, etc.

How we comply with the GDPR

Basically all these procedures do not make us any better than any entity complying with the GDPR: in fact, they all aim – simply and plainly – at complying with the GDPR.

Why they do give us an advantage that deserves to be mentioned is very straightforward: the GDPR is quite complicated to implement, and we have conceptualized a clear way to optimize such implementation.

This sounds like nothing, yet it is so useful for dealing with this intricate regulatory framework!

What does it mean for our clients?

More protection

First of all, it means that clients can entrust us with their own personal data because we process it the best way we can!

New functionalities

Most importantly, this means that we will try to help them move towards even more compliance.

We are not selfish and are not planning to keep these procedures for ourselves: on top of the current functionalities we offer (flagships are our enhanced record, our consent management system and our Privacy Center), we will add new tools, new functionalities and new tips inspired by these procedures.

Our goal is to use our experience of privacy and technologies to make privacy management as simple as possible for companies, so stay tuned because there is much more to come!
