What is a Data Protection Officer (DPO)?


The Data Protection Officer (DPO, or DPD in French) accompanies and advises the person responsible for processing personal data in complying with the texts in force [1].

The authorities in charge of monitoring the application of the General Data Protection Regulation (GDPR) are, in France, the Commission nationale de l'informatique et des libertés (CNIL) (each European state has a national supervisory authority) and, at the European level, the European Data Protection Board (EDPB).

The designation of a DPO is mandatory for companies whose "core business involves large-scale data processing that requires systematic and regular monitoring of individuals".

Failure to designate a DPO, even though it is mandatory, can be sanctioned by the CNIL with an administrative fine of up to 2% of worldwide turnover or €10,000,000.

The designation of a DPO is strongly recommended even where it is optional under the GDPR, since a decision not to designate a DPO must itself be documented, and that documentation can be requested in the event of an inspection.

A DPO can be internal (employee in function or recruited to this position) or external (service provider) to the company. A single DPO may be appointed for the entire group. The identity of the DPO must be communicated to the CNIL.

A DPO must carry out certain missions relating to data protection and perform his or her duties with independence and confidentiality.


1. Conditions for the appointment of a DPO

Any controller or processor must appoint a DPO if [2]:


a. Common condition:

"Its core activity involves large-scale data processing". 

"Core business" should be understood as the set of essential activities that enable an entity to carry out its core activity.

Conversely, an entity's support activities, which are traditionally common to all entities (the management of employee compensation, for example), are not part of its "core activities" [3].

"Large-scale processing" is assessed according to the number of people impacted, the volume of data and the duration and scope of the processing.


b. Specific conditions:

i. Regular and systematic monitoring of the persons concerned

If, in addition to the common requirement, data processing requires systematic and regular monitoring of individuals, then the designation of a DPO is mandatory.


Monitoring is "regular" if it is: continuous or occurs at regular intervals over a period of time; recurring or repeating at fixed times; occurring consistently or periodically [4].

Monitoring is "systematic" if it: occurs in accordance with a system; is pre-planned, organized or methodical; occurs as part of a general data collection program; and is carried out as part of a strategy.

Examples of processing requiring "regular and systematic monitoring":

- Geolocation and video surveillance;

- Connected devices;

- Marketing activities based on profiling and monitoring of an individual's activities (targeted e-mails, behavioral advertising, etc.) [6].


ii. Or the processing of particular categories of data

If, in addition to the common requirement, the data processing concerns sensitive data or data relating to criminal convictions or offences, then the designation of a DPO is mandatory.

Sensitive data are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic, biometric, health data and data concerning sex life or sexual orientation[7].


c. Penalty for failure to designate a mandatory DPO:

The CNIL imposes graduated sanctions: a warning or formal notice to the organization; an injunction or order to cease the violation; a limitation or temporary suspension of data processing; and administrative sanctions if the previous injunctions have been unsuccessful [8].

In the case of failure to designate a mandatory DPO, the amount of the administrative fine may be up to €10,000,000 or, in the case of a company, up to 2% of the total worldwide annual turnover of the previous year, whichever is higher.


d. Recommendations of the Supervisory Authorities (CNIL and EDPB):

Regardless of whether designation is mandatory or not, the European Data Protection Board (EDPB) recommends in its guidelines [10] that documentation should be prepared regarding the choice of whether or not to appoint a DPO.

This documentation may be required by the CNIL or the EDPB in the event of a review.

70,313 entities have appointed a DPO in France as at 14/09/2020.


2. How the DPO is designated


The choice of the DPO is free. It can be an internal person (internal DPO) or an external person (external DPO).

The designated person must have the professional qualities required to perform his or her duties, in particular independence and knowledge of data protection law (CNIL-approved bodies issue certificates based on these competency standards) [11].

Once designated, the identity of the DPO must be communicated to the CNIL (online declaration) and to the persons concerned by the processing. An enterprise group may designate a single DPO provided that he or she is "easily reachable from each place of establishment" [12].

If an external DPO is used, the CNIL and the DGCCRF recommend checking the nature of the services offered, since compliance requires not just a simple exchange or sending of documentation but real personalized support to identify actions and ensure their follow-up.


3. DPO activities

a. Missions of the DPO

The list of missions established by the GDPR is not exhaustive [13], but the DPO's main tasks are to inform and advise the controller or processor and the persons concerned by the processing, to monitor compliance, to cooperate with and contact the CNIL, to carry out risk analysis and impact assessments and to keep the register of processing operations [14].

b. Operating conditions

The DPO must be involved by the data controller or processor, prior to any processing, in matters relating to the protection of personal data.

The DPO must carry out his or her duties with confidentiality, independence and responsibility [15].

The controller or processor must allow the DPO to carry out his tasks, which implies access to the data and processing mechanisms, as well as verification that these tasks do not place the DPO in a conflict of interest situation.





[1] Art. 37 to 39 of the GDPR.

[2] Art. 37, par. 1 of the GDPR.

[3] Cons. 97 of the GDPR.

[4] WP 243 rev.01.

[5] WP 243 rev.01.

[6] Cons. 24 of the GDPR.

[7] Art. 10 of the GDPR.

[8] Art. 58.2 of the GDPR.

[9] Art. 83.4 of the GDPR.

[10] https://www.cnil.fr/sites/default/files/atoms/files/wp243rev01_fr.pdf

[11] Deliberation. CNIL n°2018-317 and n°2018-318 of September 20.

[12] Art. 37, par. 2 of the GDPR.

[13] Art. 39 of the GDPR.

[14] In principle, it is for the controller or a processor to set up this register (Art. 30 par. 1 and 2 of the GDPR), who may entrust this task to the DPO: Guidelines WP 243 rev.01.

[15] Art. 28 of the GDPR: Only the controller or processor can be held liable, not the DPO.
