‘GDPR compliance’ claims by IT tool suppliers should be taken with a pinch of salt.
First of all, the term ‘GDPR compliance’ has no binding definition, and anyone can interpret it as they please. Typically, these claims are not based on a formal audit, adherence to an official code of conduct or a certified standard, but rather on the company’s own self-assessment. As such, they should be seen more as advertising than as proof of actual legal compliance.
Compliance with the GDPR is not a ‘nice to have’ feature - it is a legal obligation. Any supplier established in the EU, or processing the personal data of individuals in the EU, is required to comply with the GDPR. Advertising compliance with legal requirements is, at best, unconvincing: it says nothing beyond that the company is following the law, which should be a given.
To illustrate: Imagine a public transport service promoting the fact that its drivers hold valid licenses – would you really feel more reassured and think that this makes their service more trustworthy?
Whether a tool or supplier meets CERN’s data privacy requirements - such as those set out in OC 11 - does not depend on claims of GDPR compliance. It must be carefully assessed on the basis of substantive factors, such as the intended purposes of the data processing, the tool’s features, the supplier’s guarantees and services, the contractual terms, and whether the supplier uses CERN’s personal data for its own purposes.
Finally, the GDPR is not applicable to CERN. Therefore, ‘GDPR compliance’ - regardless of how it is defined - is irrelevant as a criterion in itself.
In a nutshell, you should ignore such claims and apply due diligence to assess whether the tool and supplier meet the conditions needed for OC 11-compliant processing of personal data.