The CNIL publishes a guide for the Data Protection Officer, bringing together the main useful knowledge and good practices to help organisations and support DPOs already in post.
The role of the Data Protection Officer
Introduced in 2018 with the entry into force of the General Data Protection Regulation (GDPR), the Data Protection Officer (DPO) has a central role in the governance of personal data. He or she must inform and advise the data controller, monitor the organisation's compliance with its legal obligations and act as a point of contact with the CNIL. Although he or she is not responsible for the organisation's compliance, he or she is an essential part of it, capable of combining expertise and advice at all stages of projects involving the use of personal data.
Today, there are nearly 30,000 people in France who perform this function (natural and legal persons combined) for 80,000 organisations that have appointed a DPO. Among these, the public administration, education and health sectors are the most represented.
Obligations of organisations
Public authorities and certain private bodies whose core business involves large-scale processing of sensitive data or data enabling regular and systematic monitoring of individuals must appoint a DPO. This appointment must be made on the basis of criteria including skills, knowledge and absence of conflict of interest.
The organisations' obligations do not end there: they must also ensure that the DPO does not receive instructions on how to carry out his or her tasks, that he or she is involved in a timely manner in all matters relating to personal data and that he or she is enabled to carry out his or her duties. These requirements can be monitored and, if necessary, sanctioned by the CNIL.
But what do these obligations mean in practice? How can an organisation ensure that the chosen DPO can fulfil his or her duties satisfactorily? The CNIL now offers a new practical guide dedicated to the DPO function which answers these questions.
A reference guide for questions about the Data Protection Officer
With the help of numerous professional associations, the CNIL has compiled in this guide the main useful knowledge about the DPO.
This tool is organised in four parts:
1. The role of the DPO
2. The appointment of the DPO
3. The exercise of the DPO's function
4. Support for the DPO by the CNIL
Each topic is illustrated by concrete cases and answers to frequently asked questions on the subject. The reader can also rely on practical tools such as a model engagement letter.
From the DPO's appointment to the end of his or her mission, this guide makes it possible to quickly obtain essential and precise information on the DPO. The CNIL has been particularly careful to provide clear information on how to ensure that the DPO can carry out his or her tasks in complete independence, without any conflict of interest and with real efficiency for the organisation.