France: The CNIL publishes a practical guide on Data Protection Officers

On 16 November 2021, the French data protection supervisory authority (the “CNIL”) published a practical guide (“Guide”) on Data Protection Officers (“DPOs”). The Guide provides a reminder of the applicable obligations regarding the designation, tasks and missions of DPOs as well as good practices to help organizations comply with their obligation to designate a DPO and to support DPOs already in place with their missions. The guide is in line with the Article 29 Working Party Guidelines on Data Protection Officers (WP 243 rev 01), but provides additional insights and practical guidance to organizations that designate a DPO in respect of GDPR and French data protection act requirements.

The CNIL notes that nearly 30,000 DPOs have been appointed in France, covering over 80,000 organizations. Such figures evidence the success of “mutualized” DPOs designated by two or more organizations. Among the organizations that have designated a DPO, the most represented sectors are, unsurprisingly, the public administration, education and health sectors.

The Guide is composed of four main Parts:

I. The Guide starts with a section on the role of the DPO

  • Provide information and advice. The CNIL provides practical advice to the management and the operational staff who process personal data, in order to ensure that such processing is carried out in compliance with the applicable data protections laws. The DPO must be invited to strategic meetings and requested to provide advice on all processing where his/her intervention or presence must be systematic, notably in case of evolution of processing, conduct of a data protection impact assessment(“DPIA”), revision of existing privacy policies or drafting of new policies, data breaches etc.
  • Monitoring effectiveness of applicable rules. The DPO is responsible for the monitoring of the organization’s compliance with the GDPR. DPO controls or audit may, depending on the priorities, cover inter alia the verifications of the accuracy of the information provided in the record of processing activities, the verification of the compliance of the most sensitive processing activities, the implementation of tools to monitor the usage of personal data as well as the control of the effectiveness of technical and organizational measures.
  • Be the point of contact on GDPR issues. The DPO is the key contact for the CNIL and data subjects. The DPO may assist the organization representative in the event of a dawn raid to respond to the CNIL’s questions on the basis of his/her expertise. The Guide notably specifies that the CNIL will not respond to requests for advice sent by organizations that have not first consulted with their DPO on that specific question.
  • Document properly the processing activities. While the DPO is not responsible for maintaining the record of processing activities, in practice, such maintenance is generally part of his or her effective missions. The CNIL thus recommends that the DPO’s mission letter clearly states that maintenance of such record should be within the DPO missions, and in particular, based on the information relating to each processing activity that will be communicated to him/her by the internal stakeholders in charge of such processing activity

II. The Guide then includes two parts divided in seven practical guidance notes

(i) Appointment of the DPO

This part includes four practical files on (i) when to designate a DPO; (ii) whom may be appointed as DPO; (iii) whether the DPO must be internal, external or mutualized and; (iv) how to appoint a DPO.

The CNIL reminds the cases where a DPO appointment is mandatory, as set forth in Article 37 of the GDPR (e.g., “public authority or body”, “core activities of the controller or the processor” lead to a  “regular or systematic monitoring of data subjects on large scale” and “core activities” lead to a processing of sensitive data at a large scale). It also emphasizes the requirements in terms of professional knowledge and skills that a DPO must present. While there is no “standard” profile or diploma to be a DPO, the organization which designates a DPO must ensure that s/he has the necessary professional knowledge and skills to carry out his/her missions, including in particular regarding data protection and information security and ensure s/he is not in a situation of conflict of interests in the exercise of its DPO function.

In addition, the Guide includes practical appendices which will be of assistance to organizations designating a DPO:

  • a questionnaire with questions to ask and checkpoints when appointing a DPO,
  • a template of DPO mission letter that can be used when hiring a DPO, and
  • the detail of the CNIL online DPO designation form and information to be communicated to the CNIL in that respect.

(ii) Status of the DPO

This part includes three practical guidance notes regarding (i) the means to be made available to the DPO, (ii) its status and (iii) how to manage its departure, absence or replacement.

Some guidance is provided on how to ensure that the DPO can perform his or her duties independently without receiving any instruction to exercise his/her mission, without conflict of interests and with real effectiveness for the organization. The DPO should report at the highest level of the organization’s management. The DPO must be able to rely on resources necessary for the performance of his/her tasks by facilitating his/her access to the personal data and processing activities, allowing him/her to be trained in order to gain the specific knowledge needed and benefiting from confidential channel of communication as needed.

He/she must be associated to all the strategic meetings and projects involving new or existing data processing activities.

The DPO is bound by professional secrecy and an obligation of confidentiality, which must be provided for in the DPO’s mission letter or employment contract.

The Guide reminds that the DPO is not liable in the event of non-compliance with the data protection law by the organization that has appointed him/her: the organization remains responsible of the processing activities it carries out.

The organization should anticipate or organize the departure, absence or replacement of its DPO by ensuring a proper information internally on how the transition will be ensured and check that all privacy matters are continuously monitored.

(iii) The third part of the Guide highlights the CNIL support to the DPO

The CNIL supports DPOs by providing them different categories of tools: (i) for their  training (the CNIL’s website, workshops and webinars, online training such as MOOCs), (ii) to respond to their requests (telephone hotline and dedicated email address) and (iii) compliance tools (record of processing template, DPIA  tool, various compliance packages and  documents such as practical guides).

(iv) The fourth and last part of the Guide is comprised of

  • a Frequently Asked Questions section which includes questions such as how to find a DPO, what is the benefit of DPO, where should the DPO be located, what language should the DPO speak, how can the DPO be trained, etc.; and
  • Annexes:
    • (1) a questionnaire including a checklist of attention points when appointing a DPO;
    • (2) a template of a letter defining the mission when appointing a DPO;
    • (3) a description of the online DPO appointment form available from the CNIL’s website; and
    • (4) a glossary of terms used in the Guide.

Since the DPO is a key component of the data governance within an organization, this Guide is most welcome as it provides clarity and responses to several practical questions raised since the GDPR entered into force through concrete examples and FAQ.

Denise Lebeau-Marianna, Alexandre Balducci and Divya Shanmugathas

For more information, please contact Denise Lebeau-Marianna